[tor-bugs] #28727 [Obfuscation/Snowflake]: Remove `broker` and `relay` query string parameters from Snowflake proxy
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Dec 4 19:30:43 UTC 2018
#28727: Remove `broker` and `relay` query string parameters from Snowflake proxy
---------------------------------------+--------------------
Reporter: dcf | Owner: (none)
Type: defect | Status: new
Priority: High | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
---------------------------------------+--------------------
The browser proxy allows overriding the default
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/proxy/snowflake.coffee?id=596d28b57628dc57dd44080bb50b435c27c48861#n241 broker]
and
[https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/proxy/snowflake.coffee?id=596d28b57628dc57dd44080bb50b435c27c48861#n254 relay]
using query string parameters. This is a security vulnerability because it
can turn browser proxies into a DoS vector against some third party. An
attacker only has to get a massive number of browsers to visit a URL like
https://snowflake.example/embed.html?broker=https://victim.example and those
browsers will start sending HTTPS requests to victim.example.
This same vulnerability existed in flash proxy; here are the commits
removing the feature there:
* [https://gitweb.torproject.org/flashproxy.git/commit/?id=a6af0da52a1c534799e563beba047ef02cc0a9e8 Remove "facilitator" query string parameter.]
* [https://gitweb.torproject.org/flashproxy.git/commit/?id=d518f2615d977475dabaf4a46fbbe83c5a52801c Remove "client" and "relay" query string parameters.]
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28727>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
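The defect described in the ticket is a configuration surface: the page that embeds the proxy can steer every visiting browser at an endpoint of its choosing. The snippet below is an added illustration, not code from the Snowflake proxy or from flash proxy; it places the query-string-driven pattern next to the hardened one, in which the broker and relay are fixed constants and any unexpected parameter is ignored and reported for logging. The endpoint URLs are constructed placeholders, and the `debug` flag is a hypothetical display option used only to show what an allowlist of harmless parameters looks like.

```javascript
// Added illustration, not code from the Snowflake proxy. The endpoint URLs
// are constructed placeholders; the proxy's real defaults live in its source.
const DEFAULT_BROKER = 'https://broker.example/';
const DEFAULT_RELAY = 'wss://relay.example/';

// Pattern the ticket reports: whoever controls the embedding page's URL also
// controls where every browser that loads it sends its requests.
function configFromQueryUnsafe(search) {
  const q = new URLSearchParams(search);
  return {
    broker: q.get('broker') || DEFAULT_BROKER,
    relay: q.get('relay') || DEFAULT_RELAY,
  };
}

// Hardened pattern: the endpoints are constants the query string cannot touch.
// Only keys on an explicit allowlist are read; everything else is ignored and
// returned by name so the proxy can log attempted overrides.
const ALLOWED_QUERY_KEYS = new Set(['debug']); // hypothetical display flag
function configFromQuerySafe(search) {
  const q = new URLSearchParams(search);
  const ignored = [];
  for (const key of new Set(q.keys())) {
    if (!ALLOWED_QUERY_KEYS.has(key)) ignored.push(key);
  }
  return {
    broker: DEFAULT_BROKER,
    relay: DEFAULT_RELAY,
    debug: q.get('debug') === '1',
    ignored,
  };
}

// Usage: the same constructed query string against both patterns.
const probe = '?broker=https://victim.example&debug=1';
console.log(configFromQueryUnsafe(probe).broker); // URL taken from the page
console.log(configFromQuerySafe(probe).broker);   // always DEFAULT_BROKER
console.log(configFromQuerySafe(probe).ignored);  // [ 'broker' ]
```

Removing the parameters outright, as the flash proxy commits above did, is the simplest form of this fix: with no allowlist at all, `configFromQuerySafe` reduces to returning the two constants, and the `ignored` list is what a deployment would watch to see whether anyone is still trying to set them.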