
research and document secure downloads using Tor Browser
Closed, Resolved, Public

Description

  • assume the user has only a single open tab
  • assume the user knows he is pasting an https link into the url bar
  • assume https everywhere is not effective for that website
  • assume the website does not use HSTS
  • assume the website does not use HSTS preloading
  • assume the website does not use HTTP Public Key Pinning (HPKP)

In this situation there was a bug. The user has no way to know if the file is being downloaded over https or if sslstrip made the user download over plain http. It's because one cannot see a padlock. It's just empty. I have no bug report for reference handy.

Could you research please if this is still the case? And reference a bug report? @HulaHoop

Details

Impact: Normal

Event Timeline

Patrick created this task. May 18 2017, 2:42 PM
Patrick added a subscriber: Ego. May 18 2017, 6:17 PM

I think I found the topic you're paraphrasing which explains the limitations of HSTS:

"HSTS is designed to FORCE the use of https, this is a good thing in most cases. However, HSTS is problematic in that it incorrectly assumes that all users trust the default list of CAs and makes the adding of exceptions impossible even by advanced users.

torprojec.org [sic] is just an example, this affects every HSTS site. You can reproduce this problem yourself in version 17 or later if you temporarily disable "DigiCert High Assurance EV Root CA" in your certificate store and then visit torproject.org. You will notice the ability to add exceptions has been removed and that the cert_override.txt file found in the user's profile is also ignored."

https://support.mozilla.org/en-US/questions/942924


HPKP limits trust from all CAs to just a few. It's an improvement over the status quo but unless keys are managed vigilantly, sites risk breaking connections of all their users. So many sites, especially major ones, decide against taking this risk.

https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html


Without HSTS a site that has non-encrypted resources/subdomains or pages is vulnerable to sslstrip.

https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly

Well, if you explicitly type/paste "https://" in the url, sslstrip and similar do not apply. But very few people do that, most follow some link, or type just "www.torproject.org" instead of "https://www.torproject.org".

I see, so if a link to a file download with https:// is pasted into a browser, we can be sure that ssl will be used (at least without the browser showing a warning about an attempted sslstrip attack). The only issue is that the ssl certificate button / padlock is invisible. That's something we can document.

Patrick closed this task as Resolved. May 24 2017, 11:10 PM
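The thread above reduces to a small set of observable conditions: what scheme the user actually typed, whether any redirect hop dropped from https to http, whether the final response was served over plain http (the case where the missing padlock matters), and whether the site sends an HSTS (or, historically, HPKP) header that would protect later bare-hostname visits. The following is an added example, not code from the task or from the Whonix / Tor Browser projects, that turns those conditions into a client-side audit over a recorded redirect chain and response headers. All URLs, hostnames and header values in it are constructed for the example; `audit_download`, `parse_hsts` and the dataclasses are hypothetical names.

```python
"""Audit a download URL against the conditions discussed in the task.

Added example (constructed data, not project code). Inputs are what a
browser would have observed: the URL the user typed/pasted, the ordered
list of redirect targets it followed, and the final response headers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).

    Directive names are case-insensitive and ';'-separated. max-age is
    mandatory: a header without it, or with a non-numeric value, is invalid
    and a browser would ignore it, so we return None for those cases.
    """
    if header is None:
        return None
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


@dataclass(frozen=True)
class Finding:
    typed_https: bool                 # user explicitly pasted an https:// URL
    plaintext_download: bool          # final response arrived over plain http
    downgrade_hop: Optional[Tuple[str, str]]  # first https->http redirect, if any
    hsts: Optional[HstsPolicy]        # protects *future* visits, not this one
    hpkp_present: bool                # Public-Key-Pins header seen (obsolete)


def audit_download(typed_url: str, redirects: List[str],
                   final_headers: Dict[str, str]) -> Finding:
    """Evaluate one download from the client's point of view.

    An sslstrip-style MITM cannot touch a request that started as https
    (it has no valid certificate), so typed_https is the strongest signal.
    A plaintext final hop is exactly the situation in which the task notes
    the padlock gives the user no feedback.
    """
    chain = [typed_url] + list(redirects)
    downgrade = None
    for src, dst in zip(chain, chain[1:]):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http":
            downgrade = (src, dst)
            break
    headers = {k.lower(): v for k, v in final_headers.items()}
    return Finding(
        typed_https=urlsplit(typed_url).scheme == "https",
        plaintext_download=urlsplit(chain[-1]).scheme != "https",
        downgrade_hop=downgrade,
        hsts=parse_hsts(headers.get("strict-transport-security")),
        hpkp_present="public-key-pins" in headers,
    )


# Constructed scenarios (hostnames under the reserved .test TLD):
# 1. https pasted explicitly, no HSTS: this download is fine, later
#    bare-hostname visits are still strippable.
CASE_PASTED_HTTPS = audit_download(
    "https://files.example.test/tool.tar.gz", [],
    {"Content-Type": "application/gzip"})
# 2. bare hostname -> http; the expected redirect to https never arrives
#    (what a stripped connection looks like): plaintext download.
CASE_STRIPPED = audit_download(
    "http://files.example.test/tool.tar.gz", [],
    {"Content-Type": "application/gzip"})
# 3. https pasted, but the site itself redirects to an http mirror and
#    sends HSTS on the final hop (which http ignores).
CASE_SITE_DOWNGRADE = audit_download(
    "https://files.example.test/tool.tar.gz",
    ["http://mirror.example.test/tool.tar.gz"],
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
```

Scenario 2 is the one the task is about: nothing in the chain is visibly wrong, only the final scheme is http, so the audit's `plaintext_download` flag is the signal the invisible padlock fails to give. The `hsts` field is reported separately because an HSTS header only helps the next visit, never the connection that delivered it.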