Merge pull request #81 from alecmuffett/20200727-security-advisories

20200727 security advisories
Alec Muffett 2020-07-27 14:20:25 +01:00 committed by GitHub
commit f160267649
No key for this signature was found in the database
GPG key ID: 4AEE18F83AFDEB23
1 changed file with 7 additions and 6 deletions


@ -1,6 +1,7 @@
# Security Advisory: Tor Browser Leaks "Secure Cookies" Into Insecure Backend Channels
* v1.0 - 27 July 2020, alec.muffett@gmail.com
* v1.1 - 27 July 2020, alec.muffett@gmail.com - grammar fixes, typos and linkifies
* v1.0 - 27 July 2020, alec.muffett@gmail.com - initial
The master copy of this document resides at:
@ -102,9 +103,9 @@ to the server over HTTPS.
This behaviour is considered one of the fundamentals of web
architecture, such that many server deployments reasonably do not
bother to protect legacy plaintext HTTP connections within their
backend infrastructure because no data of any consequence will ever be
sent to them by the browser.
bother to protect or filter legacy plaintext HTTP connections within
their backend infrastructure because no data of any consequence will
ever be sent to them by any browser.
Unfortunately with this change, TorBrowser has moved from being one
which implements simply a superset of layer-3 connectivity, to one
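Review bot: the new wording "will ever be sent to them by any browser" is stronger than the advisory's own later claim, "No other properly configured browser would behave this way"; since Tor Browser is itself a browser that does send such data, consider "by any properly configured browser" here so the two statements agree. The added "protect or filter" is a useful tightening and reads fine.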
@ -132,7 +133,7 @@ Fastly or Cloudflare, for handling.
However: with this change TorBrowser **in specific** will leak session
cookies to those third-party CDN sites, which will traverse the
`foo.onion` virtual private cloud, if not the whole internet, in
cleartext where the cookies may be logged and caprtured by state
cleartext where the cookies may be logged and captured by state
surveillance agencies if no other. This problem should be familiar to
people who have seen the "SSL added and removed here" slides from the
Snowden files. No other properly configured browser would behave this
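Review bot: the typo fix "caprtured" to "captured" is correct; while touching this sentence, note that it says "cleartext" where the preceding paragraph says "plaintext HTTP connections", so pick one term and use it throughout the advisory.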
@ -143,7 +144,7 @@ way.
The goal of this change was apparently to enable sites to be adapted
to issue secure cookies for the purposes of enabling login. Tor
excuse this behaviour as being "standards-compatible" and cite
`https://www.w3.org/TR/secure-contexts/` section 3.2 as explicitly
https://www.w3.org/TR/secure-contexts/ section 3.2 as explicitly
permitting a user agent to define a secure context as it sees fit.
Tor further have framed the backend impact as a "communications"
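Review bot: dropping the backticks around the W3C URL lets the renderer emit a live link, which matches the "linkifies" entry added to the changelog; the citation still identifies the passage only as "section 3.2", so consider also quoting the section's title so the reference remains findable if the specification is renumbered.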