[HTTPS-Everywhere] Fwd: URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere --- RE: HTTPS Everywhere doesn't cover all Facebook sub domains

Peter Eckersley pde at eff.org
Fri May 6 12:04:38 PDT 2011


It turns out there are a lot of people out there who have accidentally
misconfigured their Firefoxes to not support TLS/SSLv3.  Removing SSLv2
support altogether makes https://www.eff.org completely inaccessible to these
people, but I guess that's a problem we're going to have to live with.

There is supposed to be a second layer of defense here, too: it shouldn't be
possible to modify the URL and updateHash in the update.rdf file -- that file
is signed, and last time I tested it Firefox would refuse to upgrade via an
unsigned update.rdf.  But I'll double check this.

On Fri, May 06, 2011 at 09:05:00AM -0700, Rebecca S. Reagan wrote:
> 
> -------- Original Message --------
> Subject: 	URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere ---
> RE: HTTPS Everywhere doesn't cover all Facebook sub domains
> Date: 	Fri, 6 May 2011 14:42:26 +0000
> From: 	Decime, Jerry (IT Security) <jerry.decime at hp.com>
> To: 	Rebecca Reagan <rsreagan at eff.org>
> 
> 
> 
> Rebecca,
> 
> In addition to the ongoing issues with HTTPS Everywhere not actually
> providing protection when visiting Facebook, it recently performed an
> update for which I was able to get into the middle and push my own code
> (to my own environment) rather than the actual update code from
> www.eff.org. This was possible because it made an update request here:
> 
> https://www.eff.org/files/https-everywhere-update.rdf
> 
> It was then possible to modify the code location and signature:
> 
> <RDF:Description RDF:about="rdf:#$ybGCJ1"
> NS1:id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" NS1:minVersion="3.5"
> NS1:maxVersion="4.*"
> NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
> NS1:updateHash="sha1:31f800d2b1d15e994cdea0fbf0fdd72cf50c03b5"/>
> 
> This was possible because www.eff.org is STILL
> USING the non secure SSLv2 protocol:
> 
> https://www.eff.org/files/https-everywhere-update.rdf
> 
> PLEASE! Remove SSLv2 support & get this fixed ASAP!
> 
> Thanks,
> 
> Jerry Decime
> 
> Senior Security Strategist
> 
> Hewlett-Packard
> 
> *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> *Sent:* Tuesday, November 16, 2010 5:30 PM
> *To:* Decime, Jerry (IT Security)
> *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> 
> Dear Jerry,
> 
> Thank you for sending us follow up information. Our technologists are
> aware of the methods you're describing and are considering various ways
> to address the problems.
> 
> Again, thank you,
> 
> Rebecca S. Reagan
> 
> 
> On 11/16/10 3:35 PM, Decime, Jerry (IT Security) wrote:
> 
> Release version 0.2.2. Also note that I’ve found that third-parties to
> Facebook sometime fail to protect Facebook OAuth credentials with HTTPS
> so the picture starts to look a bit bleak when it comes to locking down
> the entire Facebook experience. Unfortunately it really does come down
> to architecting applications correctly to begin with.
> 
> BTW, it’s really easy to test this plug-in by simply having all HTTP
> traffic traverse The Fiddler2 & then watch and inspect any HTTP traffic
> you might see. Optionally, you can also write a Fiddler2 rule to alert
> you if it finds a pre-defined chunk of text. This is helpful for
> automatically finding matches on session info and OAuth tokens.
> 
> Let me know if you need additional information or help.
> 
> Thanks,
> 
> Jerry Decime
> Senior Security Strategist
> 
> Hewlett-Packard
> 
> *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> *Sent:* Tuesday, November 16, 2010 4:29 PM
> *To:* Decime, Jerry (IT Security)
> *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> 
> Dear Jerry,
> 
> Thank you for contacting the Electronic Frontier Foundation (EFF) with
> your concerns. Do you know if you are using the release version of the
> software, or the more aggressive development version? That would be
> helpful information for us. We are working to close the gaps and
> appreciate information of this nature.
> 
> Should you be interested in more information on HTTPS Everywhere, please
> see the FAQ at http://www.eff.org/https-everywhere/faq or consider
> joining the HTTPS Everywhere mailing list
> https://falcon.eff.org/mailman/listinfo/https-everywhere.
> 
> Again, thank you for your conscientious work and for sharing the
> information with us.
> 
> Yours,
> 
> Rebecca S. Reagan
> Intake Coordinator
> 
> On 11/16/10 12:43 PM, Decime, Jerry (IT Security) wrote:
> 
> Attached is an HTTP capture using “The Fiddler2” which shows that your
> HTTPS Everywhere plug-in for Firefox clearly does not guard against the
> capture of session keys on Facebook since it doesn’t enforce HTTPS for
> all sub domains containing sensitive session information. In the capture
> file please reference requests for:
> 
> http://apps.facebook.com
> 
> http://static.ak.connect.facebook.com
> 
> http://pixel.facebook.com
> 
> I confirmed that the cookies available via these sub domains include
> Facebook session information which could be used to authenticate a
> session as the user:
> 
> From www.facebook.com which is over HTTPS and
> protected -> Cookie:
> datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> 
> From apps.facebook.com which is over HTTP and not protected & confirms
> the possibility of session hijack -> Cookie:
> datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> 
> I downloaded the plug-in today, just before testing & installed it in a
> browser which has never had the plug-in installed (using Firefox
> 3.6.12). It enforces HTTPS elsewhere on Facebook, but not all sub
> domains as shown in the attached capture.
> 
> Thanks,
> 
> Jerry Decime
> 
> Senior Security Strategist
> 
> Hewlett-Packard
> 
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
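Editor's added example (not code from the thread, from the EFF, or from HTTPS Everywhere itself): a client-side check of the "second layer of defense" Peter mentions above. It parses an update.rdf manifest, requires that `updateLink` be an https URL on a trusted host, and verifies the file body against the `updateHash` attribute. The `<RDF:Description>` attributes are the ones quoted in Jerry's message; the enclosing `<RDF:RDF>` wrapper, the trusted-host list, and the XPI bytes are assumptions constructed for the example. The update.rdf signature check Firefox performs is a separate mechanism and is not modelled here.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by Mozilla update.rdf manifests.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"

# Constructed sample manifest. The <RDF:Description> attributes are the ones
# quoted in the thread; the enclosing <RDF:RDF> wrapper is assumed.
SAMPLE_MANIFEST = f"""<RDF:RDF xmlns:RDF="{RDF_NS}" xmlns:NS1="{EM_NS}">
  <RDF:Description RDF:about="rdf:#$ybGCJ1"
      NS1:id="{{ec8030f7-c20a-464f-9b0e-13a3a9e97384}}" NS1:minVersion="3.5"
      NS1:maxVersion="4.*"
      NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
      NS1:updateHash="sha1:31f800d2b1d15e994cdea0fbf0fdd72cf50c03b5"/>
</RDF:RDF>
"""

# Hosts an update may be fetched from (assumption for this example).
TRUSTED_HOSTS = frozenset({"www.eff.org"})
SUPPORTED_ALGOS = frozenset({"sha1", "sha256", "sha512"})


def parse_update_entries(manifest_xml):
    """Return [{'updateLink': ..., 'updateHash': ...}] for every Description
    element that carries both attributes."""
    root = ET.fromstring(manifest_xml)
    entries = []
    for desc in root.iter(f"{{{RDF_NS}}}Description"):
        link = desc.get(f"{{{EM_NS}}}updateLink")
        digest = desc.get(f"{{{EM_NS}}}updateHash")
        if link and digest:
            entries.append({"updateLink": link, "updateHash": digest})
    return entries


def expected_hash_for(xpi_bytes, algo="sha1"):
    """Build an updateHash value ('algo:hex') for a given XPI body."""
    return f"{algo}:{hashlib.new(algo, xpi_bytes).hexdigest()}"


def check_entry(entry, xpi_bytes):
    """Return a list of problems; an empty list means the entry is acceptable.

    The checks mirror the two layers discussed in the thread: the transport
    the XPI is fetched over, and the hash that binds the manifest to the file.
    """
    problems = []
    url = urlparse(entry["updateLink"])
    if url.scheme != "https":
        problems.append("updateLink is not https")
    if url.hostname not in TRUSTED_HOSTS:
        problems.append(f"updateLink host {url.hostname!r} is not trusted")

    m = re.fullmatch(r"([a-z0-9]+):([0-9a-fA-F]+)", entry["updateHash"])
    if not m:
        problems.append("updateHash is malformed")
        return problems
    algo, expected = m.group(1), m.group(2).lower()
    if algo not in SUPPORTED_ALGOS:
        problems.append(f"unsupported hash algorithm {algo!r}")
        return problems
    actual = hashlib.new(algo, xpi_bytes).hexdigest()
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(actual, expected):
        problems.append("updateHash mismatch")
    return problems


if __name__ == "__main__":
    # Constructed body; it is not the real https-everywhere-0.9.6.xpi, so
    # the hash quoted in the thread will not match it.
    xpi = b"constructed XPI body"
    entry = parse_update_entries(SAMPLE_MANIFEST)[0]
    print("page manifest vs constructed body:", check_entry(entry, xpi))
    good = {"updateLink": entry["updateLink"],
            "updateHash": expected_hash_for(xpi)}
    print("matching hash:", check_entry(good, xpi))
    swapped = {"updateLink": "http://mirror.example.net/https-everywhere-0.9.6.xpi",
               "updateHash": expected_hash_for(xpi)}
    print("rewritten updateLink:", check_entry(swapped, xpi))
```

The hash check only helps if the manifest itself cannot be altered in transit, which is why the transport check and the manifest signature matter together: an attacker who can rewrite `updateLink` can rewrite `updateHash` to match whatever they serve.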
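Editor's added example (not code from the thread, from Facebook, or from HTTPS Everywhere) for Jerry's earliest message about session cookies reaching `apps.facebook.com`, `static.ak.connect.facebook.com` and `pixel.facebook.com` over plain HTTP. It models the browser's cookie-sending rules (RFC 6265 domain matching plus the `Secure` attribute) over a constructed cookie jar and the four requests named in the thread, lists which session cookies would be sent in the clear, and shows that setting `Secure` on those cookies server-side stops the leak even when an extension only rewrites some hosts to HTTPS. Cookie values are placeholders, the cookie domain `.facebook.com` and the set of session-cookie names are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # as set by the server, e.g. ".facebook.com"
    secure: bool     # the Secure attribute


# Constructed cookie jar modelled on the cookie names quoted in the thread;
# the values are placeholders, not real session material.
SAMPLE_JAR = [
    Cookie("c_user", "CONSTRUCTED_USER_ID", ".facebook.com", secure=False),
    Cookie("sid", "CONSTRUCTED_SID", ".facebook.com", secure=False),
    Cookie("xs", "CONSTRUCTED_SESSION_SECRET", ".facebook.com", secure=False),
    Cookie("locale", "en_US", ".facebook.com", secure=False),
]

# Cookie names that identify or authenticate the session (assumption).
SESSION_COOKIES = frozenset({"c_user", "sid", "xs"})

# Requests from the capture described in the thread: one rewritten to HTTPS,
# three sub domains that stayed on plain HTTP.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/",
    "http://apps.facebook.com/",
    "http://static.ak.connect.facebook.com/",
    "http://pixel.facebook.com/",
]


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching: the host equals the cookie
    domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent(jar, url):
    """Cookies a browser would attach to this request: the domain must
    match, and Secure cookies only travel over https."""
    u = urlparse(url)
    return [c for c in jar
            if domain_matches(u.hostname, c.domain)
            and (u.scheme == "https" or not c.secure)]


def plaintext_session_leaks(jar, requests, sensitive=SESSION_COOKIES):
    """(url, cookie name) pairs where a session cookie goes out over http."""
    leaks = []
    for url in requests:
        if urlparse(url).scheme != "http":
            continue
        for c in cookies_sent(jar, url):
            if c.name in sensitive:
                leaks.append((url, c.name))
    return leaks


def with_secure_flag(jar, names=SESSION_COOKIES):
    """Server-side fix: the same jar with Secure set on the session cookies."""
    return [Cookie(c.name, c.value, c.domain, secure=True) if c.name in names else c
            for c in jar]


if __name__ == "__main__":
    for url, name in plaintext_session_leaks(SAMPLE_JAR, SAMPLE_REQUESTS):
        print(f"session cookie {name} sent in the clear to {url}")
    fixed = with_secure_flag(SAMPLE_JAR)
    print("after Secure flag:",
          plaintext_session_leaks(fixed, SAMPLE_REQUESTS))
```

The point the model makes concrete: because the cookies are scoped to the parent domain, rewriting `www.facebook.com` to HTTPS protects only that one host; every sibling host still on HTTP receives the same session cookies. Either every host that matches the cookie domain must be rewritten, or the cookies must carry `Secure` so the browser refuses to send them over plaintext at all.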


