[tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Dec 9 17:16:00 UTC 2010


#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
 Reporter:  dkg                   |       Owner:  pde     
     Type:  defect                |      Status:  accepted
 Priority:  major                 |   Milestone:          
Component:  EFF-HTTPS Everywhere  |     Version:          
 Keywords:                        |      Parent:          
----------------------------------+-----------------------------------------
Changes (by pde):

  * priority:  normal => major


Comment:

 So what can we do about this?  Here are some ideas:

 1. Ask mozilla to raise the warning prompt for images and other subsidiary
 requests.

 2. Replace [^/:@] with [^/].  I think that defeats dkg's attack.
 Ironically it would leave all the rules that DON'T start with a pattern
 vulnerable.  We would need to add a pattern to the front of every (www\.)?
 rule to catch a username/password :(

 3. Use Mozilla's built in URI parsing to strip out username/password
 fields before we do URI rewriting (then add them back in, if we think
 they're ever legit?).

 4. Per rransom's suggestion, move to something like agl's proposed
 chromium syntax.
 https://mail1.eff.org/pipermail/https-everywhere/2010-November/000545.html
 There are several downsides to that.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
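Added example (not from the ticket and not HTTPS Everywhere's own code): a Node.js sketch of how a hypothetical rule of the form ^http://([^/:@]*)\.example\.com/ misses a URL that carries a username/password component, how option 2's [^/] class catches that URL but still does nothing for a bare (www\.)?example\.com rule, and how option 3 (strip the userinfo with a real URL parser, rewrite, then put it back) covers both. The rules, hostnames and sample URLs are constructed for illustration; the WHATWG URL class stands in for Mozilla's built-in URI parsing.

```javascript
// Added example (not HTTPS Everywhere code, not from the ticket): how a
// userinfo component ("user:pass@") interacts with the three approaches
// discussed in the comment.  Rules, hostnames and URLs are hypothetical.
// Runs under Node.js (uses the global WHATWG URL class).

// Hypothetical rule in the current style: the host subpattern excludes ':' and '@'.
const RULE_CURRENT = {
  from: /^http:\/\/([^\/:@]*)\.example\.com\//,
  to: 'https://$1.example.com/',
};

// Option 2 from the ticket: the same rule with [^/] instead of [^/:@].
const RULE_OPTION2 = {
  from: /^http:\/\/([^\/]*)\.example\.com\//,
  to: 'https://$1.example.com/',
};

// A rule that does NOT start with a character-class pattern.  Option 2 does
// nothing for rules of this shape, because "user:pass@" still has to match.
const RULE_BARE = {
  from: /^http:\/\/(www\.)?example\.com\//,
  to: 'https://$1example.com/',
};

// Plain regex rewrite, as a ruleset engine would do it: null when the rule
// does not match, meaning the request would stay on plain HTTP.
function applyRule(rule, url) {
  return rule.from.test(url) ? url.replace(rule.from, rule.to) : null;
}

// Option 3 from the ticket: parse the URL, strip username/password, run the
// regex against the stripped URL, then re-attach the credentials.
function applyRuleStrippingUserinfo(rule, url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not an absolute URL; nothing to rewrite
  }
  const { username, password } = parsed;
  parsed.username = '';
  parsed.password = '';
  const rewritten = applyRule(rule, parsed.href);
  if (rewritten === null) return null;
  const out = new URL(rewritten);
  out.username = username;
  out.password = password;
  return out.href;
}

// Run one URL through all approaches for side-by-side comparison.
function compare(url) {
  return {
    current: applyRule(RULE_CURRENT, url),
    option2: applyRule(RULE_OPTION2, url),
    bare: applyRule(RULE_BARE, url),
    currentStripped: applyRuleStrippingUserinfo(RULE_CURRENT, url),
    bareStripped: applyRuleStrippingUserinfo(RULE_BARE, url),
  };
}

// Constructed sample URLs: a normal one, two carrying userinfo (the case the
// ticket is about), and one whose real host is a different site altogether.
const SAMPLES = [
  'http://www.example.com/login',
  'http://user:pass@www.example.com/login',
  'http://x@example.com/',
  'http://www.example.com@evil.example/',
];

for (const u of SAMPLES) {
  console.log(u, compare(u));
}
```

The last sample is the check a practitioner wants: a URL whose userinfo happens to look like the target host must not be rewritten under any approach, and because the parser assigns "www.example.com" to the username and "evil.example" to the host, option 3 gets this right without any regex gymnastics. Whether the stripped credentials should be re-attached at all is the open question the comment raises.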
