[tor-bugs] #3748 [TorBrowserButton]: Disable 3rd party auth (was: Isolate HTTP Auth to top-level domain)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Aug 27 22:13:12 UTC 2011

#3748: Disable 3rd party auth
 Reporter:  mikeperry                        |          Owner:  mikeperry                    
     Type:  defect                           |         Status:  new                          
 Priority:  major                            |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  TorBrowserButton                 |        Version:                               
 Keywords:  MikePerryIterationFires20110828  |         Parent:                               
   Points:                                   |   Actualpoints:                               
Changes (by mikeperry):

  * keywords:  => MikePerryIterationFires20110828


 Replying to [comment:3 gk]:
 > > I am thinking that we might want the auth prompts to show up. They
 would be evidence of a tracking attack using this mechanism. If the
 adversary doesn't get the Authenticate header they want and then sets WWW-
 Authenticate, the browser would effectively be alerting the user that the
 site is trying to track them.
 > We were pondering that question and, yes, it is quite appealing to show
 the auth prompts. And basically you get that feature for free already if
 you do not strip off the 3rd party response headers but the 3rd party
 request headers (meaning: "Authorization: ..."). The thing is getting e.g.
 a 401 back from the server while there are already proper authentication
 tokens in the cache makes Firefox "think" that there might something wrong
 here and an auth prompt shows up. The big problem is to explain to the
 normal user what is going on. If they just surf the web and suddenly get
 an auth prompt I bet almost nobody knows what to do here. One solution
 that comes to my mind would be to somehow hook int these dialogs and show
 e.g. a red warning text. While hooking into dialogs is not a problem I
 fear that it is hard to get just those we want.

 I think we're going to leave WWW-Authenticate in, then. I think some
 notification at this point is better than no notification. At least this
 way, we have a shot at a smart user catching a malicious exit node that is
 attempting to track users with this attack.

 I will open another ticket for fixing the dialog, and/or hooking it.

 I also saw in your comment that you believe the API may fail in some
 cases? If you would like to gpg mail me example test URLs, I can work on
 finding the points in the Firefox source causing the failures and patching

 I am also renaming this ticket to reflect the solution. I think simply
 disabling 3rd party auth seems like a fine option until we get complaints.
 Very few sites use auth, and I bet everyone who still does uses it first
 party. Unless you disagree?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3748#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list