[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue May 8 21:35:42 UTC 2012
#5477: Surprising DOM origins before HTTPS-E/NoScript redirects have completed
-------------------------------------+--------------------------------------
Reporter: Drugoy | Owner: ma1
Type: defect | Status: reopened
Priority: blocker | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Resolution: | Keywords: MikePerry201204
Parent: | Points: 7
Actualpoints: 7 |
-------------------------------------+--------------------------------------
Comment(by pde):
Mike, what I observe is the same as what you observe, and I believe the
vulnerability, if there is one, is state number 2.
On its face that does not look easily exploitable, but I think there are
at least theoretical grounds for concern. For example, an active network
attacker could induce state 2 and then drop a whole lot of packets or slow
them down to an absolute trickle. That might cause state 2 to persist for
30 seconds or longer, perhaps enough to trick a user into completing a
password dialog.
--
Ticket URL: <https://trac.torproject.org:443/projects/tor/ticket/5477#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list