[tor-bugs] #30335 [HTTPS Everywhere/EFF-HTTPS Everywhere]: HTTPS-Everywhere handshake check flaw
    Tor Bug Tracker & Wiki 
    blackhole at torproject.org
       
    Tue Apr 30 03:21:45 UTC 2019
    
    
  
#30335: HTTPS-Everywhere handshake check flaw
-------------------------+-------------------------------------------------
 Reporter:  bo0od        |          Owner:  legind
     Type:  defect       |         Status:  new
 Priority:  High         |      Component:  HTTPS Everywhere/EFF-HTTPS
                         |  Everywhere
  Version:               |       Severity:  Major
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
-------------------------+-------------------------------------------------
 When someone visits a website, and that website has configured TLS to be
 useless and vulnerable to MITM (not checking if there is "Protocol Support"
 and "Cipher Strength"), then it is a real flaw of HTTPS-Everywhere to pass
 this as a secure connection.
 E.g., to make this very clear:
 https://www.ssllabs.com/ssltest/analyze.html?d=zu.ac.ae
 This is an F website and allows MITM due to insecure renegotiation. But
 when you visit the website while HTTPS-Everywhere is enabled, it will not
 read it as an insecure connection or even show a yellow sign that the
 connection is not encrypted (by the browser lock).
 So whether this is an HTTPS-Everywhere flaw or a TBB one, something is wrong
 here.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30335>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online