Opened 5 years ago

Closed 4 years ago

#16534 closed defect (fixed)

Failed to remove debugging options in Firefox

Reported by: ioerror
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


It is possible to set an environment variable, SSLKEYLOGFILE, that when set will export the CLIENT_RANDOM of Firefox's SSL/TLS handshakes to a file. This can include a Windows file share URL - meaning that the CLIENT_RANDOM data would then be streamed to the remote server. Furthermore, I think this means that a better attacker can attach to Firefox and simply use these functions to extract keying information.

I propose that we disable this functionality and also that we remove the code that makes this possible - or even better - we hook it and panic if someone tries to use it.

Relevant Mozilla bug:
Relevant Google discussion:!topic/

I have tested this against Tor Browser by running this command:
SSLKEYLOGFILE=/tmp/tb-keys.log ./start-tor-browser.desktop

Change History (5)

comment:1 Changed 5 years ago by ioerror

I would be unsurprised if it was possible to use /dev/tcp as it is possible to use
windowsfileshareserver\filename for exfiltration of keying material.

comment:2 Changed 5 years ago by ioerror

I should add that this issue was mentioned to me by an anonymous reporter - thanks for the tip!

comment:3 Changed 5 years ago by mikeperry

Keywords: tbb-security added; security removed

comment:4 Changed 5 years ago by gk

Cc: gk added

comment:5 Changed 4 years ago by gk

Resolution: fixed
Severity: Normal
Status: new → closed

Fixed by #18885.
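
A defender-side check for the condition this ticket describes, added here as an example (it is not code from the ticket, Tor Browser or Mozilla): it scans Linux /proc/<pid>/environ for processes started with SSLKEYLOGFILE set and classifies where the key log would go. The function names and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit running processes for SSLKEYLOGFILE (Linux /proc layout).

# Print the SSLKEYLOGFILE value stored in a NUL-separated environ file, if any.
keylog_target() {
    tr '\000' '\n' 2>/dev/null < "$1" | sed -n 's/^SSLKEYLOGFILE=//p' | head -n 1
}

# Classify where the key log would be written. The remote-share and /dev/tcp
# cases are the exfiltration paths raised in the ticket and its first comment.
classify_target() {
    case "$1" in
        '')                     echo unset ;;
        \\\\*|//*)              echo remote-share ;;
        /dev/tcp/*|/dev/udp/*)  echo network-device ;;
        *)                      echo local-file ;;
    esac
}

# Walk <root>/<pid>/environ (root defaults to /proc) and print one
# tab-separated line per process that has the variable set: pid, class, target.
scan_procs() {
    root="${1:-/proc}"
    for f in "$root"/[0-9]*/environ; do
        [ -r "$f" ] || continue
        target=$(keylog_target "$f")
        [ -n "$target" ] || continue
        pid=${f%/environ}
        pid=${pid##*/}
        printf '%s\t%s\t%s\n' "$pid" "$(classify_target "$target")" "$target"
    done
}

# Constructed sample: a fake /proc tree with one clean and one affected process.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/100" "$dir/200"
    printf 'HOME=/home/u\000LANG=C\000' > "$dir/100/environ"
    printf 'HOME=/home/u\000SSLKEYLOGFILE=/tmp/tb-keys.log\000' > "$dir/200/environ"
    echo "$dir"
}

sample=$(make_sample)
scan_procs "$sample"      # reports pid 200 only
rm -rf "$sample"
```

Calling scan_procs with no argument audits the live /proc; only processes whose environ the caller can read are covered.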
