Opened 8 months ago

Closed 8 months ago

#30335 closed defect (wontfix)

HTTPS-Everywhere handshake check flaw

Reported by: bo0od Owned by: legind
Priority: High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When someone visit website , and that website configured TLS to be useless and vulnerable to MITM (not checking if there is "Protocol Support" and "Cipher Strength") then this is real flaw of HTTPS-Everywhere to pass this as secure connection.

E.g to make this very clear:

https://www.ssllabs.com/ssltest/analyze.html?d=zu.ac.ae

This is an F website and allows MITM due to insecure renegotiation. But when you visit the website while HTTPS-Everwhere enabled it will not read it as insecure connection or even showing yellow sign that the connection is not encrypted (by the lock browser).

So whether this HTTPS-Everywhere flaw or TBB , something is wrong here.

Child Tickets

Change History (1)

comment:1 Changed 8 months ago by gk

Resolution: wontfix
Status: newclosed

Seems the HTTPS Everywhere folks don't think this is a thing they can fix: https://github.com/EFForg/https-everywhere/issues/17851#event-2309447045

Note: See TracTickets for help on using tickets.