Opened 3 months ago

Last modified 3 months ago

#30343 new defect

TBB Gives HTTPS Green Lock for misconfigured SSL/TLS

Reported by: bo0od Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I have just reported a flaw with passing a misconfigured ssl/tls certificate which is allowing MITM. I reported that against https-everywhere but they answered it that https-everywhere doesnt access ssl info. So maybe it is a browser level issue?

otherwise really what is the use of green lock and https-everywhere plugin if a website pretend to be having ssl/tls connection while in fact its just fake one and MITM is possible through it ?

SSL test:

https://www.ssllabs.com/ssltest/analyze.html?d=zu.ac.ae

HTTPS-Everywhere Github Ticket:

https://github.com/EFForg/https-everywhere/issues/17851#event-2309447045

Child Tickets

Change History (2)

comment:1 Changed 3 months ago by gk

Parent ID: #30335

comment:2 Changed 3 months ago by gk

Sounds like an upstream issue. Could you file a bug at Mozilla's bugzilla as I assume Firefox is affected here as well? (Please add the ticket number here for reference)

Note: See TracTickets for help on using tickets.