Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#3748 closed defect (fixed)

Disable 3rd party HTTP auth

Reported by: mikeperry Owned by: mikeperry
Priority: High Milestone: TorBrowserBundle 2.2.x-stable
Component: TorBrowserButton Version:
Severity: Keywords: MikePerryIterationFires20110828
Cc: g.koppen@… Actual Points: 2
Parent ID: Points: 2
Reviewer: Sponsor:

Description

Georg Koppen believes there is a way to isolate HTTP auth to the urlbar domain by registering http observers and hashing+filtering the auth headers.

I need to keep an eye on his work, and fold it in if possible.

Child Tickets

Change History (6)

comment:1 Changed 8 years ago by mikeperry

Cc: g.koppen@… added

comment:2 Changed 8 years ago by mikeperry

Georg - I noticed you strip off the WWW-Authenticate header from 3rd party responses. Does that serve any security purpose, or does it exist just to prevent 3rd parties from being able to open auth prompts?

I am thinking that we might want the auth prompts to show up. They would be evidence of a tracking attack using this mechanism. If the adversary doesn't get the Authenticate header they want and then sets WWW-Authenticate, the browser would effectively be alerting the user that the site is trying to track them.

It might also help users diagnose issues in the event that this feature breaks some other site that requires 3rd party auth.

What do you think?

comment:3 in reply to:  2 ; Changed 8 years ago by gk

Georg - I noticed you strip off the WWW-Authenticate header from 3rd party responses. Does that serve any security purpose, or does it exist just to prevent 3rd parties from being able to open auth prompts?

I does serve a security purpose. If one would not do this 3rd party sites would be able to track users without notice, i.e. without creating an auth prompt at all, until one isolates HTTP auth to the urlbar. The status quo is by far not perfect but was the only solution I was capable of implementing within a short timeframe.

I am thinking that we might want the auth prompts to show up. They would be evidence of a tracking attack using this mechanism. If the adversary doesn't get the Authenticate header they want and then sets WWW-Authenticate, the browser would effectively be alerting the user that the site is trying to track them.

We were pondering that question and, yes, it is quite appealing to show the auth prompts. And basically you get that feature for free already if you do not strip off the 3rd party response headers but the 3rd party request headers (meaning: "Authorization: ..."). The thing is getting e.g. a 401 back from the server while there are already proper authentication tokens in the cache makes Firefox "think" that there might something wrong here and an auth prompt shows up. The big problem is to explain to the normal user what is going on. If they just surf the web and suddenly get an auth prompt I bet almost nobody knows what to do here. One solution that comes to my mind would be to somehow hook int these dialogs and show e.g. a red warning text. While hooking into dialogs is not a problem I fear that it is hard to get just those we want.

It might also help users diagnose issues in the event that this feature breaks some other site that requires 3rd party auth.

While I cannot imagine that one really needs this kind of authentication I can imagine that some people have already implemented it. And therefore, yes, that may help debugging as well. Hence, if we solve the above problem with transporting the issue to John Doe iff there is a 3rd party tracking risk than I am in favor of getting an auth prompt at any rate.

comment:4 in reply to:  3 Changed 8 years ago by mikeperry

Keywords: MikePerryIterationFires20110828 added
Summary: Isolate HTTP Auth to top-level domainDisable 3rd party auth

Replying to gk:

I am thinking that we might want the auth prompts to show up. They would be evidence of a tracking attack using this mechanism. If the adversary doesn't get the Authenticate header they want and then sets WWW-Authenticate, the browser would effectively be alerting the user that the site is trying to track them.

We were pondering that question and, yes, it is quite appealing to show the auth prompts. And basically you get that feature for free already if you do not strip off the 3rd party response headers but the 3rd party request headers (meaning: "Authorization: ..."). The thing is getting e.g. a 401 back from the server while there are already proper authentication tokens in the cache makes Firefox "think" that there might something wrong here and an auth prompt shows up. The big problem is to explain to the normal user what is going on. If they just surf the web and suddenly get an auth prompt I bet almost nobody knows what to do here. One solution that comes to my mind would be to somehow hook int these dialogs and show e.g. a red warning text. While hooking into dialogs is not a problem I fear that it is hard to get just those we want.

I think we're going to leave WWW-Authenticate in, then. I think some notification at this point is better than no notification. At least this way, we have a shot at a smart user catching a malicious exit node that is attempting to track users with this attack.

I will open another ticket for fixing the dialog, and/or hooking it.

I also saw in your comment that you believe the API may fail in some cases? If you would like to gpg mail me example test URLs, I can work on finding the points in the Firefox source causing the failures and patching them.

I am also renaming this ticket to reflect the solution. I think simply disabling 3rd party auth seems like a fine option until we get complaints. Very few sites use auth, and I bet everyone who still does uses it first party. Unless you disagree?

comment:5 Changed 8 years ago by mikeperry

Actual Points: 2
Points: 2
Resolution: fixed
Status: newclosed

Ok, I committed the fix for this. It is the same as the JonDos fix, except that we do not strip WWW-Authenticate.

Georg, feel free to continue to comment on this ticket and/or email me. I am just closing it because I intend for future work to be done in other tickets.

comment:6 Changed 8 years ago by mikeperry

Summary: Disable 3rd party authDisable 3rd party HTTP auth
Note: See TracTickets for help on using tickets.