Georg - I noticed you strip off the WWW-Authenticate header from 3rd party responses. Does that serve any security purpose, or does it exist just to prevent 3rd parties from being able to open auth prompts?
I am thinking that we might want the auth prompts to show up. They would be evidence of a tracking attack using this mechanism. If the adversary doesn't get the Authenticate header they want and then sets WWW-Authenticate, the browser would effectively be alerting the user that the site is trying to track them.
It might also help users diagnose issues in the event that this feature breaks some other site that requires 3rd party auth.
> Georg - I noticed you strip off the WWW-Authenticate header from 3rd party responses. Does that serve any security purpose, or does it exist just to prevent 3rd parties from being able to open auth prompts?
It does serve a security purpose. If one would not do this, 3rd party sites would be able to track users without notice, i.e. without creating an auth prompt at all, until one isolates HTTP auth to the urlbar. The status quo is by far not perfect but was the only solution I was capable of implementing within a short timeframe.
> I am thinking that we might want the auth prompts to show up. They would be evidence of a tracking attack using this mechanism. If the adversary doesn't get the Authenticate header they want and then sets WWW-Authenticate, the browser would effectively be alerting the user that the site is trying to track them.
We were pondering that question and, yes, it is quite appealing to show the auth prompts. And basically you get that feature for free already if you do not strip off the 3rd party response headers but the 3rd party request headers (meaning: "Authorization: ..."). The thing is, getting e.g. a 401 back from the server while there are already proper authentication tokens in the cache makes Firefox "think" that there might be something wrong here and an auth prompt shows up. The big problem is to explain to the normal user what is going on. If they just surf the web and suddenly get an auth prompt, I bet almost nobody knows what to do here. One solution that comes to my mind would be to somehow hook into these dialogs and show e.g. a red warning text. While hooking into dialogs is not a problem, I fear that it is hard to get just those we want.
> It might also help users diagnose issues in the event that this feature breaks some other site that requires 3rd party auth.
While I cannot imagine that one really needs this kind of authentication, I can imagine that some people have already implemented it. And therefore, yes, that may help debugging as well. Hence, if we solve the above problem with transporting the issue to John Doe iff there is a 3rd party tracking risk, then I am in favor of getting an auth prompt at any rate.
> > I am thinking that we might want the auth prompts to show up. They would be evidence of a tracking attack using this mechanism. If the adversary doesn't get the Authenticate header they want and then sets WWW-Authenticate, the browser would effectively be alerting the user that the site is trying to track them.
> We were pondering that question and, yes, it is quite appealing to show the auth prompts. And basically you get that feature for free already if you do not strip off the 3rd party response headers but the 3rd party request headers (meaning: "Authorization: ..."). The thing is, getting e.g. a 401 back from the server while there are already proper authentication tokens in the cache makes Firefox "think" that there might be something wrong here and an auth prompt shows up. The big problem is to explain to the normal user what is going on. If they just surf the web and suddenly get an auth prompt, I bet almost nobody knows what to do here. One solution that comes to my mind would be to somehow hook into these dialogs and show e.g. a red warning text. While hooking into dialogs is not a problem, I fear that it is hard to get just those we want.
I think we're going to leave WWW-Authenticate in, then. I think some notification at this point is better than no notification. At least this way, we have a shot at a smart user catching a malicious exit node that is attempting to track users with this attack.
I will open another ticket for fixing the dialog, and/or hooking it.
I also saw in your comment that you believe the API may fail in some cases? If you would like to gpg mail me example test URLs, I can work on finding the points in the Firefox source causing the failures and patching them.
I am also renaming this ticket to reflect the solution. I think simply disabling 3rd party auth seems like a fine option until we get complaints. Very few sites use auth, and I bet everyone who still does uses it first party. Unless you disagree?
Trac: Summary: "Isolate HTTP Auth to top-level domain" to "Disable 3rd party auth"; Keywords: N/A deleted, MikePerryIterationFires20110828 added
Ok, I committed the fix for this. It is the same as the JonDos fix, except that we do not strip WWW-Authenticate.
Georg, feel free to continue to comment on this ticket and/or email me. I am just closing it because I intend for future work to be done in other tickets.
Trac: Resolution: N/A to fixed; Actualpoints: N/A to 2; Status: new to closed; Points: N/A to 2
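The two policies weighed in this ticket, as an added example that is not code from the ticket, Torbutton, JonDoFox or Firefox: a simplified model in which cached credentials are dropped from 3rd party requests and WWW-Authenticate is either stripped or left in. The function names, the two-label "site" heuristic, the URLs and the rule "prompt = 401 plus a visible challenge" are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not Torbutton, JonDoFox or Firefox code.
// Crude "site" = last two host labels; a real browser uses the Public Suffix List.
const site = (url) => new URL(url).hostname.split('.').slice(-2).join('.');
const isThirdParty = (topUrl, reqUrl) => site(topUrl) !== site(reqUrl);

// Case-insensitive header helpers over plain objects.
const has = (h, name) => Object.keys(h).some((k) => k.toLowerCase() === name.toLowerCase());
const without = (h, name) => Object.fromEntries(
  Object.entries(h).filter(([k]) => k.toLowerCase() !== name.toLowerCase()));

// Both policies in the thread drop cached credentials on third-party requests.
function filterRequest(topUrl, reqUrl, headers) {
  return isThirdParty(topUrl, reqUrl) ? without(headers, 'Authorization') : headers;
}

// stripChallenge: true  = also remove WWW-Authenticate from third-party responses
// stripChallenge: false = leave it in, so the browser's auth prompt can appear
function filterResponse(topUrl, reqUrl, headers, policy) {
  return isThirdParty(topUrl, reqUrl) && policy.stripChallenge
    ? without(headers, 'WWW-Authenticate') : headers;
}

// Constructed server: challenges every request that arrives without credentials.
function challengingServer(reqHeaders) {
  return has(reqHeaders, 'Authorization')
    ? { status: 200, headers: {} }
    : { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="constructed"' } };
}

// One request/response round trip; the prompt rule is modelled as 401 + challenge.
function simulate(topUrl, reqUrl, cachedAuth, policy) {
  const sent = filterRequest(topUrl, reqUrl, { Authorization: cachedAuth });
  const res = challengingServer(sent);
  const seen = filterResponse(topUrl, reqUrl, res.headers, policy);
  return {
    credentialsSent: has(sent, 'Authorization'),
    promptShown: res.status === 401 && has(seen, 'WWW-Authenticate'),
  };
}

const TOP = 'https://news.example/';             // constructed URLs
const EMBED = 'https://cdn.tracker.example/pixel.gif';
const AUTH = 'Basic Y29uc3RydWN0ZWQ6dmFsdWU=';  // constructed value
console.log(simulate(TOP, 'https://static.news.example/a.css', AUTH, { stripChallenge: false }));
console.log(simulate(TOP, EMBED, AUTH, { stripChallenge: true }));
console.log(simulate(TOP, EMBED, AUTH, { stripChallenge: false }));
```

In this model the 3rd party never receives the cached credentials under either policy; the only difference is whether the user sees a prompt when the embedded host answers with a challenge.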