[Tor2web-talk] Serious bug in Tor2web software
Fabio Pietrosanti - lists
lists at infosecurity.ch
Thu Nov 13 11:33:11 CET 2014
On 11/13/14 9:16 AM, Giovanni Pellerano wrote:
> so we have to take a decision and all are not correct and contain
> problems as for what they fix they open other bugs:
> 1) instead of opening automatically a socksv5 to 80, portknock the
> 443, if it works open the 443 and use it; (and we can cache this to
> continue to use the 443, but what if a hidden service opens 80 and
> 443 for different reasons? we will end up always serving the 443)
> 2) automatically try to follow the redirect Location:
> https://facebook.onion in a transparent way for the user. also this
> opens the possibility for tor2web to be forced to reload reload reload
> funny stuff attacking it (that will need to be managed with a funny
> cycle counter)
But Facebook is issuing an HTTP 302 redirect to https://facebook.onion,
and "https://" is mapped by RFC to port 443.
So:
HTTP = 80
HTTPS = 443
The fix should:
- Follow HTTP 302 redirect
- Support "TLS/SSL" client to handle "https"
The policy I would suggest considering is:
- Follow HTTP 302 redirect only if it goes to a .onion domain
- Do not validate any TLS certificate
Fabio
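
The redirect policy discussed in this message (follow a 302 only to a .onion host, map the scheme to its port, and bound the number of hops), as an added example that is not Tor2web's code. The names `next_hop`, `resolve`, `RedirectRefused`, the caller-supplied `fetch` callable and the limit of 5 hops are assumptions.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme-to-port mapping from the message
MAX_REDIRECTS = 5  # assumed cap; the thread does not name a number


class RedirectRefused(Exception):
    """The redirect falls outside the policy and must not be followed."""


def next_hop(current_url, location, hops):
    """Return (scheme, host, port, url) for an allowed 302 target, else raise."""
    if hops >= MAX_REDIRECTS:
        raise RedirectRefused("redirect limit reached")
    url = urljoin(current_url, location)  # Location may be relative
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise RedirectRefused("unsupported scheme: %r" % scheme)
    host = (parts.hostname or "").rstrip(".")
    # Compare the parsed host, not the raw string, so that
    # "https://x.onion.example.com/" or "https://x.onion@example.com/" fail.
    if not host.endswith(".onion") or host == ".onion":
        raise RedirectRefused("target is not a .onion host: %r" % host)
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        raise RedirectRefused("invalid port in Location")
    return scheme, host, port, url


def resolve(start_url, fetch):
    """Follow 302s; fetch(url) -> (status, location) is supplied by the caller."""
    url, seen, hops = start_url, {start_url}, 0
    while True:
        status, location = fetch(url)
        if status != 302 or not location:
            return url
        url = next_hop(url, location, hops)[3]
        if url in seen:
            raise RedirectRefused("redirect loop")
        seen.add(url)
        hops += 1
```
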