Bug 639764 - MITM attacker can intercept background SSL connections without warning
Status: RESOLVED FIXED
Product: epiphany
Classification: Core
Component: Passwords, Cookies, & Certificates
Version: 3.12.x (obsolete)
Hardware/OS: Other All
Importance: Immediate critical
Target Milestone: ---
Assigned To: Epiphany Maintainers
Depends on: 708847
Blocks: 721283
Reported: 2011-01-17 17:14 UTC by Matt McCutchen
Modified: 2014-08-08 14:44 UTC
See Also:
GNOME target: ---
GNOME version: 3.1/3.2



Description Matt McCutchen 2011-01-17 17:14:10 UTC
Epiphany is willing to connect to an SSL server regardless of the certificate. The lock in the URL bar indicates whether the main HTML page was received via a connection with a good certificate. This is argued to be insufficient warning (bug 542454). But quite apart from that, the certificate status of connections other than the one used to retrieve the main HTML page is not indicated at all. A MITM attacker can intercept these "background" connections and respond with malicious data while the lock in the URL bar remains unbroken.

In my testing, when Epiphany loads a page with multiple embedded items, it opens one or more background connections in addition to the main connection and retrieves the items in parallel across all the connections.  Thus, Epiphany's SSL implementation provides no security against a MITM attacker on a modern web site with multiple <script src> tags, such as this bug tracker, since the attacker can substitute arbitrary script that will run in the site's security origin.

For steps to reproduce, see https://bugzilla.redhat.com/show_bug.cgi?id=643224 .
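The state-aggregation defect described in this report, written out as an added Python sketch; it is not Epiphany or WebKit code, and the `Resource` type, the two policy functions and the example URLs are all constructed for illustration. It contrasts the reported behaviour (lock mirrors the main document only, every subresource accepted) with the fix comment 2 describes (background loads whose connection fails verification are dropped).

```python
from dataclasses import dataclass

# Hypothetical model of one fetched resource and the TLS state of the
# connection that carried it (assumption: one resource per connection here).
@dataclass(frozen=True)
class Resource:
    url: str
    kind: str             # "document", "script", "image", ...
    cert_verified: bool   # did the certificate on this connection validate?

def policy_main_only(main, subresources):
    """Defective policy this bug describes: the lock mirrors the main
    document's connection, and subresources are used regardless of the
    certificate state of the background connection they arrived on."""
    return {"lock": main.cert_verified, "accepted": list(subresources)}

def policy_drop_unverified(main, subresources):
    """Fixed policy (comment 2): a background load whose connection fails
    certificate verification is silently dropped, never handed to the page."""
    accepted = [r for r in subresources if r.cert_verified]
    return {"lock": main.cert_verified, "accepted": accepted}

def unverified_scripts(result):
    """Scripts the page would execute although their connection was not
    verified: the attacker-substituted content the report is about."""
    return [r.url for r in result["accepted"]
            if r.kind == "script" and not r.cert_verified]

# Constructed scenario: the main document arrives on a verified connection,
# while a <script src> fetched over a parallel background connection was
# answered by an interceptor presenting an untrusted certificate.
MAIN = Resource("https://example.test/", "document", True)
SUBS = [
    Resource("https://example.test/app.js", "script", False),
    Resource("https://example.test/logo.png", "image", True),
]

def compare_policies(main=MAIN, subs=SUBS):
    """Run both policies on the scenario and report what each lets through."""
    return {
        "main_only": unverified_scripts(policy_main_only(main, subs)),
        "drop_unverified": unverified_scripts(policy_drop_unverified(main, subs)),
        "lock_shown": policy_main_only(main, subs)["lock"],
    }

if __name__ == "__main__":
    # With the defective policy the lock is shown while app.js runs unverified.
    print(compare_policies())
```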
Comment 1 Jeremy Nickurak 2011-10-17 16:30:46 UTC
Priority: immediate; "is a security issue in a released version of the software."
Comment 2 Michael Catanzaro 2014-07-10 23:30:35 UTC
Thanks for the simple test case. This is fixed by attachment #280439 in bug #708847 (though the commit message does not indicate this) which causes background connections that fail to be silently dropped. (I've verified that this is the same behavior as Firefox, so I think that's sufficient.)
Comment 3 Michael Catanzaro 2014-08-08 14:44:41 UTC
Matt, sorry this serious bug went unresolved for so long. It should be fixed in our upcoming 3.14 release.