lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <AANLkTinuk8GLXY4o69I9VXCqT-W54J4UXQR0GRgkP0Fc@mail.gmail.com>
Date: Tue, 29 Jun 2010 02:18:41 +0200
From: Dan Kaminsky <dan@...para.com>
To: Chris Evans <scarybeasts@...il.com>
Cc: Lavakumar Kuppan <lava@...labs.org>, full-disclosure@...ts.grok.org.uk
Subject: Re: Chrome and Safari users open to stealth HTML5
	Application Cache attack

On Tue, Jun 29, 2010 at 12:41 AM, Chris Evans <scarybeasts@...il.com> wrote:

> On Mon, Jun 28, 2010 at 1:30 PM, Dan Kaminsky <dan@...para.com> wrote:
> >
> >> In summary, any http hit on an insecure network is dangerous on all
> >> browsers.
> >> (FWIW, Chromium resolves this for me. When I type mail<enter> into the
> >> omnibar, it auto-completes to https://mail.google.com/)
> >>
> >
> > Actually, I see this as a legitimate gap.  HTTP links don't cache-mix
> with
> > HTTPS links, and cookies can have server-side integrity checking to
> prevent
> > HTTP pollution (lets not talk about the secure tag for cookies), but if
> it
> > is indeed the case that there is no way to have a HTTPS-exclusive
> > Application Cache, then that is a feature killing bug that's been
> > legitimately called out.
>
> Eh? Lava's attack poisons a plain HTTP resource. As per "regular"
> caching, Application Cache is supposed to separate the effects of HTTP
> and HTTPS responses.
>

==
On unsecured networks, attackers could stealthily
create malicious Application Caches in the browser of victims for even HTTPS
sites.
It has always been possible to poison the browser cache and compromise the
victim's account for HTTP based sites.
With HTML5 Application Cache, it is possible to poison the cache of even
HTTPS sites.
==

Is it agreed that if the above is true -- meaning, separation doesn't
actually exist -- then there's a bug?





>
>
> Cheers
> Chris
>
> >
> > --Dan
> >
> >
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ