Message-ID: <CAAeBhPfv200duAxCKnYkABgyt-34u_cP_YrrRajPWZ-Md+H9GA@mail.gmail.com>
Date: Sun, 14 Feb 2016 22:07:21 -0500
From: David Leo <httpsonly.github.io@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com, oss-security@...ts.openwall.com
Subject: [FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)

(@moderators The original post was too brief. This one has details.)

Summary

This tool completely locks the browser - just HTTPS, nothing else.
This tool is extremely simple - less than 100 lines of code (Python and JavaScript).

Why

Firefox Add-on Firesheep Brings Hacking to the Masses
http://www.pcworld.com/article/208727/Firesheep_Brings_Hacking_to_the_Masses.html
"Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic"
(Quite a while ago, it's become a "casual game")

Yes, Mozilla said, "Gradually phasing out access to browser features for non-secure websites", in April 2015.
After more than six months, they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default, but there is "Block all HTTP requests".
The problem: nothing happens when the browser tries HTTP - there should be a warning (it's incorrect behavior) and options (try HTTPS, Google Cache, etc).
People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

How

PAC (Proxy auto-config) is used:
If it's HTTPS, that's fine.
If it's HTTP, the user gets a warning and options (try HTTPS, Google Cache - it has HTTPS, etc).
Anything else, it goes to 0.0.0.0

It's a simple tool that does one job, and does it very well.

URLs

https://httpsonly.github.io/
https://github.com/httpsonly/httpsonly

Best Wishes,

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
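The three-way PAC policy the post describes (HTTPS passes, HTTP is diverted to a warning page, everything else is sent nowhere), written out as an added example. This is not the httpsonly project's own PAC script; the local warning-proxy address 127.0.0.1:8080 and the 0.0.0.0:9 sink are assumptions chosen for illustration. A PAC file can only decide where a request is routed, so the warning/options page itself has to be served by a separate local listener (the post's Python side); the decision below keys on the URL scheme alone, which is also the only part of an HTTPS URL that current browsers still hand to the PAC function.

```javascript
// Added example of a proxy auto-config (PAC) script enforcing an
// HTTPS-only policy. Not the httpsonly project's code; the proxy
// addresses below are assumptions for illustration.

// Assumed: a local helper listener that answers every HTTP request
// routed to it with the warning/options page instead of the real site.
var HTTP_WARNING_PROXY = "PROXY 127.0.0.1:8080";

// Assumed: a non-routable sink for every other scheme (ftp, ws, ...).
// Nothing listens there, so the request simply fails.
var BLACKHOLE_PROXY = "PROXY 0.0.0.0:9";

// Return the URL scheme (text before "://") lower-cased, or "" if the
// string has no scheme at all (treated as "anything else" below).
function schemeOf(url) {
  var idx = url.indexOf("://");
  if (idx < 0) return "";
  return url.slice(0, idx).toLowerCase();
}

// Entry point every PAC-capable browser calls once per request.
// It returns a proxy directive string, never page content.
function FindProxyForURL(url, host) {
  var scheme = schemeOf(url);
  if (scheme === "https") {
    return "DIRECT";            // encrypted: connect without a proxy
  }
  if (scheme === "http") {
    return HTTP_WARNING_PROXY;  // plaintext: divert to the warning page
  }
  return BLACKHOLE_PROXY;       // anything else: route to nowhere
}
```

Load the file through the browser's "automatic proxy configuration URL" setting (a file:// URL works in Firefox). Note that this is a client-side convenience, not a network control: anyone who can edit the proxy setting can switch it off, and the PAC itself does not validate certificates, so it complements rather than replaces the browser's own TLS checks.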