lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <b800e444-d3ba-d0a5-b8a2-04ffab01128f@ksamuel.de>
Date: Wed, 23 Aug 2023 22:47:50 +0200
From: Konstantin <fulldisclosure@...n.de>
To: fulldisclosure@...lists.org
Subject: [FD] Mozilla Firefox only stores up to 1024 HSTS entries

# VULNERABILITY
Mozilla Firefox only stores up to 1024 HSTS entries.
When the limit is reached, Firefox discards entries based on their age 
and recent visits to the domain in question.

# IMPACT
The HSTS header ensures that once a page has been visited, the browser 
will attempt to connect to it using HTTPS.
The limit means that Firefox effectively does not store any further HSTS 
headers, as new ones permanently override each other.
Sites without HSTS protection are vulnerable to machine-in-the-middle 
attacks, especially downgrade attacks such as SSL Stripping.

# MORE
To find out if you are affected, check the number of HSTS entries:
* Linux: `wc -l ~/.mozilla/firefox/{profile}/SiteSecurityServiceState.txt`
* Windows: `find /c /v " " 
".\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}\SiteSecurityServiceState.txt"`

This behavior was first reported by Sheila Ayelen Berta and Sergio De 
Los Santos at Black Hat Europe 2017.
I filed a bug report in February 2023 that is currently being worked on.

# REFERENCES
* Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1818984
* Mastodon thread: https://infosec.exchange/@kpwn/110010433703922665
* Blog post: 
https://kpwn.de/2023/03/http-strict-transport-security/#1-the-limited-number-of-hsts-entries
* Black Hat Europe 2017: Breaking Out HSTS (and HPKP) On Firefox, 
IE/Edge and (Possibly) Chrome
   * Slides: 
https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf
   * Talk: https://www.youtube.com/watch?v=dPnU9_pXJ5k
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ