DEV Community

Discussion on: The Meltdown of the Web.

defel

The attack here is a quick and dirty hack that doesn't even work against all private networks, but it shows pretty well what is at stake.

And it's really just one of the possible attacks!

Can you provide a proof-of-concept? I read the linked articles but I'm unable to follow your logic.

Giacomo Tesio • Edited

You can find a quick & dirty PoC here
(very quick, it took a few minutes to write)
It shows how to discover the TCP ports open on your PC despite it being behind a firewall and a proxy. It was rapidly tested on a few networks (professionally configured by senior sysadmins) and it worked fine, but it doesn't work everywhere.

Rain1 has built a nicer exploit that leaks your private network topology here.

With a similar timing attack against the cache, you can discover if a user visited a certain 3rd party page, deducing his sexual tastes or his political orientation despite CORS, sandboxing and all the other stuff that Mozilla set up to "protect users' privacy".

The problem is that the number of exploits is potentially unbounded; it would take too much time to write them all. But if you know a little about web development, it's pretty fun to invent new ones!
Just please, add them to the bug report for future reference.

And remember: the web site or CDN can serve this malicious JS to a single person and then override it thanks to Cache-Control, leaving no evidence of the attack.

The best security door cannot protect a house without walls.

defel

Ok, it seems that we have different understandings of the terms attack and exploit.

First PoC: Updating my /etc/hosts to allow a bad script to do bad things? Nope.

Second PoC: Just did not get it working.

Yes, there were several cases in the past. Get the link color of visited links in CSS, using CSS3 transparency to get your Facebook profile name ... just to name a few.

All of them were handled as serious bugs and got fixed fast.

So, if you have a bug and you can demonstrate it, nice. If you want to discuss things, then I guess this is the right place.

After writing this: I still have a different opinion on this topic and think it's wrong to blame Mozilla. They have often proved in the past that they value privacy and security.

Giacomo Tesio • Edited

First PoC: Updating my /etc/hosts to allow a bad script to do bad things? Nope.

Yes, we have very different understandings of network security.

Do you know what DNS rebinding is?

I hope Mozilla knows about them.
Actually I hope Mozilla developers can deduce at least all the attacks I can conceive from the description I wrote in the bug report.

Second PoC: Just did not get it working.

The fact that it does not work on your specific machine/network doesn't mean much.

It's a proof-of-concept. It works. Tweak it a little.

Rain1 even explained carefully how it works.

After writing this: I still have a different opinion on this topic and think it's wrong to blame Mozilla. They have often proved in the past that they value privacy and security.

As I wrote in the thread suggested by Mozilla to discuss the issue (now censored on Lobste.rs) I used to trust them too.

But I do not trust them anymore. That's just empty marketing.

To prove me wrong, to prove they deserve the trust of their users, there's just one thing they have to do: tell everybody the answer to this question:

Are Firefox users vulnerable to the wide class of attacks described in that bug report?

People deserve the same answer from Google, Microsoft and Apple, but at least they do not blether that they care about users' privacy.

Arne Babenhauserheide • Edited

Exactly this vulnerability is why we try to get Freenet users to use Freenet as a proxy with a random local IP (127.x.y.z) and port.

That way an attacker needs roughly 200 billion requests on average to find the local service (using only 5001..32000 as ports, because they are sure not to be ephemeral).

See d6.gnutella2.info/freenet/USK@sUm3...
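As an added illustration of the search-space argument in the comment above (my own code, not Freenet's and not from the thread), this snippet computes how many address/port pairs a scanner would have to distinguish and picks a random loopback endpoint the way the comment describes. The 127.0.0.0/8 block and the 5001..32000 port window are taken from the comment; `is_guessable` and its rule are my own assumption.

```python
import ipaddress
import random

# Figures from the comment: the whole loopback block 127.0.0.0/8 and ports
# 5001..32000 (above the privileged range, below the usual ephemeral range).
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PORT_LO, PORT_HI = 5001, 32000


def search_space(network=LOOPBACK, port_lo=PORT_LO, port_hi=PORT_HI):
    """Number of (address, port) pairs a scanner has to tell apart."""
    return network.num_addresses * (port_hi - port_lo + 1)


def expected_probes(network=LOOPBACK, port_lo=PORT_LO, port_hi=PORT_HI):
    """Mean number of probes until one uniformly chosen endpoint is hit when
    each pair is tried once in random order: (N + 1) / 2.  With the values
    above this is about 2.26e11, the "roughly 200 billion" of the comment."""
    return (search_space(network, port_lo, port_hi) + 1) / 2


def random_endpoint(network=LOOPBACK, port_lo=PORT_LO, port_hi=PORT_HI,
                    rng=random.SystemRandom()):
    """Pick a random 127.x.y.z address and port with a CSPRNG.  On Linux the
    whole 127/8 block is routed to the loopback interface, so a local service
    can bind to the returned address directly (other OSes may need an alias)."""
    addr = network[rng.randrange(network.num_addresses)]
    port = rng.randint(port_lo, port_hi)
    return str(addr), port


def is_guessable(addr, port):
    """Hypothetical configuration check (my own rule, not Freenet's): an
    endpoint on the universal default 127.0.0.1, or on a port outside the
    window, leaves the scanner a tiny search space and defeats the idea."""
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.ip_address("127.0.0.1") or not (PORT_LO <= port <= PORT_HI)


if __name__ == "__main__":
    print("pairs to search:", search_space())
    print("expected probes:", expected_probes())
    print("random endpoint:", random_endpoint())
```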