The Meltdown of the Web.
Giacomo Tesio Sep 3 Updated on Sep 13, 2018
A programmer that has learned how to program from a weird group of people whose core value is curiosity: the hackers.
So when I see a security hole affecting in various ways billions of people, I behave like a programmer. I try to fix it... or get it fixed. As soon as possible.
So a mounth ago, I wrote an article explaining how the Web is still a DARPA weapon (that sometimes backfire, as the Russiagate shows).
There I describe two dangerous flawns of the Internet and the Web.
Thus I spent two hours to write a detailed bug report, but it was soon closed (without saying if the Firefox users are vulnerable to such attacks or not), because
Bugzilla is not a discussion forum.
On the suggested Lobste.rs thread (cached here), I asked if Firefox users are vulnerable to such wide class of attacks (several times) without getting a response.
Still, no response to such a simple question. Are Firefox users vulnerable?
When I reported the same issue to Chromium team, it was closed in less than ten minutes with the same tone:
Filing a bug here isn't the way to change web standards no matter how you feel about them.
It worth noticing here that both Mozilla and Google are WHATWG members and they write the Living Standards that we are talking about. Living Standards that basically follow the implementations.
To my money, this means that you have to fix the implementations to fix the standard... but remember, I'm just a programmer!
this is the Web functioning as designed
I want you to see what the Web is designed for.
PoC of one of the many possible exploits (bypassing corporate firewalls)
Please add a temporary line to your C:\Windows\System32\drivers\etc\hosts containing
This mimic the control of a DNS from the attacker.
Then try this simple JSFiddle with a WHATWG browser.
You can change the port number at line 21 to test for any port on your PC.
You can change the IP in /etc/host to probe other machines on your LAN.
JSFiddle (the fictional attacker) has just bypassed your corporate firewall/proxy.
Everything is broken.
This is just one of the uncountably many attacks you can do this way.
I could go on hours inventing more attacks. And you should be able too.
As explained in the bug report, you can target a specific person or group.
Even over a CDN (thus through a third party site that the victim trusts).
And then you can reload an harmless script from the same url, rewriting the cache copy and removing all evidences of the attack.
It's really just a matter of compentence and fantasy.
How can we fix it?
As I explained in the bug report, the technical solution is basically to
- make users opt-in to program executions on a per-website basis
- threat such programs as potentially dangerous
You can read a simple recap with details here.
However, what you can see here is how deeply the Web is broken.
This is about people.