Full Disclosure mailing list archives
Re: Chrome and Safari users open to stealth HTML5 Application Cache attack
From: Dan Kaminsky <dan () doxpara com>
Date: Tue, 29 Jun 2010 02:18:41 +0200
On Tue, Jun 29, 2010 at 12:41 AM, Chris Evans <scarybeasts () gmail com> wrote:
On Mon, Jun 28, 2010 at 1:30 PM, Dan Kaminsky <dan () doxpara com> wrote:In summary, any http hit on an insecure network is dangerous on all browsers. (FWIW, Chromium resolves this for me. When I type mail<enter> into the omnibar, it auto-completes to https://mail.google.com/)Actually, I see this as a legitimate gap. HTTP links don't cache-mixwithHTTPS links, and cookies can have server-side integrity checking topreventHTTP pollution (lets not talk about the secure tag for cookies), but ifitis indeed the case that there is no way to have a HTTPS-exclusive Application Cache, then that is a feature killing bug that's been legitimately called out.Eh? Lava's attack poisons a plain HTTP resource. As per "regular" caching, Application Cache is supposed to separate the effects of HTTP and HTTPS responses.
== On unsecured networks, attackers could stealthily create malicious Application Caches in the browser of victims for even HTTPS sites. It has always been possible to poison the browser cache and compromise the victim's account for HTTP based sites. With HTML5 Application Cache, it is possible to poison the cache of even HTTPS sites. == Is it agreed that if the above is true -- meaning, separation doesn't actually exist -- then there's a bug?
Cheers Chris--Dan
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Chrome and Safari users open to stealth HTML5 Application Cache attack Lavakumar Kuppan (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Chris Evans (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Dan Kaminsky (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Chris Evans (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Dan Kaminsky (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Michal Zalewski (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Lavakumar Kuppan (Jun 29)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Dan Kaminsky (Jun 28)
- Re: Chrome and Safari users open to stealth HTML5 Application Cache attack Chris Evans (Jun 28)