Security issues such as specific security problems or ideas for making the code as a whole more secure can be discussed here

Andrew Manore | 1 Jun 2009 21:07

Picon

S/MIME in Thunderbird

I'm not able to see what encryption algorithms Thunderbird 2.0.x is 
using. From what I've been able to tell (through downloading the 
encrypted message into Microsoft Outlook), Thunderbird is using 3DES 
encryption with SHA-1 hashes.

I'm wondering if there's any way to change the encryption to AES (any 
supported key length) and the hash to SHA-2. I'm also wondering if 
there's a way to verify the form of encryption used. There doesn't seem 
to be any option in the menus, nor any option in the advanced 
configuration editor.

Thanks!

-- Andrew Manore

Brandon Sterne | 23 Jun 2009 01:15

Content Security Policy - Relaxed Restrictions Mode(s)

Some sites have shared the desire to use some features of CSP, but not
all of them at once.  For example, a site may want to utilize the
content loading features of CSP to help prevent data exfiltration, but
they may not want to be subject to the JavaScript restrictions which are
enabled by default (no inline script, no eval, etc.).

We have made two additions to the spec that we think will address these
needs:

1. Sites can opt-out of "no inline scripts" by adding the "inline"
keyword to their script-src directive.
2. Sites can opt-out of "no code from strings" by adding the "eval"
keyword to their script-src directive.

These additions may enable some sites, who would otherwise be deterred
by the JS restrictions, to adopt CSP in a limited fashion early, and
later do a full implementation as resources permit.

Cheers,
Brandon

Serge van den Boom | 23 Jun 2009 15:13

Picon

XSRF via CSP policy-uri

Hi,

If I'm not mistaken, there is a hypothetical situation where CSP can be
used to the benefit of an attacker. Consider the scenario where:
* the website contains a stored header injection vulnerability,
* the website contains a XSRF vulnerability, and
* the web client supports CSP.

To exploit a XSRF vulnerability, an attacker needs some way to direct
the web client to the vulnerable URL. This usually requires a social
engineering attack or a XSS vulnerability. A (stored) header injection
vulnerability is generally not enough.

However, by injecting an X-Content-Security-Policy header with the
policy-uri set to the vulnerable URL, the web client can be tricked into
visiting the vulnerable URL.

In practice, this scenario will not often occur, as stored header
injections are rare. And when it does occur, often also easier to
execute attacks are conceivable. Still, there is a small risk.

A solution to this problem would be to require the policy document to
have a fixed location on the website, instead of allowing it to be
specified through a URI.

Regards,

Serge

Bil Corry | 23 Jun 2009 22:25

Re: XSRF via CSP policy-uri

Serge van den Boom wrote on 6/23/2009 8:13 AM: 
> However, by injecting an X-Content-Security-Policy header with the
> policy-uri set to the vulnerable URL, the web client can be tricked into
> visiting the vulnerable URL.

It would only work for those pages where a X-Content-Security-Policy header has not already been set --
additional X-Content-Security-Policy headers are ignored.  But beyond that, the proposed "Link"
header would provide the same attack surface, and can not be restricted to a known URI:

	http://www.ietf.org/internet-drafts/draft-nottingham-http-link-header-05.txt

Given that, I suggest keeping the CSP specification as-is.

- Bil

Serge van den Boom | 23 Jun 2009 22:48

Picon

Re: XSRF via CSP policy-uri

On 2009-06-23, Bil Corry <bil <at> corry.biz> wrote:
> Serge van den Boom wrote on 6/23/2009 8:13 AM: 
>> However, by injecting an X-Content-Security-Policy header with the
>> policy-uri set to the vulnerable URL, the web client can be tricked into
>> visiting the vulnerable URL.
>
> It would only work for those pages where a X-Content-Security-Policy
> header has not already been set -- additional
> X-Content-Security-Policy headers are ignored.

The injected header could be the first one though, with the genuine
header being ignored.

> But beyond that, the proposed "Link" header would provide the same
> attack surface, and can not be restricted to a known URI:

I was not familiar with that proposal, but skimming through it, it
appears that these links are not resolved automatically, making this
header less interesting for attackers. The same goes for the standard
"Content-Location" header.

Serge

Bil Corry | 23 Jun 2009 23:41

Re: XSRF via CSP policy-uri

Serge van den Boom wrote on 6/23/2009 3:48 PM: 
> On 2009-06-23, Bil Corry <bil <at> corry.biz> wrote:
>> Serge van den Boom wrote on 6/23/2009 8:13 AM: 
>>> However, by injecting an X-Content-Security-Policy header with the
>>> policy-uri set to the vulnerable URL, the web client can be tricked into
>>> visiting the vulnerable URL.
>> It would only work for those pages where a X-Content-Security-Policy
>> header has not already been set -- additional
>> X-Content-Security-Policy headers are ignored.
> 
> The injected header could be the first one though, with the genuine
> header being ignored.

True, but the attacker could simply split the header and issue a redirect to any page they desire and skip
trying to exploit CSP entirely.

>> But beyond that, the proposed "Link" header would provide the same
>> attack surface, and can not be restricted to a known URI:
> 
> I was not familiar with that proposal, but skimming through it, it
> appears that these links are not resolved automatically, making this
> header less interesting for attackers. The same goes for the standard
> "Content-Location" header.

Section 5 indicates it's "semantically equivalent to the <LINK> element in HTML" -- so presumably that
means the browser will retrieve a stylesheet specified by the header before rendering the page.

- Bil

Serge van den Boom | 24 Jun 2009 11:08

Picon

Re: XSRF via CSP policy-uri

On 2009-06-23, Bil Corry <bil <at> corry.biz> wrote:
> Serge van den Boom wrote on 6/23/2009 3:48 PM: 
>> On 2009-06-23, Bil Corry <bil <at> corry.biz> wrote:
>>> Serge van den Boom wrote on 6/23/2009 8:13 AM: 
>>>> However, by injecting an X-Content-Security-Policy header with the
>>>> policy-uri set to the vulnerable URL, the web client can be tricked
>>>> into visiting the vulnerable URL.
>>> It would only work for those pages where a X-Content-Security-Policy
>>> header has not already been set -- additional
>>> X-Content-Security-Policy headers are ignored.
>> 
>> The injected header could be the first one though, with the genuine
>> header being ignored.
>
> True, but the attacker could simply split the header and issue a
> redirect to any page they desire and skip trying to exploit CSP
> entirely.

If you are thinking of adding a Location header: that shouldn't have any
effect unless you have a 3xx status code, which you can't influence with
a header injection.
However, the attacker could end the header in their injection, and add a
body of their own -- this was in fact what I was thinking of when I
wrote "when it does occur, often also easier to execute attacks are
conceivable." in my original posting. But it is conceivable that the
header injection vulnerability only allows for the insertion of a small
number of characters. In this case, CSP does actually make an exploit
possible which wasn't otherwise realizable.

Though I agree that the likelihood of these circumstances occurring in

(Continue reading)

Brandon Sterne | 24 Jun 2009 19:31

Re: XSRF via CSP policy-uri

Serge van den Boom wrote:
> Hi,
> 
> If I'm not mistaken, there is a hypothetical situation where CSP can be
> used to the benefit of an attacker. Consider the scenario where:
> * the website contains a stored header injection vulnerability,
> * the website contains a XSRF vulnerability, and
> * the web client supports CSP.

So the premise is that the site already has a CSRF vuln and a header
injection vuln, and Content Security Policy provides a new way for an
attacker to forge a request from the victim to the target site.

> To exploit a XSRF vulnerability, an attacker needs some way to direct
> the web client to the vulnerable URL. This usually requires a social
> engineering attack or a XSS vulnerability. A (stored) header injection
> vulnerability is generally not enough.
> 
> However, by injecting an X-Content-Security-Policy header with the
> policy-uri set to the vulnerable URL, the web client can be tricked into
> visiting the vulnerable URL.

How did the attacker get the victim to visit the URL with the header
injection vuln in the first place?  If the attacker could get this far,
they could skip the CSP step altogether and have the victim go straight
to the CSRF URL.

Given the numerous ways to initiate a GET to a particular URL, I don't
believe CSP adds any significant new attack surface with the policy-uri
directive.  The attack scenario above also requires massive existing

(Continue reading)

Serge van den Boom | 24 Jun 2009 21:49

Picon

Re: XSRF via CSP policy-uri

On 2009-06-24, Brandon Sterne <bsterne <at> mozilla.com> wrote:
> So the premise is that the site already has a CSRF vuln and a header
> injection vuln, and Content Security Policy provides a new way for an
> attacker to forge a request from the victim to the target site.

Right.

> How did the attacker get the victim to visit the URL with the header
> injection vuln in the first place?  If the attacker could get this far,
> they could skip the CSP step altogether and have the victim go straight
> to the CSRF URL.

The victim doesn't have to visit the URL with the header injection
vulnerability, as I'm talking about a *stored* header injection
vulnerability.

An example:
A web application allows users to submit their own content. With new content,
the user may specify its language from a drop-down box.
When another user views the content, the language is sent along in the
Content-Language header.

Now the developers of the web appliction forgot to add code to check
server-side whether the specified language is valid.
The attacker manipulates the language field of the submission form,
and tries to use it to inject some dangerous URL. But as the
Content-Type header is already set to something harmless, there is no
point in manipulating the body.

But policy-uri to the rescue! The attacker sets the language to "en\n

(Continue reading)

Sid Stamm | 26 Jun 2009 18:44

Content Security Policy discussion (link)

Hi All,

Some discussion about CSP has recently popped up on the mozilla wiki:
https://wiki.mozilla.org/Talk:Security/CSP/Spec

I'm posting the link here in case anyone interested hasn't seen it yet. 
  Comments are welcomed (both here and there).

Cheers,
Sid

Group

gmane.comp.mozilla.security.

Search Archive

Page

1 | 2

Articles in period: 19

June 2009

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Get the finished message of TLS handshake (14 May 2013)
It's time to remove plugin support from Firefox mobile (13 May 2013)
Removal of "Revocation Lists" feature (Options -> Advanced -> Revocati (11 May 2013)
It's time to remove plugin support from Firefox mobile (10 May 2013)
Removal of "Revocation Lists" feature (Options -> Advanced -> Revocati (1 May 2013)
OCSP Stapling w/ Delegated Signers (27 Apr 2013)
Safebrowsing (22 Apr 2013)
Orangfuzz – an experimental user interaction fuzzer for Firefox OS (17 Apr 2013)
Firefox behavior with CDPs and AIAs (12 Apr 2013)
Firefox behavior with CDPs and AIAs (11 Apr 2013)
Warnings about non-default certs in Private Browsing Mode? (7 Apr 2013)
Building NSS failed on both Ubuntu 12.04 and Linux Mint 14 (6 Apr 2013)
Content Type Dependencies (6 Apr 2013)
Calling function from nsIContentSecurityPolicy.idl (6 Apr 2013)
Proposal: tougher CA standards in "private browsing" mode. (4 Apr 2013)
Confusion about abstract strings (4 Apr 2013)
Case sensitivity in FF (4 Apr 2013)
Proposal: tougher CA standards in "private browsing" mode. (4 Apr 2013)
Biggest Fake Conference in Computer Science (3 Apr 2013)
Advanced Image Gallery DW Extension (1 Apr 2013)
kids nude, hidden cams on nude kids, little kids nude (31 Mar 2013)

Archives

7	May 2013
54	April 2013
26	March 2013
17	February 2013
14	January 2013
6	December 2012
19	November 2012
10	October 2012
7	September 2012
42	August 2012
25	July 2012
96	June 2012
35	May 2012
239	April 2012
332	March 2012
20	February 2012
13	January 2012
1	December 2011
4	October 2011
27	September 2011
14	August 2011
10	July 2011
12	June 2011
9	May 2011
37	April 2011
21	March 2011
6	February 2011
3	January 2011
26	December 2010
3	November 2010
3	October 2010
10	September 2010
9	August 2010
4	July 2010
22	June 2010
4	May 2010
11	April 2010
40	March 2010
50	February 2010
9	January 2010
15	December 2009
94	November 2009
122	October 2009
3	September 2009
42	August 2009
88	July 2009
16	June 2009
9	May 2009
54	April 2009
30	March 2009
36	February 2009
27	January 2009
40	December 2008
26	November 2008
13	October 2008
43	September 2008
27	August 2008
47	July 2008
60	June 2008
20	May 2008
23	April 2008
14	March 2008
25	February 2008
31	January 2008
13	December 2007
9	November 2007
8	October 2007
24	September 2007
17	August 2007
15	July 2007
14	June 2007
44	May 2007
41	April 2007
87	March 2007
266	February 2007
47	January 2007
11	December 2006
203	November 2006
20	October 2006
10	September 2006
23	August 2006
32	July 2006
8	June 2006
6	May 2006
4	April 2006
3	March 2006
7	January 2006
12	December 2005
11	November 2005
3	October 2005
8	September 2005
46	August 2005
18	July 2005
165	June 2005
205	May 2005
196	April 2005
312	March 2005
219	February 2005
21	January 2005
55	December 2004
15	November 2004
30	October 2004
35	September 2004
40	August 2004
54	July 2004
51	June 2004
29	May 2004
49	April 2004
42	March 2004
31	February 2004
34	January 2004
30	December 2003
91	November 2003
24	October 2003
40	September 2003
58	August 2003
30	July 2003
27	June 2003
29	May 2003
27	April 2003
25	March 2003
31	February 2003
18	January 2003
36	December 2002
46	November 2002
38	October 2002
37	September 2002
26	August 2002
28	July 2002
19	June 2002
37	May 2002
41	April 2002
1	February 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template