[Pkg-chromium-maint] Bug#885989: chromium: MitM-ed TLS sites are being recognized as secure even though they are not

TemTem temtem at protonmail.ch
Mon Jan 1 10:45:46 UTC 2018


Package: chromium
Version: 63.0.3239.84-1~deb9u1
Severity: grave
Tags: upstream security
Justification: user security hole

Inspired by bug 831835 (iceweasel: Padlock icon indicates a secure SSL connection established w	MitM-ed).

Dear Maintainer,

A large portion of websites are being (willingly) attacked by men-in-the-middle (MitM) such as Cloudflare. Chromium aims to provide a SAFER web browsing experience, but it fails to do that by not preventing users from being attacked by a MitM. TLS is designed to protect against MitM attacks by providing an end-to-end encrypted connection between the client and the server. Cloudflare and other similar services undermine TLS by decrypting the connection, which is a very grave security and privacy concern, especially for Tor users. If passwords are entered on a site pwned by such a service, whether you are using TLS or not, the password (and any other sensitive data) would be known by an unintended third party.

An example of a MitM-ed (and TLS encrypted) site is bitcoin.de. (Don't visit it if you don't want to be pwned).

The chromium package (and hopefully the upstream version) must be patched against these attacks ASAP.

So how will this be fixed? Display a "Your connection is not private/secure" warning when visiting a MitM-ed site like the above example.

How can Chromium know that the user is visiting a MitM-ed site? Let's look at Cloudflare. Cloudflare uses a "cf-ray:" HTTP header. Similar services probably have a header similar to the "cf-ray:" header too. Use those headers and whatever else will identify that the site is pwned.

Why is this not reported upstream? Because to implement an anti-DDoS service, you have to use CAPTCHAs. Cloudflare uses Google's reCAPTCHA, and most of the MitM-ed sites are attacked because of Cloudflare. Furthermore, Cloudflare is backed by Google. It is almost impossible that Google will be okay with marking such sites as insecure.

I am expecting an affirmative pong to this.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_PH.utf8, LC_CTYPE=en_PH.utf8 (charmap=UTF-8), LANGUAGE=en_PH:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  libasound2           1.1.3-5
ii  libatk1.0-0          2.22.0-1
ii  libavcodec57         7:3.2.9-1~deb9u1
ii  libavformat57        7:3.2.9-1~deb9u1
ii  libavutil55          7:3.2.9-1~deb9u1
ii  libc6                2.24-11+deb9u1
ii  libcairo2            1.14.8-1
ii  libcups2             2.2.1-8
ii  libdbus-1-3          1.10.24-0+deb9u1
ii  libevent-2.0-5       2.0.21-stable-3
ii  libexpat1            2.2.0-2+deb9u1
ii  libflac8             1.3.2-1
ii  libfontconfig1       2.11.0-6.7+b1
ii  libfreetype6         2.6.3-3.2
ii  libgcc1              1:6.3.0-18
ii  libgdk-pixbuf2.0-0   2.36.5-2+deb9u1
ii  libglib2.0-0         2.50.3-2
ii  libgtk2.0-0          2.24.31-2
ii  libicu57             57.1-6+deb9u1
ii  libjpeg62-turbo      1:1.5.1-2
ii  libminizip1          1.1-8+b1
ii  libnspr4             2:4.12-6
ii  libnss3              2:3.26.2-1.1+deb9u1
ii  libopus0             1.2~alpha2-1
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libpng16-16          1.6.28-1
ii  libpulse0            10.0-1+deb9u1
ii  libre2-3             20170101+dfsg-1
ii  libsnappy1v5         1.1.3-3
ii  libstdc++6           6.3.0-18
ii  libvpx4              1.6.1-3
ii  libwebp6             0.5.2-1
ii  libwebpdemux2        0.5.2-1
ii  libwebpmux2          0.5.2-1
ii  libx11-6             2:1.6.4-3
ii  libx11-xcb1          2:1.6.4-3
ii  libxcb1              1.12-1
ii  libxcomposite1       1:0.4.4-2
ii  libxcursor1          1:1.1.14-1+deb9u1
ii  libxdamage1          1:1.1.4-2+b3
ii  libxext6             2:1.3.3-1+b2
ii  libxfixes3           1:5.0.3-1
ii  libxi6               2:1.7.9-1
ii  libxml2              2.9.4+dfsg1-2.2+deb9u1
ii  libxrandr2           2:1.5.1-1
ii  libxrender1          1:0.9.10-1
ii  libxslt1.1           1.1.29-2.1
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.3-1
ii  x11-utils            7.7+3+b1
ii  xdg-utils            1.1.1-1
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages chromium recommends:
ii  fonts-liberation  1:1.07.4-2

Versions of packages chromium suggests:
pn  chromium-driver    <none>
pn  chromium-l10n      <none>
pn  chromium-shell     <none>
pn  chromium-widevine  <none>

-- no debconf information
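The header heuristic the report proposes, written out as an added example (not code from the bug report, from Chromium or from Cloudflare): parse an HTTP response head and list the evidence that a TLS-terminating proxy handled it. Only "cf-ray" comes from the report; the "cf-cache-status" and "Server: cloudflare" indicators and the sample responses are assumptions constructed here.

```python
# Added example, not part of the bug report: flag HTTP responses whose headers
# suggest a TLS-terminating reverse proxy such as Cloudflare, the heuristic the
# report proposes. Header names are matched case-insensitively because HTTP
# header names are case-insensitive ("CF-RAY" and "cf-ray" are the same header).
from typing import Dict, List, Tuple

# Constructed indicator table: header name -> what its presence suggests.
# Only "cf-ray" is from the report; "cf-cache-status" is an assumption added here.
INTERMEDIARY_HEADERS = {
    "cf-ray": "Cloudflare request id (cf-ray)",
    "cf-cache-status": "Cloudflare cache header",
}


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Parse an HTTP/1.x response head into (status_line, headers).

    Header names are lower-cased; repeated headers are collected in a list.
    Parsing stops at the first blank line, so the body is never inspected.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    status_line = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line: ignore it rather than abort
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def intermediary_evidence(raw: str) -> List[str]:
    """Return human-readable reasons to believe a TLS-terminating proxy handled
    this response. An empty list means no evidence was found, which does not
    prove there is none: a proxy can simply strip the headers it adds."""
    _, headers = parse_response_headers(raw)
    reasons = []
    for name, why in INTERMEDIARY_HEADERS.items():
        if name in headers:
            reasons.append(f"{why}: {headers[name][0]}")
    server_values = [v.lower() for v in headers.get("server", [])]
    if any("cloudflare" in v for v in server_values):
        reasons.append("Server header names cloudflare")
    return reasons


# Constructed sample responses; the cf-ray value is made up for this example.
PROXIED = "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0123456789abcdef-FRA\r\n\r\n<html>"
DIRECT = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
```

A warning UI driven by this check would catch only proxies that announce themselves; it says nothing about a proxy that leaves no header behind, so it is a heuristic, not proof of end-to-end TLS.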