Bug#831835: iceweasel: Padlock icon indicates a secure SSL connection established w MitM-ed

Anonymous anonymous at foto.nl1.torservers.net
Tue Jul 19 21:13:29 UTC 2016


Package: iceweasel
Version: 38.8.0esr-1~deb8u1
Severity: important

Dear Maintainer,

A large portion of websites are being MitM'd (man-in-the-middle) by a
company that is centralizing the web (CloudFlare).  Firefox misleads
users by showing them a padlock icon stating (falsely) that the
connection is secure.  Users are led to believe that they have a
secure end-to-end tunnel to the service named in the address bar.
However, they (unwittingly) have a tunnel to CloudFlare, who sees all
the traffic before it reaches the destination.

This means very sensitive data is being disclosed to CloudFlare
without the knowledge or consent of (misled) Firefox users.  The
*only* way for a user to know of this MitM (using Firefox) is if they
hit F12 and inspect the HTTP response headers for a "cf-ray:" header.
Most users are not advanced enough to do that.

This security bug is serious.  To illustrate the gravity of the
problem, here are some bitcoin sites that share all traffic with
CloudFlare, of which their exposed users are largely unaware:

 * bitcoin.de
 * bitcoin.it
 * bitcoinist.net
 * bitpay.com
 * biteasy.com
 * localbitcoins.com
 * seebitcoin.com

This means those sites (or a disgruntled insider therein) could steal
money from clients, and CloudFlare could be blamed.  Or a CloudFlare
insider could do the same, and blame the service.

All usernames and passwords are being exposed to CloudFlare without
users' knowledge or consent.  Many naive users re-use the same
credentials on many websites.

This bug report should be treated with very high priority!

Why this is reported as a Debian package bug:

  The submitter understands that this bug should be reported upstream.
  However, that was tried.  Mozilla's bug database is hostile toward
  security-conscious users.  Mozilla forces e-mail address submission,
  then it blocks when the address is not from a provider of their
  liking.

  Mozilla claims github logins can be used, but then after the user
  exposes github creds Mozilla denies access if the associated address
  is not to their liking.

  Bug report submitters are not getting paid.  It's charity work.
  It's despicable that Mozilla expects charity workers to do more work
  for them than technically required.

  Therefore, this report is submitted to the Debian package, because
  the Debian project has figured out how to collect bug reports from
  contributors, and all the hoops on Mozilla's upstream server were
  too exhausting.  Hopefully someone with an existing upstream account
  can mirror this report.  And I would appreciate it if this section
  is maintained.

  Thanks.

-- Package-specific info:

-- Extensions information
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

-- Addons package information
ii  gnome-shell    3.14.4-1~deb amd64        graphical shell for the GNOME des
ii  icedtea-7-plug 1.5.3-1      amd64        web browser plugin based on OpenJ
ii  iceweasel      38.8.0esr-1~ amd64        Web browser based on Firefox
ii  rhythmbox-plug 3.1-1        amd64        plugins for rhythmbox music playe

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-18+deb8u4
ii  libcairo2                 1.14.0-2.1+deb8u1
ii  libdbus-1-3               1.8.20-0+deb8u1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-3+deb8u1
ii  libgcc1                   1:4.9.2-10
ii  libgdk-pixbuf2.0-0        2.31.1-2+deb8u5
ii  libglib2.0-0              2.42.1-1+b1
ii  libgtk2.0-0               2.24.25-3+deb8u1
ii  libhunspell-1.3-0         1.3.3-3
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.7.1-1+deb8u1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libx11-6                  2:1.6.2-3
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.4-2

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
ii  fonts-stix [otf-stix]  1.1.1-1
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
pn  mozplugger             <none>

-- no debconf information
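The report says the only way to notice the CloudFlare reverse proxy from Firefox is to open the developer tools and look for a "cf-ray:" response header. The following script, added here as an editor's example and not part of the bug report or of iceweasel, performs that same header check outside the browser: it parses a raw HTTP response (constructed sample data, not captured from any real site) and can optionally send a HEAD request to a host you name; the `check_host` helper and the sample ray-id value are assumptions for illustration.

```python
"""Detect whether an HTTPS response was served through Cloudflare's
reverse proxy by looking for the "cf-ray" response header, the same
indicator the bug report has the user look for under F12."""
import http.client
from typing import Dict, Optional


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a dict.

    Header names are case-insensitive in HTTP, so keys are lower-cased.
    Only the status line and headers are read; the body after the blank
    line is ignored. Repeated headers are joined with ", ".
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def cloudflare_ray_id(headers: Dict[str, str]) -> Optional[str]:
    """Return the cf-ray value when present, i.e. TLS was terminated at
    Cloudflare's edge rather than end-to-end at the origin; else None."""
    return headers.get("cf-ray")


def check_host(host: str, timeout: float = 10.0) -> Optional[str]:
    """Live variant (hypothetical helper, needs network): HEAD / over TLS
    and apply the same header check to the real response."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return cloudflare_ray_id({k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()


# Constructed sample responses; the ray id is a made-up placeholder.
PROXIED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"CF-RAY: 0123456789abcdef-AMS\r\n\r\n<html>...</html>")
DIRECT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Server: nginx\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for label, raw in (("proxied", PROXIED), ("direct", DIRECT)):
        ray = cloudflare_ray_id(parse_response_headers(raw))
        print(f"{label}: cf-ray={ray}" if ray else f"{label}: no cf-ray header")
```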
