Debian Bug report logs -
#831835
iceweasel: Padlock icon indicates a secure SSL connection established w MitM-ed
Report forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#831835; Package iceweasel.
(Wed, 20 Jul 2016 00:45:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Anonymous <anonymous@foto.nl1.torservers.net>:
New Bug report received and forwarded. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Wed, 20 Jul 2016 00:45:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: iceweasel
Version: 38.8.0esr-1~deb8u1
Severity: important
Dear Maintainer,
A large portion of websites are being MitM'd (man-in-the-middle) by a
company that is centralizing the web (CloudFlare). Firefox misleads
users by showing them a padlock icon stating (falsely) that the
connection is secure. Users are led to believe that they have a
secure end-to-end tunnel to the service named in the address bar.
However, they (unwittingly) have a tunnel to CloudFlare, who sees all
the traffic before it reaches the destination.
This means very sensitive data is being disclosed to CloudFlare
without the knowledge or consent of (misled) Firefox users. The
*only* way for a user to know of this MitM (using Firefox) is if they
hit F12 and inspect the HTTP response headers for a "cf-ray:" header.
Most users are not advanced enough to do that.
This security bug is serious. To illustrate the gravity of the
problem, here are some bitcoin sites that share all traffic with Cloudflare,
of which their exposed users are largely unaware:
* bitcoin.de
* bitcoin.it
* bitcoinist.net
* bitpay.com
* biteasy.com
* localbitcoins.com
* seebitcoin.com
This means those sites (or a disgruntled insider therein) could steal
money from clients, and CloudFlare could be blamed. Or a CloudFlare
insider could do the same, and blame the service.
All usernames and passwords are being exposed to CloudFlare without
users' knowledge or consent. Many naive users re-use the same
credentials on many websites.
This bug report should be treated with very high priority!
Why this is reported as a debian package bug:
The submitter understands that this bug should be reported upstream.
However, that was tried. Mozilla's bug database is hostile toward
security-conscious users. Mozilla forces e-mail address submission,
then it blocks when the address is not from a provider of their
liking.
Mozilla claims github logins can be used, but then after the user
exposes github creds Mozilla denies access if the associated address
is not to their liking.
Bug report submitters are not getting paid. It's charity work.
It's despicable that Mozilla expects charity workers to do more work
for them than technically required.
Therefore, this report is submitted to the debian package, because
the Debian project has figured out how to collect bug reports from
contributors, and all the hoops on Mozilla's upstream server were
too exhausting. Hopefully someone with an existing upstream account
can mirror this report. And I would appreciate it if this section
is maintained.
Thanks.
-- Package-specific info:
-- Extensions information
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
-- Addons package information
ii gnome-shell 3.14.4-1~deb amd64 graphical shell for the GNOME des
ii icedtea-7-plug 1.5.3-1 amd64 web browser plugin based on OpenJ
ii iceweasel 38.8.0esr-1~ amd64 Web browser based on Firefox
ii rhythmbox-plug 3.1-1 amd64 plugins for rhythmbox music playe
-- System Information:
Debian Release: 8.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages iceweasel depends on:
ii debianutils 4.4+b1
ii fontconfig 2.11.0-6.3
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18+deb8u4
ii libcairo2 1.14.0-2.1+deb8u1
ii libdbus-1-3 1.8.20-0+deb8u1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-2
ii libffi6 3.1-2+b2
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3+deb8u1
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u5
ii libglib2.0-0 2.42.1-1+b1
ii libgtk2.0-0 2.24.25-3+deb8u1
ii libhunspell-1.3-0 1.3.3-3
ii libpango-1.0-0 1.36.8-3
ii libsqlite3-0 3.8.7.1-1+deb8u1
ii libstartup-notification0 0.12-4
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxrender1 1:0.9.8-1+b1
ii libxt6 1:1.1.4-1+b1
ii procps 2:3.3.9-9
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages iceweasel recommends:
ii gstreamer1.0-libav 1.4.4-2
ii gstreamer1.0-plugins-good 1.4.4-2
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
ii fonts-stix [otf-stix] 1.1.1-1
ii libcanberra0 0.30-2.1
ii libgnomeui-0 2.24.5-3
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2
pn mozplugger <none>
-- no debconf information
Severity set to 'grave' from 'important'
Request was from Nomen Nescio <nobody@dizum.com>
to control@bugs.debian.org.
(Tue, 31 Oct 2017 00:03:05 GMT) (full text, mbox, link).
Added tag(s) security, jessie, and stretch.
Request was from Nomen Nescio <nobody@dizum.com>
to control@bugs.debian.org.
(Tue, 31 Oct 2017 00:03:06 GMT) (full text, mbox, link).
Marked as found in versions 52.4.0.
Request was from Nomen Nescio <nobody@dizum.com>
to control@bugs.debian.org.
(Tue, 31 Oct 2017 00:03:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#831835; Package iceweasel.
(Sun, 19 Nov 2017 06:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to 24351@secmail.pro:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Sun, 19 Nov 2017 06:57:03 GMT) (full text, mbox, link).
Message #16 received at 831835@bugs.debian.org (full text, mbox, reply):
CloudFlare's MITM activity is widely discussed in the Tor Project ticket.
This bug is mentioned on this webpage:
https://trac.torproject.org/projects/tor/ticket/24351
iceweasel should not support MITM, therefore I want you to delist the
Cloudflare certificate from the SSL trust chain.
And also update F-Droid's iceweasel :)
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#831835; Package iceweasel.
(Mon, 11 Dec 2017 22:21:06 GMT) (full text, mbox, link).
Acknowledgement sent
to nullius <nullius@nym.zone>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Mon, 11 Dec 2017 22:21:06 GMT) (full text, mbox, link).
Message #21 received at 831835@bugs.debian.org (full text, mbox, reply):
On 2017-11-18, 24351@secmail.pro wrote:
>CloudFlare's MITM activity is widely discussed in the Tor Project ticket.
>This bug is mentioned on this webpage:
>https://trac.torproject.org/projects/tor/ticket/24351
I am the reporter of that bug, titled "Block Global Active Adversary
Cloudflare". Though this is an issue which has concerned me for years,
I thank the anonymous reporter of this Debian bug for part of my
inspiration.
An anonymous cypherpunk created a Firefox add-on to block Cloudflare:
https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/
I lifted out the code into a Github repository:
https://github.com/nym-zone/block_cloudflare_mitm_fx
Commits are signed with the same PGP key as this e-mail, fingerprint:
0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C
Please note that I have not yet actually tested the code. a.m.o. marks
it as Firefox 53+ only; whereas I exclusively use Tor Browser, based on
Firefox 52. I did glance over the code to see if it looked sane, and
normalized the PNG icons to fix some CRC errors. Beyond that, I deemed
it most important to get the ball rolling with a public repository so
people can hack on it.
Contributions will be much appreciated. As I indicated in the Tor bug
tracker, I hope to see the beginnings of a grassroots community response
to the Cloudflare mass-MITM threat.
nullius@nym.zone
[signature.asc (application/pgp-signature, inline)]
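The manual check the original report describes (inspect the response headers for "cf-ray:") and the add-on approach in the reply above, as an added example that is not code from the bug report, the add-on or the nym-zone repository: a pure header classifier plus, when loaded as a WebExtension, a webRequest listener that warns when a response shows the TLS session ended at Cloudflare rather than at the site named in the address bar. The `Server: cloudflare` hint, the sample responses and all function names are my assumptions, not anything the report states.

```javascript
// Added example, not code from the bug report or the linked add-on.
// The padlock only attests that the TLS peer presented a certificate valid
// for the hostname; it does not say whether that peer is the origin server
// or a CDN such as Cloudflare holding the private key. The report's manual
// check ("cf-ray:" header) is automated here; "Server: cloudflare" is an
// extra hint I assume, not one the report mentions.

const CF_HEADER_NAMES = ["cf-ray"];

// headers: array of {name, value} (the shape browser.webRequest delivers)
// or a plain object. Header names are case-insensitive (RFC 7230), so the
// constructed sample below deliberately uses "CF-RAY".
function cloudflareTerminationEvidence(headers) {
  const list = Array.isArray(headers)
    ? headers
    : Object.entries(headers).map(([name, value]) => ({ name, value }));
  const evidence = [];
  for (const h of list) {
    const name = String(h.name).toLowerCase();
    const value = String(h.value ?? "").trim();
    if (CF_HEADER_NAMES.includes(name) && value.length > 0) {
      evidence.push(`${name}: ${value}`);
    } else if (name === "server" && value.toLowerCase() === "cloudflare") {
      evidence.push(`server: ${value}`);
    }
  }
  return evidence;
}

function isCloudflareTerminated(headers) {
  return cloudflareTerminationEvidence(headers).length > 0;
}

// Constructed sample responses; no site from the report was contacted.
const SAMPLE_CF_RESPONSE = [
  { name: "Content-Type", value: "text/html; charset=utf-8" },
  { name: "CF-RAY", value: "0123456789abcdef-XXX" },
  { name: "Server", value: "cloudflare" },
];
const SAMPLE_DIRECT_RESPONSE = [
  { name: "Content-Type", value: "text/html" },
  { name: "Server", value: "nginx" },
];

// Inside a WebExtension (manifest permissions "webRequest" plus a host
// permission such as "<all_urls>") the same check runs on every response.
// Guarded so the file also runs under Node, where `browser` is undefined.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => {
      const ev = cloudflareTerminationEvidence(details.responseHeaders || []);
      if (ev.length) console.warn(`${details.url}: TLS ended at Cloudflare (${ev.join("; ")})`);
    },
    { urls: ["<all_urls>"] },
    ["responseHeaders"]
  );
} else {
  console.log(isCloudflareTerminated(SAMPLE_CF_RESPONSE), isCloudflareTerminated(SAMPLE_DIRECT_RESPONSE));
}
```

Absence of these headers is not proof of a direct connection: any TLS-terminating proxy with a valid certificate for the hostname gets the same padlock, so the check only detects the one operator whose headers it knows.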
Removed tag(s) stretch and jessie.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Mon, 01 Jan 2018 13:54:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:
Bug#831835; Package iceweasel.
(Tue, 19 Feb 2019 10:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Benedict Bender <Benedict.Bender@wi.uni-potsdam.de>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Tue, 19 Feb 2019 10:27:03 GMT) (full text, mbox, link).
Message #28 received at 831835@bugs.debian.org (full text, mbox, reply):
Dear Sir or Madam,
the University of Potsdam is currently conducting research regarding
coring of extension functionality on digital platforms in the browser
context.
Specifically, we are interested in which _effects result to you as a
developer_ from platform coring, and which measures and
options you have to influence coring activities. The results are of
utmost importance for any developer that contributes extensions to
digital platforms such as Mozilla Firefox or Google Chrome.
PLATFORM CORING is defined as the integration of functionalities
provided by third-party extensions in the platform core, whereby the
core is the browser (platform).
For example, if a new version of a Browser (e.g. Chrome or Firefox) is
released with additional functionality (e.g. security features,
bookmarking features) which were formerly provided by extensions, this
is considered to be platform coring. In a nutshell, functionality
formerly (only) provided through extensions is now available in the
browser itself.
We recognized that you provide an extension called BCMA on the
Marketplace for MOZILLA FIREFOX. Therefore _your thoughts are highly
valuable_ to our study!
Please take FIVE MINUTES TO PARTICIPATE in our survey
at: https://survey.wi.uni-potsdam.de/index.php/738581?token=PoHTPajH&lang=en
Why should you participate in our survey?
* As the ANALYSIS RESULTS PROVIDE VALUABLE INPUT FOR YOUR BUSINESS
we would be happy to provide you those. If you are interested, just
leave your email address during the survey.
* Your valuable input is of great interest for our research. If
there is anything we can do for you please let us know.
If you are interested in our research regarding coring on digital
platforms please feel free to have a look at our recent research paper
[https://aisel.aisnet.org/icis2017/DigitalPlatforms/Presentations/6/]
or contact me.
Thank you very much for your effort with regard to this survey!
Sincerely,
Benedict Bender (Benedict.Bender@wi.uni-potsdam.de)
University of Potsdam
Chair of Business Informatics, esp. processes and systems
August-Bebel-Str. 89
D-14482 Potsdam
GERMANY
----------------------------------------------
Click here to do the survey:
https://survey.wi.uni-potsdam.de/index.php/738581?token=PoHTPajH&lang=en
If you do not want to participate in this survey and don't want to
receive any more invitations please click the following link:
https://survey.wi.uni-potsdam.de/index.php/optout/tokens/738581?langcode=en&token=PoHTPajH
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:
Bug#831835; Package iceweasel.
(Sun, 24 Feb 2019 09:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to outgoingmail@secmail.pro:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Sun, 24 Feb 2019 09:27:03 GMT) (full text, mbox, link).
Message #33 received at 831835@bugs.debian.org (full text, mbox, reply):
If this is not spam and you are serious, please repost it to
https://notabug.org/themusicgod1/cloudflare-tor/
thanks
Added tag(s) jessie and stretch.
Request was from outgoingmail@secmail.pro
to control@bugs.debian.org.
(Sun, 24 Feb 2019 09:30:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:
Bug#831835; Package iceweasel.
(Wed, 27 Feb 2019 13:15:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Benedict Bender <Benedict.Bender@wi.uni-potsdam.de>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Wed, 27 Feb 2019 13:15:08 GMT) (full text, mbox, link).
Message #40 received at 831835@bugs.debian.org (full text, mbox, reply):
Dear Sir or Madam,
Recently we invited you to participate concerning your extension BCMA
for MOZILLA FIREFOX. We note that you have not yet completed the
survey, and wish to remind you that the survey is still available
should you wish to take part:
https://survey.wi.uni-potsdam.de/index.php/738581?token=PoHTPajH&lang=en
The University of Potsdam is currently conducting research regarding
coring of extension functionality on digital platforms in the browser
context.
Specifically, we are interested in which _effects result to you as a
developer_ from platform coring, and which measures and
options you have to influence coring activities. The results are of
utmost importance for any developer that contributes extensions to
digital platforms such as Mozilla Firefox or Google Chrome.
PLATFORM CORING is defined as the integration of functionalities
provided by third-party extensions in the platform core, whereby the
core is the browser (platform).
For example, if a new version of a Browser (e.g. Chrome or Firefox) is
released with additional functionality (e.g. security features,
bookmarking features) which were formerly provided by extensions, this
is considered to be platform coring. In a nutshell, functionality
formerly (only) provided through extensions is now available in the
browser itself.
We recognized that you provide an extension called BCMA on the
Marketplace for MOZILLA FIREFOX. Therefore _your thoughts are highly
valuable_ to our study!
Please take FIVE MINUTES TO PARTICIPATE in our survey
at: https://survey.wi.uni-potsdam.de/index.php/738581?token=PoHTPajH&lang=en
Why should you participate in our survey?
* As the ANALYSIS RESULTS PROVIDE VALUABLE INPUT FOR YOUR BUSINESS
we would be happy to provide you those. If you are interested, just
leave your email address during the survey.
* Your valuable input is of great interest for our research. If
there is anything we can do for you please let us know.
If you are interested in our research regarding coring on digital
platforms please feel free to have a look at our recent research paper
[https://aisel.aisnet.org/icis2017/DigitalPlatforms/Presentations/6/]
or contact me.
Thank you very much for your effort with regard to this survey!
Sincerely,
Benedict Bender (Benedict.Bender@wi.uni-potsdam.de)
----------------------------------------------
Click here to do the survey:
https://survey.wi.uni-potsdam.de/index.php/738581?token=PoHTPajH&lang=en
If you do not want to participate in this survey and don't want to
receive any more invitations please click the following link:
https://survey.wi.uni-potsdam.de/index.php/optout/tokens/738581?langcode=en&token=PoHTPajH
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>:
Bug#831835; Package iceweasel.
(Tue, 20 Oct 2020 18:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Viky Jude <viky@invoke.business>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>.
(Tue, 20 Oct 2020 18:54:03 GMT) (full text, mbox, link).
Message #45 received at 831835@bugs.debian.org (full text, mbox, reply):
I found you on the Mozilla store and wanted to reach out to offer you Bing and Yahoo feeds for your addons or websites you may own.
Our Bing hosted lander which is your search can earn up to $50 per 1000 searches, and our feeds can earn you up to $0.40 a click. It is a premium product by invitation only and can easily be added to your websites or addons.
If this is something you would be interested in, I would be glad to discuss this further with you.
I look forward to hearing from you soon.
Kind Regards
Viky Jude
Business Development Manager
Invoke.Vision
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Nov 2 02:31:41 2021;