Package: chromium
Version: 63.0.3239.84-1~deb9u1
Severity: grave
Tags: upstream security
Justification: user security hole

Inspired by bug 831835 (iceweasel: Padlock icon indicates a secure SSL 
connection established w MitM-ed).

Dear Maintainer,

A large portion of websites are being (willingly) attacked by 
man-in-the-middles (MitM) such as Cloudflare. Chromium aims to provide a SAFER 
web browsing experience, but it fails to do that by not preventing users from 
being attacked by a MitM. TLS is designed to protect against MitM attacks by 
providing an end-to-end encrypted connection between the client and the server. 
Cloudflare and other similar services undermine TLS by decrypting the 
connection, which is a very grave security and privacy concern, especially for 
Tor users. If passwords are entered in such a service-pwned site, whether you 
are using TLS or not, the password (and any other sensitive data) would be 
known by an unintended third party.

An example of a MitM-ed (and TLS encrypted) site is bitcoin.de. (Don't visit it 
if you don't want to be pwned).

The chromium package (and hopefully the upstream version) must be patched 
against these attacks ASAP.

So how will this be fixed? Display a "Your connection is not private/secure" 
warning when visiting a MitM-ed site like the above example.

How can Chromium know that the user is visiting a MitM-ed site? Let's look at 
Cloudflare. Cloudflare uses a "cf-ray:" HTTP header. Similar services probably 
have a similar kind of header to "cf-ray:" too. Use those headers and whatever 
else will identify that the site is pwned.

Why is this not reported upstream? Because to implement an anti-DDoS service, 
you have to use CAPTCHAs. Cloudflare uses Google's reCAPTCHA, and most of the 
MitM-ed sites are attacked because of Cloudflare. Furthermore, Cloudflare is 
backed by Google. It is almost impossible that Google will be okay with marking 
such sites as insecure.

I am expecting an affirmative pong to this.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-4-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_PH.utf8, LC_CTYPE=en_PH.utf8 (charmap=UTF-8), LANGUAGE=en_PH:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  libasound2           1.1.3-5
ii  libatk1.0-0          2.22.0-1
ii  libavcodec57         7:3.2.9-1~deb9u1
ii  libavformat57        7:3.2.9-1~deb9u1
ii  libavutil55          7:3.2.9-1~deb9u1
ii  libc6                2.24-11+deb9u1
ii  libcairo2            1.14.8-1
ii  libcups2             2.2.1-8
ii  libdbus-1-3          1.10.24-0+deb9u1
ii  libevent-2.0-5       2.0.21-stable-3
ii  libexpat1            2.2.0-2+deb9u1
ii  libflac8             1.3.2-1
ii  libfontconfig1       2.11.0-6.7+b1
ii  libfreetype6         2.6.3-3.2
ii  libgcc1              1:6.3.0-18
ii  libgdk-pixbuf2.0-0   2.36.5-2+deb9u1
ii  libglib2.0-0         2.50.3-2
ii  libgtk2.0-0          2.24.31-2
ii  libicu57             57.1-6+deb9u1
ii  libjpeg62-turbo      1:1.5.1-2
ii  libminizip1          1.1-8+b1
ii  libnspr4             2:4.12-6
ii  libnss3              2:3.26.2-1.1+deb9u1
ii  libopus0             1.2~alpha2-1
ii  libpango-1.0-0       1.40.5-1
ii  libpangocairo-1.0-0  1.40.5-1
ii  libpng16-16          1.6.28-1
ii  libpulse0            10.0-1+deb9u1
ii  libre2-3             20170101+dfsg-1
ii  libsnappy1v5         1.1.3-3
ii  libstdc++6           6.3.0-18
ii  libvpx4              1.6.1-3
ii  libwebp6             0.5.2-1
ii  libwebpdemux2        0.5.2-1
ii  libwebpmux2          0.5.2-1
ii  libx11-6             2:1.6.4-3
ii  libx11-xcb1          2:1.6.4-3
ii  libxcb1              1.12-1
ii  libxcomposite1       1:0.4.4-2
ii  libxcursor1          1:1.1.14-1+deb9u1
ii  libxdamage1          1:1.1.4-2+b3
ii  libxext6             2:1.3.3-1+b2
ii  libxfixes3           1:5.0.3-1
ii  libxi6               2:1.7.9-1
ii  libxml2              2.9.4+dfsg1-2.2+deb9u1
ii  libxrandr2           2:1.5.1-1
ii  libxrender1          1:0.9.10-1
ii  libxslt1.1           1.1.29-2.1
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.3-1
ii  x11-utils            7.7+3+b1
ii  xdg-utils            1.1.1-1
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages chromium recommends:
ii  fonts-liberation  1:1.07.4-2

Versions of packages chromium suggests:
pn  chromium-driver    <none>
pn  chromium-l10n      <none>
pn  chromium-shell     <none>
pn  chromium-widevine  <none>

-- no debconf information
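As an added illustration (not code from the bug report, from Debian or from Chromium), the header heuristic the reporter proposes, written as a stand-alone check over a raw HTTP/1.1 response head: the sample responses and the CF-RAY value are constructed, and the check only names Cloudflare because "cf-ray" is the only indicator the report gives. Absence of the header proves nothing, since it is only present when the intermediary chooses to add it.

```javascript
// Added example: the "cf-ray" heuristic from the bug report as a stand-alone
// check. Header names are case-insensitive in HTTP, so they are lowercased.
const PROXY_HEADERS = {
  // Set on responses that passed through Cloudflare's edge, i.e. the TLS
  // session the browser sees terminates at the CDN, not at the origin server.
  "cf-ray": "Cloudflare",
};

// Parse "Status-Line\r\nName: value\r\n...\r\n\r\n" into { status, headers }.
// Only the head (before the first blank line) is read; a body is ignored.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/).filter((l) => l.length > 0);
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 1) continue; // malformed header line, skip it
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers are joined as a comma-separated list (RFC 7230 style).
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { status, headers };
}

// Decide the indicator the UI would show: "secure" when nothing points at a
// TLS-terminating intermediary, otherwise "not-private" with the reason.
// No match is NOT proof of an end-to-end connection; it only means no known
// marker header was present.
function assessConnection(rawHead) {
  const { headers } = parseResponseHead(rawHead);
  for (const [name, service] of Object.entries(PROXY_HEADERS)) {
    if (headers.has(name)) {
      return { indicator: "not-private", reason: `${name} header present`, service };
    }
  }
  return { indicator: "secure", reason: null, service: null };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_DIRECT =
  "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>";
const SAMPLE_CDN =
  "HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0000000000000000-XXX\r\n" +
  "Content-Type: text/html\r\n\r\n<html>";

console.log(assessConnection(SAMPLE_DIRECT).indicator); // secure
console.log(assessConnection(SAMPLE_CDN).indicator);    // not-private
```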
