Vulnerability affects all major browsers
First reports of a vulnerability, apparently discovered by Microsoft at the start of this year, appeared in mid-June. The vulnerability could reportedly be used to carry out man-in-the-middle attacks on HTTPS connections. Mozilla classed the risk as high and released corresponding patches for its browser. It has now become clear that the vulnerability affects many other browsers.
A specially prepared proxy can inject HTML and script code into the context of a secure page. This permits modification of displayed data or, in the case of cookie-based authentication, identity theft. A security advisory from SecurityFocus, modified a few days ago, now cites Chrome, Opera, Safari and Internet Explorer as being affected.
In their paper, Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments, Microsoft employees Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang show that the danger can arise from a malicious proxy which hasn't been rigorously analysed in the past. The paper includes descriptions of a number of tricks for manipulating HTTPS connections.
One problem which affected all browsers is that a proxy's error response is executed in the security context of the page being requested. This allows the Pretty Bad Proxy (PBP) to answer a CONNECT request for https://myBank.com with HTML or script code, which the user's browser executes as if it came from the banking website. Since the browser then allows PBP's script to access the bank website's DOM, a script from PBP could, for example, download and make targeted changes to the real banking website.
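The CONNECT exchange just described, as an added example that is not taken from the article or from the Pretty-Bad-Proxy paper: a constructed hostile proxy reply to a CONNECT for myBank.com, the browser behaviour the paper criticises, and the hardened rule that closes the hole (any non-200 CONNECT reply is an opaque proxy error with no web origin, and its body is never rendered). The function names and the sample reply are assumptions made for this example.

```python
# Added example (not from the article or the PBP paper). It models how a client
# sitting behind an HTTP proxy should treat the proxy's reply to CONNECT.

# Constructed reply from a hostile proxy: it refuses the tunnel and attaches
# HTML with script. A vulnerable browser rendered this body as if it had been
# served by https://myBank.com.
PBP_REPLY = (
    b"HTTP/1.1 502 Bad Gateway\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"<script>alert('from proxy')</script>"
)

def parse_connect_reply(raw: bytes):
    """Split a raw CONNECT reply into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)          # HTTP-version SP status [SP reason]
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed proxy status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body

def vulnerable_policy(raw: bytes, target: str):
    """Behaviour the paper describes: a non-200 error body is attributed to the
    requested HTTPS origin, so any script in it runs with that origin's DOM."""
    code, _, body = parse_connect_reply(raw)
    if code == 200:
        return {"action": "tunnel", "origin": f"https://{target}"}
    return {"action": "render", "origin": f"https://{target}", "body": body}

def hardened_policy(raw: bytes, target: str):
    """Fixed behaviour: only a 200 opens the TLS tunnel to the target. Any other
    status is a proxy failure with no origin at all; the body is discarded and
    the user gets a browser-generated error page instead."""
    code, _, _body = parse_connect_reply(raw)
    if code == 200:
        return {"action": "tunnel", "origin": f"https://{target}"}
    return {"action": "proxy_error", "origin": None, "status": code}
```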
Other problems concern potential redirects by downloaded scripts and pages which are not actually intended for HTTPS presentation, but can be accessed via HTTPS URLs. According to the authors, browser vendors have been informed of the problems uncovered and have introduced initial counter-measures.