1. 2
  1. 2

    So the gist of it is that you brought a flaw in the design of the internet up as a bug on a browser that implements the flawed design? That’s what I read from this.

    1. 1

      Well, to be precise these bugs are in the design of a Web protocol (HTTP) and a Web standard (JavaScript).
      The Internet (which is way more than the Web) is fine.

      Anyway yes, I opened a bug report to Firefox as suggested by a Mozilla developers.

      Mozilla (like Google, Microsoft and Apple) is a founding member of WHATWG, they write these Living Standards, so they are responsible for those bugs.

      Also, be it standard or not, if the users of your application can have their firewalls bypassed through it, its your fault.

      And it’s your responsibility to inform the users of the risks you are exposing them to.

      Stating that it’s a problem in the standards (that you wrote), without informing them is not what I expected from Mozilla.
      This is particularly weird becauae the fixes are technically easy to implement for a browser vendor and AFAIK there is no line in the WHATWG standard imposing Javascript to be opt-out instead of opt-in.
      So to be even more precise only the HTTP cache control usagw I described is a problem in the standards: the JS issue is more a hole in the standard.

      Indeed that’s why I started informing Mozilla of the attacks in the first place. To fix the Living Standards that follow the implementations you need to fix an implementation first.

    2. 1

      How did you get here, why were you banned, who the f* are you anyway?

      1. 3

        I was invited by @ben.

        Basically I asked several times to members of Mozilla Security if their users were vulnerable to a wide class of attacks I described in a bug report (and have been then proved with 2 exploit).
        For the full story you should read the article, but you can find here a short summary.

        My name is Giacomo Tesio, I’m a father, a husband and a programmer.
        I’m from Italy. I am a hacker too. Actually I’m also many other things… it’s a bit complex to answer the last question properly.
        On tilde.team you can find me as giacomo.