Package: iceweasel
Version: 38.8.0esr-1~deb8u1
Severity: important

Dear Maintainer,

A large portion of websites are being MitM'd (man-in-the-middle) by a company that is centralizing the web (CloudFlare). Firefox misleads users by showing them a padlock icon stating (falsely) that the connection is secure. Users are led to believe that they have a secure end-to-end tunnel to the service named in the address bar. However, they (unwittingly) have a tunnel to CloudFlare, who sees all the traffic before it reaches the destination. This means very sensitive data is being disclosed to CloudFlare without the knowledge or consent of (misled) Firefox users.

The *only* way for a user to know of this MitM (using Firefox) is if they hit F12 and inspect the HTTP response headers for a "cf-ray:" header. Most users are not advanced enough to do that.

This security bug is serious. To illustrate the gravity of the problem, here are some bitcoin sites that share all traffic with CloudFlare, of which their exposed users are largely unaware:

 * bitcoin.de
 * bitcoin.it
 * bitcoinist.net
 * bitpay.com
 * biteasy.com
 * localbitcoins.com
 * seebitcoin.com

This means those sites (or a disgruntled insider therein) could steal money from clients, and CloudFlare could be blamed. Or a CloudFlare insider could do the same, and blame the service. All usernames and passwords are being exposed to CloudFlare without users' knowledge or consent. Many naive users re-use the same credentials on many websites.

This bug report should be treated with very high priority!

Why this is reported as a Debian package bug:

The submitter understands that this bug should be reported upstream. However, that was tried. Mozilla's bug database is hostile toward security-conscious users. Mozilla forces e-mail address submission, then it blocks when the address is not from a provider of their liking. Mozilla claims github logins can be used, but then after the user exposes github creds Mozilla denies access if the associated address is not to their liking. Bug report submitters are not getting paid. It's charity work. It's despicable that Mozilla expects charity workers to do more work for them than technically required.

Therefore, this report is submitted to the Debian package, because the Debian project has figured out how to collect bug reports from contributors, and all the hoops on Mozilla's upstream server were too exhausting. Hopefully someone with an existing upstream account can mirror this report. And I would appreciate it if this section is maintained.

Thanks.

-- Package-specific info:

-- Extensions information
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

-- Addons package information
ii  gnome-shell     3.14.4-1~deb  amd64  graphical shell for the GNOME des
ii  icedtea-7-plug  1.5.3-1       amd64  web browser plugin based on OpenJ
ii  iceweasel       38.8.0esr-1~  amd64  Web browser based on Firefox
ii  rhythmbox-plug  3.1-1         amd64  plugins for rhythmbox music playe

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iceweasel depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.3
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-18+deb8u4
ii  libcairo2                 1.14.0-2.1+deb8u1
ii  libdbus-1-3               1.8.20-0+deb8u1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-2
ii  libffi6                   3.1-2+b2
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-3+deb8u1
ii  libgcc1                   1:4.9.2-10
ii  libgdk-pixbuf2.0-0        2.31.1-2+deb8u5
ii  libglib2.0-0              2.42.1-1+b1
ii  libgtk2.0-0               2.24.25-3+deb8u1
ii  libhunspell-1.3-0         1.3.3-3
ii  libpango-1.0-0            1.36.8-3
ii  libsqlite3-0              3.8.7.1-1+deb8u1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.2-10
ii  libx11-6                  2:1.6.2-3
ii  libxcomposite1            1:0.4.4-1
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.1-2+b2
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-9
ii  zlib1g                    1:1.2.8.dfsg-2+b1

Versions of packages iceweasel recommends:
ii  gstreamer1.0-libav         1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.4-2

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
ii  fonts-stix [otf-stix]  1.1.1-1
ii  libcanberra0           0.30-2.1
ii  libgnomeui-0           2.24.5-3
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
pn  mozplugger             <none>

-- no debconf information