Mozzarella

Home

Warn Insecure Redirection

Overview:
If you visit a link that appears to simply be a redirection link and that link is not loaded over HTTPS, it will expose the redirection link to potential snoopers.

For example, if you visit:

http://www.example.com/redirect?goto=https://www.paypal.me/ashleymadison/100USD

Notice the HTTP in "http://www.example.com" means it is insecure.

Since example.com is NOT loaded over HTTPS, everyone on the Internet will know that you intend to visit the Paypal website to send money to Ashley Madison. Even though the Paypal website will be loaded over HTTPS, your intention will already be exposed by visiting example.com over an insecure connection.

Solution:
This extension will catch these potential problems and give you the option to:

1. Try loading example.com over HTTPS
2. Visit Paypal directly over HTTPS
3. Continue with the insecure link

This extension will also "ping" the root page ("/") at example.com over HTTPS to see if it is accessible and if so, will automatically navigate to the example.com page over HTTPS.

It will also "ping" the root page at paypal.me over HTTPS to determine if it is accessible and will add a tick or cross, so that you can decide whether you want to go directly to it.

The ping is made by sending a HEAD request with no cookies and no referral for your privacy. The root page was chosen to alleviate side effects and for privacy.

Explanation:
Any link that is NOT loaded over HTTPS means the full link and the website's contents will be susceptible to snooping and modification when passing through the Internet.

Generally, if that server doesn't support HTTPS you have no choice anyway. However, some links are really just redirection links that, when visited, will immediately redirect you to another website. The URL of the final website is sometimes embedded in the first URL in the form of URL parameters.

You can avoid exposing the redirection URL by not visiting the URL at all and choosing to go directly to the redirected URL. Or you can visit the redirection URL over HTTPS so that the embedded URL is hidden.

Demo:
Open your expired evaluation copy of WireShark and start inspecting network traffic.

Visit this link:
http://www.google.com/url?url=https://paypal.me/ashleymadison/0.99USD&rct=j&q=
or
http://disq.us/url?url=https://paypal.me/ashleymadison/0.99USD:YCTYzFK7sN1PiDyNguasfoOXJvo

Then inspect your traffic and notice that the above text "paypal.me/....." appears in your exposed network traffic.

Scope:
This extension will only work for opaquely embedded redirection URLs. If the redirection is performed on the server side using code 302, this extension cannot act on them.

This extension will only check for URLs loaded in the top level and won't check iframes.

If the redirected URL has the same domain name as the redirection URL, the extension will not intercept it, since such URLs are usually private and not redirections.

This extension will only watch for GET methods and will ignore other methods like POST since only the GET method can safely be halted and started up again with minimal side effects.

Performance:
In order to minimize the overhead that this extension has on your browser, this extension is configured to ONLY activate if the URL does NOT use HTTPS and there is a search parameter in the URL which contains the string "http:" or "https:". The prevents the extension from needing to respond to every type of URL.

Install