pao wrote: I suppose you're talking about this? It appears the general agreement in that bug (including from Georgio, who is unashamedly critical of things that aren't NoScript) is that it's not particularly exploitable;
So if you hit the "demo" button on this page with HTTPS Everywhere running - you don't get the address of the new tab spoofed?
pao wrote: it's fixed on the HTTPS Everywhere side as that bug indicates; it's completely fixed if you use the Tor-patched Firefox; and patches to fix it in mainline Firefox are in review.
Thus, users of non-"tor-patched" Firefox are vulnerable to address spoofing attacks, but everything you've said is absolutely true, sir.
pao wrote: Meanwhile, given there's no reports of this being a problem in the wild, and merely waiting for all the redirects to complete closes the exploitable window, I'll take my chances vs. having fewer encrypted sessions, thank you.
I won't judge how smart your choice is, since you are free to do whatever you like, but at least you are aware that your system is critically vulnerable. I'm here to warn others.