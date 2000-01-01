Hacker News new | comments | show | ask | jobs | submit login
Issue: Bitbucket relies on the Referer HTTP header (bitbucket.org)
Does anyone know of a good alternative to the atlassian suite? Given their price structure and popularity, I'd expect them to fix stuff like this in a timely fashion, and fix some basic UI issues.

Bitbucket server (aka "stash") examples:

- Create a pull request (the most common workflow in bitbucket) takes far too many page loads, and is buried in "hamburger"/"more options"

- For teams with per-developer repos, it does not remember which repos the currently logged in user frequently uses, so you scroll through everone on the team's name for most operations. (And the new version "improved" this in some places with a JavaScript-heavy list that renders like molasses on no-gpu xeon vms).

- Each product (bitbucket, jira, confluence) uses a different markup language.

And so on. I could complain about other workflows or other products, but this is pretty typical for their stuff.

I would be interested to know as well. To add to your list. If you need to scale up to huge intsances it hurts. Repo Clones take huge amount of resources for some reason, and updates require hours of downtime to spin the cluster up again. Aparrently there development team haven't even had a very large instance for test until late 2016 so fixing there issues is likely to take time.

Seems fairly clear that this is a Django issue, not a Bitbucket issue. Maybe change this link to point to the equivalent Django bug: https://code.djangoproject.com/ticket/16870.

So when my car breaks down I should expect Toyota to say "sorry that's a Takata issue take it up with them"?

Of course it's a 100% Bitbucket issue as seen as a user. I ran into the same issues while having some debug headers set.

As a user I simply don't care what platform they use.

I really don't think this is a big deal. I run a medium size website with well over 2000 uniques users per day and also require the referer header to use the website. So far, I've yet to receive a single complaint or find a browser that doesn't send it.

It might be optional as per the spec, but it's completely ubiquitous at this point, and provides an easy way to add an extra layer of safety for web developers.

Relying on the referrer header for CSRF protection is dubious at best. Just use a token like everybody else, protect against session fixation, call it a day.

They are using a token, just like everyone else... this is just some added protection on top

Let's not spread FUD :)

But this isn't added protection. Here is the textbook list of security goals:

- availability

- integrity

- confidentiality

It breaks availability and confidentiality to protect against an attack that is already prevented by https.

This is like installing an open ip cam and welding my padlock shut, then claiming you've improved my storage unit.

Have you read the discussion on security.stackexchange.com ?

there's no decrease in availability by an attacker (there's only a self inflicted denial by the user)

there's also no decrease in confidentiality for the service itself (and if the user uses an appropriate extension[0], or the browsers implement an appropriate whitelist mechanism, there's no confidentiality decrease for the user in general either)

This is simply defense in depth

If you leaked the SECRET_KEY/misconfigured the CSRF creation (which should be impossible, but it's the whole point of adding layers) AND the victim is being MITM AND you don't implement HSTS AND You correctly set cookies as Secure

You would have a potential vulnerability, exploitable (only?) via CSRF, which this check prevents

[0] like https://addons.mozilla.org/en-US/firefox/addon/smart-referer... but I'm not advocating for the use of this extension

So redirecting all port 80 requests to https://<domain>/ (or otherwise kill port 80 on the server).

Then, make sure each page view overwrites / clears any side-effecting session state.

Put another way, why should unexpected cookies change the side effects of post requests?

Anyway, if the browser is connecting via port 80, the MITM can just use a transparent http->https proxy to rewrite the referrer, and forward the request to the https server, so you've already lost.

It's not really any additional protection...how are you going to break a token? I've encountered this a few times on other sites, have to waste a few seconds messing around in my about:config.

Wasn't implying this, I meant it as "token sufficient, referrer of low value".

This is Django's CSRF module, and it only requires the referer when operating behind HTTPS.

The requirement is there to close off edge cases where an attacker mess with an initial non-HTTPS request in order to set up compromise of CSRF for future HTTPS requests. HSTS by itself can't solve that. If and when browser support for the Origin header gets more widespread, it'll be possible to secure this without checking Referer. But for now, that's not an option.

Well, you should not post from HTTP to HTTPS anyway.

I highly doubt there is any good reason to do it anywhere, and on the one case you think you got a good reason (I still doubt it), don't try to anonymize the hell out of a logged-on request.

From memory when this came up, I think the concern is someone spoofing a non-HTTPS version of your site to trick a browser into posting to the HTTPS version? Someone that understands this stuff properly will need to chime in.

It looks like Django relies on client-side tokens embedded in cookies for CSRF protection, there is no server-side state that the attacker has to guess. A MITM can trick someone to visit http://example.com/, set their own token in a HTTP cookie for example.com, use the same token in the POST request to https://example.com and it will pass validation, as cookies set over HTTP are still sent to HTTPS.

Should be easy to mitigate this by using server-side CSRF state, or signing the tokens.

I think this choice was made because Django doesn't _require_ sessions to be used. So they're making a compromise that could (however marginally) improve security regardless of the configuration of the site.

I think perhaps some way of saying "I use sessions, and therefore CSRF should rely on that" could be reasonable, but with security stuff like this I'm really hesitant to say that more definitively.

I'm a bit confused... I thought that Django always signed the CSRF tokens with the app's SECRET_KEY

But upon looking at the code, it seems that the SECRET_KEY is only used to reseed the PRNG O_o

https://github.com/django/django/blob/stable/1.10.x/django/u...

Secret key is used for signing. https://github.com/django/django/blob/master/django/core/sig...

Looks like it

https://security.stackexchange.com/questions/96114/why-is-re...

I don't think that the solution can be as simple as:

> you should not post from HTTP to HTTPS anyway.

because if the attacker is MITM'ing your user, he can supply the user a HTTP page that you never created (unless you have HSTS enabled)

The obvious inquire: "why doesn't the attacker simply steals the login cookie?", can probably be simply explained if your service is setting the Secure flag in the Set-Cookie header (as it should)... this way, even if the victim is logged in, the attacker wouldn't be able to steal the cookie

