[tor-bugs] #7454 [EFF-HTTPS Everywhere]: Active rules list doesn't indicate effects of securecookie if no URL rewrite took place
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 12 08:09:06 UTC 2012
#7454: Active rules list doesn't indicate effects of securecookie if no URL
rewrite took place
----------------------------------+-----------------------------------------
Reporter: schoen | Owner: pde
Type: defect | Status: accepted
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by pde):
* status: new => accepted
Comment:
The code that implements the <securecookie> element
[https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/code/HTTPSRules.js#l546 does
try to display this fact] in the context menu. The problem is that it
only happens when the cookie is first secured. There may be no later
indication that a cookie in the page was secured by HTTPS Everywhere if
HTTPS Everywhere has nothing else to change in that page, and there may be
no indication that a cookie is ''missing'' from an HTTP page because of a
past securecookie intervention. I think these are probably fixable,
though it will be tricky work.
It is also the case that disabling a ruleset won't go and ''remove'' the
securecookie flag from all of the cookies it was set on, since that
operation itself could potentially cause insecurity. Although
perhaps it's the lesser of two evils...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7454#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online