[tor-bugs] #11295 [Applications/Tor Browser]: Users cannot log into LycosMail
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 22 04:50:31 UTC 2017
#11295: Users cannot log into LycosMail
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-usability-website, needs-triage | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by cypherpunks):
* severity: => Normal
Comment:
A user joined IRC pointing to this bug and a similar one they were
experiencing on an unrelated service.
Both Lycos and the other service send their login page over http
(aaaargh).
The user reported that disabling NoScript resolved the issue; with the
user's help I was able to reproduce the issue and confirm NoScript was the
source. I noticed that when NoScript was enabled cookies that had been
issued over https would not be sent over http, resulting in it constantly
forcing the user back to the login page, securely, whereupon the cookies
were sent...putting them back to square one.
The issue stems from the sites' issuance of cookies "securely" then
returning to http and NoScript's policy for "Secure Cookies Management".
**Work Around**
By going into NoScript -> Options -> Advanced -> HTTPS -> Cookies and
setting appropriate exceptions under "Ignore unsafe cookies set over HTTPS
by the following sites", they were able to successfully log in to the
services.
I'd recommend not using these services, however, since they have some
clearly problematic security holes.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11295#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
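
Added example (not part of the ticket and not NoScript's code): a simplified model of the login loop described in the comment above. It assumes the policy is "treat any cookie set over HTTPS as Secure unless the host is on the exception list"; the host mail.example, the cookie name, the token and the exact-match exception list are constructed for illustration.

```javascript
// Simplified cookie jar. forceSecure models the "Secure Cookies Management"
// behaviour described in the ticket; exceptions models the list under
// "Ignore unsafe cookies set over HTTPS by the following sites".
// Assumption: exceptions are matched on the exact host name.
class CookieJar {
  constructor({ forceSecure, exceptions = [] }) {
    this.forceSecure = forceSecure;
    this.exceptions = new Set(exceptions);
    this.cookies = new Map(); // "host|name" -> { value, secure }
  }

  // Store a cookie from a response received over `scheme` from `host`.
  set(scheme, host, name, value, secureAttr = false) {
    const forced =
      this.forceSecure && scheme === "https" && !this.exceptions.has(host);
    this.cookies.set(`${host}|${name}`, { value, secure: secureAttr || forced });
  }

  // Names of the cookies that would be attached to a request to `host`.
  get(scheme, host) {
    const names = [];
    for (const [key, cookie] of this.cookies) {
      const [h, name] = key.split("|");
      if (h === host && (scheme === "https" || !cookie.secure)) names.push(name);
    }
    return names;
  }
}

// Site behaviour from the ticket: the session cookie is issued over HTTPS
// without the Secure attribute, then the user is sent back to plain HTTP.
function simulateLogin(jar, host, maxRounds = 5) {
  for (let round = 1; round <= maxRounds; round++) {
    jar.set("https", host, "session", "constructed-token"); // login response
    if (jar.get("http", host).includes("session")) {
      return { loggedIn: true, rounds: round }; // HTTP page saw the session
    }
    // No cookie arrived over HTTP: the site bounces back to the HTTPS login.
  }
  return { loggedIn: false, rounds: maxRounds };
}

const host = "mail.example"; // constructed host
const strict = simulateLogin(new CookieJar({ forceSecure: true }), host);
const excepted = simulateLogin(
  new CookieJar({ forceSecure: true, exceptions: [host] }), host);
console.log({ strict, excepted });
```

In the model the exception ends the loop only because the session cookie then travels over plain HTTP.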