[HTTPS-E Rulesets] Problems browsing scratch.mit.edu with https everywhere enabled

Peter Eckersley pde at eff.org
Sun Nov 11 23:49:56 PST 2012


HTTPS Everywhere does have a ruleset that switches requests to a number of MIT domains
over to HTTPS:

https://gitweb.torproject.org/https-everywhere.git/blob/3.0.4:/src/chrome/content/rules/MIT.xml

The semantics of that file are defined here:

https://www.eff.org/https-everywhere/rulesets

Given the symptoms you describe (logouts, people being logged in under the
wrong accounts) I'm 90% sure that the bug is being caused by the
<securecookie> element in the rule.  That will turn on the "secure" flag
(https://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly) in any HTTP
cookie that's set by any .mit.edu page that is being served over HTTPS.

However there could be two possible mechanisms by which the securecookie rule
is affecting scratch.mit.edu:  (1) scratch.mit.edu shares content from other
mit.edu domains which are actively rewritten by the ruleset.  Maybe that's
embedded stuff, and maybe it's an auth cookie that's scoped to all of .mit.edu
(2) scratch.mit.edu was responding to some HTTPS requests, in which case
cookies on the scratch.mit.edu domain would be flagged as secure.

The quickest fix on our end would be disabling the securecookie element in that
ruleset, but a change like that typically takes at least weeks to propagate,
and would decrease the security we can offer for other MIT websites.  

It might also be possible to fix the problem on your end, by figuring out
which exact cookies are being flagged secure, and ensuring that the servers
that are supposed to receive them always do so via HTTPS.

On Sun, Nov 11, 2012 at 10:23:38PM -0500, Amos Blanton wrote:
> Greetings,
> 
> We've gotten several reports of strange behavior when browsing Scratch (
> scratch.mit.edu) with https everywhere enabled, including users getting
> logged out repeatedly, and becoming logged in under incorrect accounts. One
> person suspected that a rule was set for *.mit.edu that was not compatible
> with Scratch.
> 
> AFAIK, Scratch does not have https support, unless it is built into the
> cake php foundation, which I doubt.  Can you recommend a solution for this
> issue, or next steps to take?
> 
> Thanks,
> Amos
> Scratch Community Coordinator

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
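To make the mechanism in Peter's reply concrete, here is a small model (added for this archive page; it is not code from HTTPS Everywhere, the EFF or MIT) of what a browser's cookie jar looks like once a `<securecookie>` rule has run. The rule pattern, the host names and the cookies are constructed for the illustration; the real MIT.xml patterns are not reproduced. It shows both mechanisms Peter lists: an auth cookie scoped to all of `.mit.edu` set by another MIT host over HTTPS, and a session cookie set by scratch.mit.edu itself when it happened to answer one HTTPS request. In both cases the cookie gains the Secure flag and is then withheld from plain-HTTP requests, which is exactly what a server that only speaks HTTP sees as a logout. The `cookies_lost_over_http` function is the diagnostic the reply suggests: list which cookies reach `https://host` but not `http://host`.

```python
"""Model of the HTTPS Everywhere <securecookie> effect on a site that only speaks HTTP.
Added example for this mailing-list page; not HTTPS Everywhere's own code."""
import re
from urllib.parse import urlparse

# Stand-in for the <securecookie host="..." name="..."/> element of MIT.xml
# (constructed pattern; the real ruleset's expressions are not copied here).
SECURECOOKIE_RULES = [(r".*\.mit\.edu", r".*")]


def parse_set_cookie(header, set_host):
    """Parse one Set-Cookie header. set_host is the responding host; it fixes
    the cookie's scope when no Domain attribute is present (host-only cookie)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {
        "name": name.strip(),
        "value": value,
        "domain": attrs.get("domain", "").lstrip(".") or set_host,
        "host_only": "domain" not in attrs,
        "secure": "secure" in attrs,
    }


def store_response_cookies(jar, set_cookie_headers, response_url, rules=SECURECOOKIE_RULES):
    """Store a response's cookies the way a browser with HTTPS Everywhere would:
    a cookie set over HTTPS whose host and name match a securecookie rule is
    stored with the Secure flag even though the server never sent that flag."""
    u = urlparse(response_url)
    for header in set_cookie_headers:
        c = parse_set_cookie(header, u.hostname)
        if u.scheme == "https" and any(
            re.fullmatch(h, u.hostname) and re.fullmatch(n, c["name"]) for h, n in rules
        ):
            c["secure"] = True
        jar[(c["domain"], c["name"])] = c  # same scope + name replaces the old cookie


def cookies_for_request(jar, url):
    """Names of stored cookies a browser attaches to a request for url.
    Secure cookies are only sent when the request scheme is https."""
    u = urlparse(url)
    host = u.hostname
    sent = []
    for c in jar.values():
        if c["host_only"]:
            domain_ok = host == c["domain"]
        else:
            domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
        if domain_ok and (u.scheme == "https" or not c["secure"]):
            sent.append(c["name"])
    return sorted(sent)


def cookies_lost_over_http(jar, host):
    """Diagnostic: cookies that reach https://host but are withheld from
    http://host because they now carry the Secure flag."""
    over_https = set(cookies_for_request(jar, f"https://{host}/"))
    over_http = set(cookies_for_request(jar, f"http://{host}/"))
    return sorted(over_https - over_http)


def simulate():
    """Constructed scenario covering both mechanisms named in the reply."""
    jar = {}
    # Mechanism (1): an auth cookie scoped to all of .mit.edu, set by another
    # MIT host that the ruleset has rewritten to HTTPS (constructed cookie).
    store_response_cookies(jar, ["mitauth=tok123; Domain=.mit.edu; Path=/"],
                           "https://www.mit.edu/login")
    # Mechanism (2): scratch.mit.edu itself answered one HTTPS request and set
    # its session cookie in that response (constructed cookie).
    store_response_cookies(jar, ["sessionid=abc; Path=/; HttpOnly"],
                           "https://scratch.mit.edu/login")
    # A cookie set over plain HTTP is never touched by securecookie.
    store_response_cookies(jar, ["lang=en; Path=/"], "http://scratch.mit.edu/")
    return jar


if __name__ == "__main__":
    jar = simulate()
    print("sent over https:", cookies_for_request(jar, "https://scratch.mit.edu/"))
    print("sent over http: ", cookies_for_request(jar, "http://scratch.mit.edu/"))
    print("lost over http: ", cookies_lost_over_http(jar, "scratch.mit.edu"))
```

Run as-is it reports that `mitauth` and `sessionid` travel only over HTTPS while `lang` travels either way; a site that serves its logged-in pages over HTTP therefore sees requests without any session cookie, or with a stale one from a different session. The server-side fix Peter describes corresponds to making every request that needs those two cookies an HTTPS request, at which point `cookies_lost_over_http` returns an empty list for the hosts that matter.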



