[HTTPS-Everywhere] New ruleset and securecookie strangeness

https-everywhere at lists.grepular.com
Sun Dec 26 06:46:09 PST 2010


I've been using the Firefox addon named "TamperData" and it doesn't show
any http requests. You don't actually need to log in to see this
behaviour, just go to http://www.national-lottery.co.uk/ with the rule I
provided. A cookie named SIVISITOR is set and it isn't secure. I can't
actually see which request is setting the cookie though because there
are so many. Could it be one of the various SWF apps on the page setting
it? How does HTTPS-Everywhere handle cookies created by Flash?

Mike

On 26/12/2010 14:34, Peter Eckersley wrote:
> Is it possible that the unsecured cookies are being set over HTTP connections?
> Perhaps from somethingrandom.national-lottery.co.uk?  If there are some
> non-HTTPS connections that set cookies, we can't set the secure flags on those
> cookies (at least, not without a very high risk of breaking things).  So we
> don't.
> 
> On Sat, Dec 25, 2010 at 06:30:34PM +0000, https-everywhere at lists.grepular.com wrote:
>> Hi,
>>
>> I created a new ruleset for national-lottery.co.uk:
>>
>> https://github.com/mikecardwell/https-everywhere/commit/34dfd42ed82d41a02cbc290f96326caac932739a
>>
>> Please pull it.
>>
>> However, I noticed one strange thing... The ruleset contains:
>>
>> <securecookie host="^(.+\.)?national-lottery\.co\.uk$" name=".*"/>
>>
>> I viewed the cookies after logging in and noticed that while most were
>> secure, a couple weren't (according to the "Web Developer" Firefox
>> addon). The ones which were secure all had the "Host" value set to
>> "www.national-lottery.co.uk", but the two which weren't had slightly
>> different Host headers both starting with a ".", ie:
>>
>> .www.national-lottery.co.uk
>> .national-lottery.co.uk
>>
>> Is something broken?
>>
>> Actually, it's just occurred to me. Does the securecookie tag work for
>> cookies that are created using JavaScript or does it merely affect those
>> set via HTTP headers?
>>
>> -- 
>> Mike Cardwell https://secure.grepular.com/   https://twitter.com/mickeyc
>> Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
>> PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

-- 
Mike Cardwell https://secure.grepular.com/   https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
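An added illustration, not code from this thread or from the HTTPS Everywhere addon itself: a small Python model of how a <securecookie> rule could be applied to the three cookie host values listed above. It assumes the rule's host pattern is tested against the host string as Firefox stores it (leading dot included for domain cookies), and that a cookie set over plain HTTP is skipped entirely, as Peter describes. One thing the regex itself shows: `(.+\.)?` needs at least one character before the dot, so a host of exactly `.national-lottery.co.uk` does not match the posted pattern, while `.www.national-lottery.co.uk` does. The block also tries a relaxed `(.*\.)?` variant; that variant and all cookie names other than SIVISITOR are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, replace

# The <securecookie> line quoted in the thread, wrapped in a minimal
# <ruleset> element. Only the inner line comes from the thread; the
# wrapper is constructed here.
RULESET_XML = r"""
<ruleset name="National Lottery">
  <securecookie host="^(.+\.)?national-lottery\.co\.uk$" name=".*"/>
</ruleset>
"""

# Same rule with ".+" relaxed to ".*" so that a host consisting of a bare
# leading dot plus the domain also matches. A candidate fix, not from the thread.
RELAXED_RULESET_XML = r"""
<ruleset name="National Lottery">
  <securecookie host="^(.*\.)?national-lottery\.co\.uk$" name=".*"/>
</ruleset>
"""


@dataclass(frozen=True)
class Cookie:
    host: str             # host as the browser stores it; domain cookies carry a leading "."
    name: str
    set_over_https: bool  # True if the Set-Cookie header arrived on an HTTPS response
    secure: bool = False


def load_securecookie_rules(xml_text):
    """Compile the (host, name) regex pairs of every <securecookie> in a ruleset."""
    root = ET.fromstring(xml_text)
    return [(re.compile(el.get("host")), re.compile(el.get("name")))
            for el in root.iter("securecookie")]


def apply_securecookie(cookie, rules):
    """Return the cookie with the Secure flag added if some rule matches.

    Cookies set over plain HTTP are never touched, whatever the rules say:
    the site evidently expects to read them over HTTP, so flagging them
    would break it. This is an assumption modelled on Peter's reply, not
    taken from the addon's source.
    """
    if not cookie.set_over_https:
        return cookie
    for host_re, name_re in rules:
        if host_re.search(cookie.host) and name_re.search(cookie.name):
            return replace(cookie, secure=True)
    return cookie


# Constructed observations: the three host values Mike lists, plus one
# SIVISITOR cookie that hypothetically arrives on an HTTP response.
OBSERVED = [
    Cookie("www.national-lottery.co.uk", "session", set_over_https=True),
    Cookie(".www.national-lottery.co.uk", "prefs", set_over_https=True),
    Cookie(".national-lottery.co.uk", "SIVISITOR", set_over_https=True),
    Cookie(".national-lottery.co.uk", "SIVISITOR", set_over_https=False),
]


def secure_flags(xml_text, cookies=OBSERVED):
    """Map (host, name, set_over_https) -> Secure flag after applying the ruleset."""
    rules = load_securecookie_rules(xml_text)
    return {(c.host, c.name, c.set_over_https): apply_securecookie(c, rules).secure
            for c in cookies}


if __name__ == "__main__":
    for label, xml in (("as posted", RULESET_XML), ("relaxed", RELAXED_RULESET_XML)):
        print(label)
        for key, secure in secure_flags(xml).items():
            print("  ", key, "->", "Secure" if secure else "not secure")
```

With the pattern as posted, only the cookie stored under the bare ".national-lottery.co.uk" host stays unflagged; with the relaxed pattern it is flagged too, but the HTTP-set copy is left alone in both cases.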
