[HTTPS-Everywhere] Microsoft.com/security/ exclusion needed

Peter Eckersley pde at eff.org
Mon Oct 18 10:45:02 PDT 2010


On Mon, Oct 18, 2010 at 10:16:45AM -0700, Chris Palmer wrote:
> > I wonder if this was intended as some kind of anti-clickjacking measure or
> > as a defense against cookie theft via mixed content? In the former case it
> > seems broken; in the latter case perhaps not.
> 
> Defeating clickjacking is quite hard indeed, and most such mechanisms are
> broken. 

Yes, but we should remain vigilant for problems with framebusting JS that uses
hardcoded http:// destinations.

> I also doubt it's intended as any kind of cookie theft defense ---
> redirecting to unsafe transport is no way to stop cookie theft. :)

Are you sure?  What if the cookie is flagged as secure, and is only to be sent
to genuinely secure portions of the site, while other portions of the site
have mixed content and therefore can't be trusted with the secure cookie?  Of
course, if this were the theory, the redirect should have been a 302 rather
than a JavaScript redirect...

> I can't imagine what they are thinking. We should lobby them to change it so
> that HTTPS works.

Agreed.  Do people think we should add an exclusion in the meantime?

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
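To make the "add an exclusion" option concrete, here is an added example (not from the thread and not the project's own Microsoft ruleset) that applies a small HTTPS Everywhere-style ruleset to URLs. It assumes the ruleset XML format used by the extension at the time, with `target`, `exclusion` and `rule` elements, and the hostnames and regular expressions in it are constructed for illustration only. An `exclusion` is checked before any `rule`, so a matching URL is left on plain `http://` even though the host is a target of the ruleset.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed ruleset in the HTTPS Everywhere XML format (target / exclusion /
# rule elements). The hostnames and patterns are illustrative assumptions,
# not the project's actual Microsoft ruleset.
RULESET_XML = """
<ruleset name="Microsoft (example)">
  <target host="www.microsoft.com" />
  <target host="microsoft.com" />
  <exclusion pattern="^http://www\\.microsoft\\.com/security/" />
  <rule from="^http://(www\\.)?microsoft\\.com/" to="https://www.microsoft.com/" />
</ruleset>
"""


class Ruleset:
    """Minimal interpreter for one ruleset: targets, exclusions, rewrite rules."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        self.name = root.get("name")
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern"))
                           for e in root.findall("exclusion")]
        # Rulesets use JavaScript-style $1 backreferences in "to"; convert
        # them to Python's \1 form so re.sub understands them.
        self.rules = [(re.compile(r.get("from")),
                       re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                      for r in root.findall("rule")]

    def applies_to(self, host):
        # A target of the form "*.example.com" covers any subdomain.
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Return (resulting_url, decision) for a single URL."""
        host = urlparse(url).hostname or ""
        if not self.applies_to(host):
            return url, "no-target"
        # Exclusions win over rules: matching URLs are deliberately left alone.
        for exclusion in self.exclusions:
            if exclusion.search(url):
                return url, "excluded"
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url, count=1)
            if count:
                return new_url, "rewritten"
        return url, "no-rule"


RULESET = Ruleset(RULESET_XML)


def decide(url):
    """Convenience wrapper so the decision for one URL can be checked directly."""
    return RULESET.rewrite(url)


if __name__ == "__main__":
    for sample in ("http://www.microsoft.com/security/updates.aspx",
                   "http://www.microsoft.com/windows/",
                   "http://microsoft.com/",
                   "http://example.com/"):
        print(sample, "->", decide(sample))
```

Because the excluded path stays on `http://`, a cookie carrying the `Secure` attribute is never sent to it by the browser, which is the one reading of the site's behaviour under which the redirect makes some sense; an exclusion keeps that property while letting the rest of the host be rewritten.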
