[HTTPS-Everywhere] Facebook issues

Peter Eckersley pde at eff.org
Fri May 6 12:12:06 PDT 2011


Sounds like we need an update to cover those Facebook subdomains, but the
deeper issue is that the Facebook cookies are not flagged as secure.  There
are two things that you can do about this: (1) enable the optional Facebook+
rule (which flags the cookies as secure but may break some things) or (2) turn
on the "always use HTTPS" setting in your Facebook account.  Ideally you
should do both.

As Facebook gradually fixes bugs in their HTTPS deployment, hopefully we can
move towards merging the <securecookie> rules from the Facebook+ ruleset into the
default one.

On Fri, May 06, 2011 at 09:05:00AM -0700, Rebecca S. Reagan wrote:
> 
> 
> Rebecca S. Reagan
> Intake Coordinator
> Electronic Frontier Foundation
> (415)436-9333 Ext. 135
> Become a Member! https://www.eff.org/support
> 
> 
> -------- Original Message --------
> Subject: URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere ---
> RE: HTTPS Everywhere doesn't cover all Facebook sub domains
> Date: Fri, 6 May 2011 14:42:26 +0000
> From: Decime, Jerry (IT Security) <jerry.decime at hp.com>
> To: Rebecca Reagan <rsreagan at eff.org>
> 
> 
> 
> Rebecca,
> 
> In addition to the ongoing issues with HTTPS Everywhere not actually
> providing protection when visiting Facebook, it recently performed an
> update for which I was able to get into the middle and push my own code
> (to my own environment) rather than the actual update code from
> www.eff.org. This was possible because it made an update request here:
> 
> https://www.eff.org/files/https-everywhere-update.rdf
> 
> It was then possible to modify the code location and signature:
> 
> <RDF:Description RDF:about="rdf:#$ybGCJ1"
> NS1:id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" NS1:minVersion="3.5"
> NS1:maxVersion="4.*"
> NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
> NS1:updateHash="sha1:31f800d2b1d15e994cdea0fbf0fdd72cf50c03b5"/>
> 
> This was possible because www.eff.org is STILL
> USING the non secure SSLv2 protocol:
> 
> https://www.eff.org/files/https-everywhere-update.rdf
> 
> PLEASE! Remove SSLv2 support & get this fixed ASAP!
> 
> Thanks,
> 
> Jerry Decime
> 
> Senior Security Strategist
> 
> Hewlett-Packard
> 
> *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> *Sent:* Tuesday, November 16, 2010 5:30 PM
> *To:* Decime, Jerry (IT Security)
> *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> 
> Dear Jerry,
> 
> Thank you for sending us follow up information. Our technologists are
> aware of the methods you're describing and are considering various ways
> to address the problems.
> 
> Again, thank you,
> 
> Rebecca S. Reagan
> 
> 
> On 11/16/10 3:35 PM, Decime, Jerry (IT Security) wrote:
> 
> Release version 0.2.2. Also note that I’ve found that third-parties to
> Facebook sometime fail to protect Facebook OAuth credentials with HTTPS
> so the picture starts to look a bit bleak when it comes to locking down
> the entire Facebook experience. Unfortunately it really does come down
> to architecting applications correctly to begin with.
> 
> BTW, it’s really easy to test this plug-in by simply having all HTTP
> traffic traverse The Fiddler2 & then watch and inspect any HTTP traffic
> you might see. Optionally, you can also write a Fiddler2 rule to alert
> you if it finds a pre-defined chunk of text. This is helpful for
> automatically finding matches on session info and OAuth tokens.
> 
> Let me know if you need additional information or help.
> 
> Thanks,
> 
> Jerry Decime
> Senior Security Strategist
> 
> Hewlett-Packard
> 
> *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> *Sent:* Tuesday, November 16, 2010 4:29 PM
> *To:* Decime, Jerry (IT Security)
> *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> 
> Dear Jerry,
> 
> Thank you for contacting the Electronic Frontier Foundation (EFF) with
> your concerns. Do you know if you are using the release version of the
> software, or the more aggressive development version? That would be
> helpful information for us. We are working to close the gaps and
> appreciate information of this nature.
> 
> Should you be interested in more information on HTTPS Everywhere, please
> see the FAQ at http://www.eff.org/https-everywhere/faq or consider
> joining the HTTPS Everywhere mailing list
> https://falcon.eff.org/mailman/listinfo/https-everywhere.
> 
> Again, thank you for your conscientious work and for sharing the
> information with us.
> 
> Yours,
> 
> Rebecca S. Reagan
> Intake Coordinator
> 
> On 11/16/10 12:43 PM, Decime, Jerry (IT Security) wrote:
> 
> Attached is an HTTP capture using “The Fiddler2” which shows that your
> HTTPS Everywhere plug-in for Firefox clearly does not guard against the
> capture of session keys on Facebook since it doesn’t enforce HTTPS for
> all sub domains containing sensitive session information. In the capture
> file please reference requests for:
> 
> http://apps.facebook.com
> 
> http://static.ak.connect.facebook.com
> 
> http://pixel.facebook.com
> 
> I confirmed that the cookies available via these sub domains include
> Facebook session information which could be used to authenticate a
> session as the user:
> 
> From www.facebook.com, which is over HTTPS and
> protected -> Cookie:
> datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> 
> From apps.facebook.com, which is over HTTP and not protected & confirms
> the possibility of session hijack -> Cookie:
> datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> 
> I downloaded the plug-in today, just before testing & installed it in a
> browser which has never had the plug-in installed (using Firefox
> 3.6.12). It enforces HTTPS elsewhere on Facebook, but not all sub
> domains as shown in the attached capture.
> 
> Thanks,
> 
> Jerry Decime
> 
> Senior Security Strategist
> 
> Hewlett-Packard
> 
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
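The thread's two findings, a default ruleset that leaves some facebook.com subdomains on plain HTTP and session cookies that are not flagged Secure, can be checked mechanically against a capture. The script below is an added illustration, not code from HTTPS Everywhere or from anyone in this thread: it loads a constructed ruleset in the extension's XML format (a rewrite `<rule>` plus the optional `<securecookie>` from a "plus" variant), walks constructed Fiddler-style (URL, Cookie header) pairs with fake cookie values, and reports which session cookies would still leave the browser in cleartext under each ruleset.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed rulesets in HTTPS Everywhere's XML format (not the project's real
# files): default rewrites only www.facebook.com; "plus" adds a <securecookie>.
RULESET_DEFAULT = """<ruleset name="Facebook">
  <target host="facebook.com"/><target host="www.facebook.com"/>
  <rule from="^http://(www\\.)?facebook\\.com/" to="https://www.facebook.com/"/>
</ruleset>"""
RULESET_PLUS = RULESET_DEFAULT.replace(
    "</ruleset>", '  <securecookie host="^.*\\.facebook\\.com$" name=".*"/>\n</ruleset>')

# Constructed (URL, Cookie header) pairs modelled on the capture in the thread.
CAPTURE = [
    ("https://www.facebook.com/home.php", "c_user=100000; xs=abc123; locale=en_US"),
    ("http://apps.facebook.com/game/", "c_user=100000; xs=abc123; locale=en_US"),
    ("http://pixel.facebook.com/p.gif", "datr=1254; xs=abc123"),
]
SESSION_COOKIES = {"c_user", "xs", "sid"}   # cookies that authenticate a session

def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    rules = [re.compile(r.get("from")) for r in root.iter("rule")]
    secure = [(re.compile(s.get("host")), re.compile(s.get("name")))
              for s in root.iter("securecookie")]
    return rules, secure

def leaked_session_cookies(url, cookie_header, ruleset_xml):
    """Session cookie names that would still leave the browser in cleartext."""
    rules, secure = load_rules(ruleset_xml)
    parts = urlsplit(url)
    if parts.scheme == "https" or any(rx.search(url) for rx in rules):
        return []   # already TLS, or a <rule> would rewrite it to https
    leaked = []
    for pair in cookie_header.split(";"):
        name = pair.strip().split("=", 1)[0]
        if name not in SESSION_COOKIES:
            continue
        # A matching <securecookie> sets Secure, so the browser withholds it over http.
        if any(h.search(parts.hostname) and n.search(name) for h, n in secure):
            continue
        leaked.append(name)
    return leaked

def audit(capture, ruleset_xml):
    """Map each cleartext request to the session cookies it leaks."""
    found = ((u, leaked_session_cookies(u, c, ruleset_xml)) for u, c in capture)
    return {u: leaked for u, leaked in found if leaked}
```

With the default ruleset the audit flags `xs` and `c_user` on the apps and pixel hosts, exactly the pattern the capture quoted above shows; with the `<securecookie>` rule in place the report is empty, which is why the reply recommends the plus ruleset (or Facebook's own always-HTTPS setting) until those rules can move into the default one.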

