[HTTPS-Everywhere] Facebook issues

Drake, Brian brian2 at drakefamily.tk
Sun May 8 21:46:58 PDT 2011


I haven’t really had time to look at this properly since Facebook got
serious about HTTPS, but I wrote my own rules that both redirect EVERYTHING
to https and make ALL cookies secure on ALL subdomains on facebook.com (and
facebook.net and fbcdn.net) and I haven’t noticed any problems. I don’t
understand what the fuss is about now.

On Fri, May 6, 2011 at 1212 (UTC-7), Peter Eckersley <pde at eff.org> wrote:

> Sounds like we need an update to cover those Facebook subdomains, but the
> deeper issue is that the Facebook cookies are not flagged as secure.  There
> are two things that you can do about this: (1) enable the optional Facebook+
> rule (which flags the cookies as secure but may break some things) or (2) turn
> on the "always use HTTPS" setting in your Facebook account.  Ideally you
> should do both.
>
> As Facebook gradually fixes bugs in their HTTPS deployment, hopefully we can
> move towards merging the <securecookie> rules from the Facebook+ ruleset into
> the default one.
>
> On Fri, May 06, 2011 at 09:05:00AM -0700, Rebecca S. Reagan wrote:
> >
> >
> > Rebecca S. Reagan
> > Intake Coordinator
> > Electronic Frontier Foundation
> > (415)436-9333 Ext. 135
> > Become a Member! https://www.eff.org/support
> >
> >
> > -------- Original Message --------
> > Subject:      URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere ---
> > RE: HTTPS Everywhere doesn't cover all Facebook sub domains
> > Date:         Fri, 6 May 2011 14:42:26 +0000
> > From:         Decime, Jerry (IT Security) <jerry.decime at hp.com>
> > To:   Rebecca Reagan <rsreagan at eff.org>
> >
> >
> >
> > Rebecca,
> >
> > In addition to the ongoing issues with HTTPS Everywhere not actually
> > providing protection when visiting Facebook, it recently performed an
> > update for which I was able to get into the middle and push my own code
> > (to my own environment) rather than the actual update code from
> > www.eff.org. This was possible because it made an update request here:
> >
> > https://www.eff.org/files/https-everywhere-update.rdf
> >
> > It was then possible to modify the code location and signature:
> >
> > <RDF:Description RDF:about="rdf:#$ybGCJ1"
> > NS1:id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" NS1:minVersion="3.5"
> > NS1:maxVersion="4.*"
> > NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
> > NS1:updateHash="sha1:31f800d2b1d15e994cdea0fbf0fdd72cf50c03b5"/>
> >
> > This was possible because www.eff.org is STILL USING the non-secure SSLv2
> > protocol:
> >
> > https://www.eff.org/files/https-everywhere-update.rdf
> >
> > PLEASE! Remove SSLv2 support & get this fixed ASAP!
> >
> > Thanks,
> >
> > Jerry Decime
> >
> > Senior Security Strategist
> >
> > Hewlett-Packard
> >
> > *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> > *Sent:* Tuesday, November 16, 2010 5:30 PM
> > *To:* Decime, Jerry (IT Security)
> > *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> >
> > Dear Jerry,
> >
> > Thank you for sending us follow up information. Our technologists are
> > aware of the methods you're describing and are considering various ways
> > to address the problems.
> >
> > Again, thank you,
> >
> > Rebecca S. Reagan
> >
> >
> > On 11/16/10 3:35 PM, Decime, Jerry (IT Security) wrote:
> >
> > Release version 0.2.2. Also note that I’ve found that third-parties to
> > Facebook sometime fail to protect Facebook OAuth credentials with HTTPS
> > so the picture starts to look a bit bleak when it comes to locking down
> > the entire Facebook experience. Unfortunately it really does come down
> > to architecting applications correctly to begin with.
> >
> > BTW, it’s really easy to test this plug-in by simply having all HTTP
> > traffic traverse The Fiddler2 & then watch and inspect any HTTP traffic
> > you might see. Optionally, you can also write a Fiddler2 rule to alert
> > you if it finds a pre-defined chunk of text. This is helpful for
> > automatically finding matches on session info and OAuth tokens.
> >
> > Let me know if you need additional information or help.
> >
> > Thanks,
> >
> > Jerry Decime
> > Senior Security Strategist
> >
> > Hewlett-Packard
> >
> > *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> > *Sent:* Tuesday, November 16, 2010 4:29 PM
> > *To:* Decime, Jerry (IT Security)
> > *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> >
> > Dear Jerry,
> >
> > Thank you for contacting the Electronic Frontier Foundation (EFF) with
> > your concerns. Do you know if you are using the release version of the
> > software, or the more aggressive development version? That would be
> > helpful information for us. We are working to close the gaps and
> > appreciate information of this nature.
> >
> > Should you be interested in more information on HTTPS Everywhere, please
> > see the FAQ at http://www.eff.org/https-everywhere/faq or consider
> > joining the HTTPS Everywhere mailing list
> > https://falcon.eff.org/mailman/listinfo/https-everywhere.
> >
> > Again, thank you for your conscientious work and for sharing the
> > information with us.
> >
> > Yours,
> >
> > Rebecca S. Reagan
> > Intake Coordinator
> >
> > On 11/16/10 12:43 PM, Decime, Jerry (IT Security) wrote:
> >
> > Attached is an HTTP capture using “The Fiddler2” which shows that your
> > HTTPS Everywhere plug-in for Firefox clearly does not guard against the
> > capture of session keys on Facebook since it doesn’t enforce HTTPS for
> > all sub domains containing sensitive session information. In the capture
> > file please reference requests for:
> >
> > http://apps.facebook.com
> >
> > http://static.ak.connect.facebook.com
> >
> > http://pixel.facebook.com
> >
> > I confirmed that the cookies available via these sub domains include
> > Facebook session information which could be used to authenticate a
> > session as the user:
> >
> > From www.facebook.com, which is over HTTPS and protected -> Cookie:
> > datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> > lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> > sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> >
> > From apps.facebook.com, which is over HTTP and not protected & confirms
> > the possibility of session hijack -> Cookie:
> > datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> > lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> > sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> >
> > I downloaded the plug-in today, just before testing & installed it in a
> > browser which has never had the plug-in installed (using Firefox
> > 3.6.12). It enforces HTTPS elsewhere on Facebook, but not all sub
> > domains as shown in the attached capture.
> >
> > Thanks,
> >
> > Jerry Decime
> >
> > Senior Security Strategist
> >
> > Hewlett-Packard
> >
> > _______________________________________________
> > HTTPS-everywhere mailing list
> > HTTPS-everywhere at mail1.eff.org
> > https://mail1.eff.org/mailman/listinfo/https-everywhere
>
> --
> Peter Eckersley                            pde at eff.org
> Senior Staff Technologist         Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
>

--
Brian Drake

Alternate (slightly less secure) e-mail: brian at drakefamily.tk
Alternate (old) e-mail: brianriab at gmail.com

Facebook profile: Profile ID
100001669405117<https://ssl.facebook.com/profile.php?id=100001669405117>
Twitter username: BrianJDrake <https://twitter.com/BrianJDrake>
Wikimedia project username:
Brianjd<https://secure.wikimedia.org/wikipedia/meta/wiki/User:Brianjd>(been
inactive for a while)

All content created by me
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
2010–2011 Brian Drake. All rights reserved.
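The two practical points in the thread, a ruleset that leaves some Facebook subdomains on plain HTTP and cookies that are never flagged Secure, can be made concrete with a small evaluator. The following is an added example written for this page, not HTTPS Everywhere's own code, and neither ruleset in it is the project's Facebook or Facebook+ ruleset. It parses rulesets in the extension's `<target>`/`<rule>`/`<securecookie>` format, rewrites a constructed request log (hosts taken from the thread, cookie values omitted) and reports which session cookies would still be sent in the clear. The wildcard semantics (a leading `*.` matching one or more labels), the choice of `c_user`, `xs` and `sid` as the session cookies, and the `CAPTURE` data are assumptions made here.

```python
"""Toy evaluator for HTTPS Everywhere-style rulesets (added example, not the
extension's own code; neither ruleset below is the project's Facebook or
Facebook+ ruleset). It parses <target>/<rule>/<securecookie>, rewrites URLs
the way the extension would before a request leaves the browser, decides
which cookies would get the Secure flag, and reports session cookies that
would still travel over plain HTTP."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset covering only www.facebook.com: the kind of coverage
# gap the thread describes.
NARROW_RULESET = r"""
<ruleset name="Facebook (www only, constructed)">
  <target host="www.facebook.com" />
  <rule from="^http://www\.facebook\.com/" to="https://www.facebook.com/" />
</ruleset>
"""

# Constructed ruleset in the spirit of "redirect everything to https and mark
# every cookie Secure on every facebook.com / facebook.net / fbcdn.net host".
BROAD_RULESET = r"""
<ruleset name="Facebook (all subdomains, constructed)">
  <target host="facebook.com" />
  <target host="*.facebook.com" />
  <target host="*.facebook.net" />
  <target host="*.fbcdn.net" />
  <rule from="^http://([^/:]+)/" to="https://$1/" />
  <securecookie host="^(.*\.)?(facebook\.com|facebook\.net|fbcdn\.net)$" name=".*" />
</ruleset>
"""

# Assumption: these cookie names from the thread's capture carry the login
# session; the other cookies are treated as non-sensitive.
SESSION_COOKIES = ("c_user", "xs", "sid")

# Constructed request log: hosts from the thread, cookie values omitted.
CAPTURE = [
    {"url": "https://www.facebook.com/home.php", "cookies": ["datr", "c_user", "xs", "sid", "locale"]},
    {"url": "http://apps.facebook.com/someapp/", "cookies": ["datr", "c_user", "xs", "sid", "locale"]},
    {"url": "http://pixel.facebook.com/pixel.gif", "cookies": ["datr", "c_user", "xs", "sid"]},
    {"url": "http://static.ak.connect.facebook.com/js/api.js", "cookies": ["datr", "xs"]},
    {"url": "http://example.com/", "cookies": ["sessionid"]},
]


def load_ruleset(xml_text):
    """Parse a ruleset; '$1'-style backreferences in `to` become Python's '\\1'."""
    root = ET.fromstring(xml_text)
    return {
        "targets": [t.get("host") for t in root.findall("target")],
        "rules": [(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
                  for r in root.findall("rule")],
        "securecookies": [(re.compile(s.get("host")), re.compile(s.get("name")))
                          for s in root.findall("securecookie")],
    }


def host_matches(host, target):
    """Assumption: a leading '*.' wildcard matches one or more labels."""
    if target.startswith("*."):
        suffix = target[1:]  # ".facebook.com"
        return host.endswith(suffix) and host != suffix[1:]
    return host == target


def rewrite(url, ruleset):
    """Return the rewritten URL, or None when no target/rule applies."""
    host = urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in ruleset["targets"]):
        return None
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return None


def cookie_secured(host, name, ruleset):
    """True if some <securecookie> element would add the Secure flag."""
    return any(h.search(host) and n.search(name) for h, n in ruleset["securecookies"])


def plaintext_session_cookies(capture, ruleset=None):
    """Sorted (host, cookie) pairs still sent over plain HTTP once the ruleset
    has rewritten URLs and flagged cookies. This is the check a proxy alert
    rule automates: a session cookie on an http:// request is hijackable."""
    leaks = []
    for req in capture:
        url = req["url"]
        if ruleset is not None:
            url = rewrite(url, ruleset) or url
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        for name in req["cookies"]:
            if name not in SESSION_COOKIES:
                continue
            # A Secure-flagged cookie is never attached to an http:// request.
            if ruleset is not None and cookie_secured(parts.hostname, name, ruleset):
                continue
            leaks.append((parts.hostname, name))
    return sorted(leaks)
```

Calling `plaintext_session_cookies(CAPTURE)` with no ruleset and with `load_ruleset(NARROW_RULESET)` returns the same seven (host, cookie) pairs for `apps.facebook.com`, `pixel.facebook.com` and `static.ak.connect.facebook.com`; with `load_ruleset(BROAD_RULESET)` it returns nothing. The point the thread makes is visible in the code path: a URL rewrite only helps for hosts the ruleset targets, while the Secure flag stops the browser attaching the cookie to any plain-HTTP request on a matching host, so both mechanisms are needed to close the gap.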