[HTTPS-Everywhere] Facebook issues

Peter Eckersley pde at eff.org
Mon May 9 08:15:03 PDT 2011


Pages like https://www.facebook.com/editaccount.php?networks
remain broken unless users enable the "always use HTTPS" setting in the
Facebook account (which they should do, of course, but some won't, and others
will have it helpfully turned off permanently when they use certain apps).

On Mon, May 09, 2011 at 12:46:58PM +0800, Drake, Brian wrote:
> I haven’t really had time to look at this properly since Facebook got
> serious about HTTPS, but I wrote my own rules that both redirect EVERYTHING
> to https and make ALL cookies secure on ALL subdomains on facebook.com (and
> facebook.net and fbcdn.net) and I haven’t noticed any problems. I don’t
> understand what the fuss is about now.
> 
> > On Fri, May 6, 2011 at 12:12 (UTC-7), Peter Eckersley <pde at eff.org> wrote:
> 
> > > Sounds like we need an update to cover those Facebook subdomains, but the
> > > deeper issue is that the Facebook cookies are not flagged as secure.  There
> > > are two things that you can do about this: (1) enable the optional Facebook+
> > > rule (which flags the cookies as secure but may break some things) or (2) turn
> > > on the "always use HTTPS" setting in your Facebook account.  Ideally you
> > > should do both.
> > >
> > > As Facebook gradually fixes bugs in their HTTPS deployment, hopefully we can
> > > move towards merging the <securecookie> rules from the Facebook+ ruleset
> > > into the default one.
> >
> > On Fri, May 06, 2011 at 09:05:00AM -0700, Rebecca S. Reagan wrote:
> > >
> > >
> > > Rebecca S. Reagan
> > > Intake Coordinator
> > > Electronic Frontier Foundation
> > > (415)436-9333 Ext. 135
> > > Become a Member! https://www.eff.org/support
> > >
> > >
> > > -------- Original Message --------
> > > Subject:      URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere ---
> > > RE: HTTPS Everywhere doesn't cover all Facebook sub domains
> > > Date:         Fri, 6 May 2011 14:42:26 +0000
> > > From:         Decime, Jerry (IT Security) <jerry.decime at hp.com>
> > > To:   Rebecca Reagan <rsreagan at eff.org>
> > >
> > >
> > >
> > > Rebecca,
> > >
> > > In addition to the ongoing issues with HTTPS Everywhere not actually
> > > providing protection when visiting Facebook, it recently performed an
> > > update for which I was able to get into the middle and push my own code
> > > (to my own environment) rather than the actual update code from
> > > www.eff.org. This was possible because it made an update request here:
> > >
> > > https://www.eff.org/files/https-everywhere-update.rdf
> > >
> > > It was then possible to modify the code location and signature:
> > >
> > > <RDF:Description RDF:about="rdf:#$ybGCJ1"
> > > NS1:id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" NS1:minVersion="3.5"
> > > NS1:maxVersion="4.*"
> > > NS1:updateLink="https://www.eff.org/files/https-everywhere-0.9.6.xpi"
> > > NS1:updateHash="sha1:31f800d2b1d15e994cdea0fbf0fdd72cf50c03b5"/>
> > >
> > > This was possible because www.eff.org <http://www.eff.org> is STILL
> > > USING the non secure SSLv2 protocol:
> > >
> > > https://www.eff.org/files/https-everywhere-update.rdf
> > >
> > > PLEASE! Remove SSLv2 support & get this fixed ASAP!
> > >
> > > Thanks,
> > >
> > > Jerry Decime
> > >
> > > Senior Security Strategist
> > >
> > > Hewlett-Packard
> > >
> > > *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> > > *Sent:* Tuesday, November 16, 2010 5:30 PM
> > > *To:* Decime, Jerry (IT Security)
> > > *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> > >
> > > Dear Jerry,
> > >
> > > Thank you for sending us follow up information. Our technologists are
> > > aware of the methods you're describing and are considering various ways
> > > to address the problems.
> > >
> > > Again, thank you,
> > >
> > > Rebecca S. Reagan
> > >
> > >
> > > On 11/16/10 3:35 PM, Decime, Jerry (IT Security) wrote:
> > >
> > > Release version 0.2.2. Also note that I’ve found that third-parties to
> > > Facebook sometimes fail to protect Facebook OAuth credentials with HTTPS
> > > so the picture starts to look a bit bleak when it comes to locking down
> > > the entire Facebook experience. Unfortunately it really does come down
> > > to architecting applications correctly to begin with.
> > >
> > > BTW, it’s really easy to test this plug-in by simply having all HTTP
> > > traffic traverse The Fiddler2 & then watch and inspect any HTTP traffic
> > > you might see. Optionally, you can also write a Fiddler2 rule to alert
> > > you if it finds a pre-defined chunk of text. This is helpful for
> > > automatically finding matches on session info and OAuth tokens.
> > >
> > > Let me know if you need additional information or help.
> > >
> > > Thanks,
> > >
> > > Jerry Decime
> > > Senior Security Strategist
> > >
> > > Hewlett-Packard
> > >
> > > *From:* Rebecca Reagan [mailto:rsreagan at eff.org]
> > > *Sent:* Tuesday, November 16, 2010 4:29 PM
> > > *To:* Decime, Jerry (IT Security)
> > > *Subject:* Re: HTTPS Everywhere doesn't cover all Facebook sub domains
> > >
> > > Dear Jerry,
> > >
> > > Thank you for contacting the Electronic Frontier Foundation (EFF) with
> > > your concerns. Do you know if you are using the release version of the
> > > software, or the more aggressive development version? That would be
> > > helpful information for us. We are working to close the gaps and
> > > appreciate information of this nature.
> > >
> > > Should you be interested in more information on HTTPS Everywhere, please
> > > see the FAQ at http://www.eff.org/https-everywhere/faq or consider
> > > joining the HTTPS Everywhere mailing list
> > > https://falcon.eff.org/mailman/listinfo/https-everywhere.
> > >
> > > Again, thank you for your conscientious work and for sharing the
> > > information with us.
> > >
> > > Yours,
> > >
> > > Rebecca S. Reagan
> > > Intake Coordinator
> > >
> > > On 11/16/10 12:43 PM, Decime, Jerry (IT Security) wrote:
> > >
> > > Attached is an HTTP capture using “The Fiddler2” which shows that your
> > > HTTPS Everywhere plug-in for Firefox clearly does not guard against the
> > > capture of session keys on Facebook since it doesn’t enforce HTTPS for
> > > all sub domains containing sensitive session information. In the capture
> > > file please reference requests for:
> > >
> > > http://apps.facebook.com
> > >
> > > http://static.ak.connect.facebook.com
> > >
> > > http://pixel.facebook.com
> > >
> > > I confirmed that the cookies available via these sub domains include
> > > Facebook session information which could be used to authenticate a
> > > session as the user:
> > >
> > > From www.facebook.com <http://www.facebook.com> which is over HTTPS and
> > > protected -> Cookie:
> > > datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> > > lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> > > sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> > >
> > > From apps.facebook.com which is over HTTP and not protected & confirms
> > > the possibility of session hijack -> Cookie:
> > > datr=1254513682-574ca117e8bd2a567f4b89716f2001469c25bf54e2afd8912cd3d;
> > > lu=gg7I-qcyMqBuXz_2ipSNt3bg; c_user=100000117904896; sct=1288715876;
> > > sid=5; xs=5051d732d54e78705c9075aef52d8eaa; locale=en_US
> > >
> > > I downloaded the plug-in today, just before testing & installed it in a
> > > browser which has never had the plug-in installed (using Firefox
> > > 3.6.12). It enforces HTTPS elsewhere on Facebook, but not all sub
> > > domains as shown in the attached capture.
> > >
> > > Thanks,
> > >
> > > Jerry Decime
> > >
> > > Senior Security Strategist
> > >
> > > Hewlett-Packard
> > >
> > > _______________________________________________
> > > HTTPS-everywhere mailing list
> > > HTTPS-everywhere at mail1.eff.org
> > > https://mail1.eff.org/mailman/listinfo/https-everywhere
> >
> > --
> > Peter Eckersley                            pde at eff.org
> > Senior Staff Technologist         Tel  +1 415 436 9333 x131
> > Electronic Frontier Foundation    Fax  +1 415 436 9993
> >
> 
> --
> Brian Drake
> 
> Alternate (slightly less secure) e-mail: brian at drakefamily.tk
> Alternate (old) e-mail: brianriab at gmail.com
> 
> Facebook profile: Profile ID 100001669405117
> <https://ssl.facebook.com/profile.php?id=100001669405117>
> Twitter username: BrianJDrake <https://twitter.com/BrianJDrake>
> Wikimedia project username: Brianjd
> <https://secure.wikimedia.org/wikipedia/meta/wiki/User:Brianjd> (been
> inactive for a while)
> 
> All content created by me
> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> 2010–2011 Brian Drake. All rights reserved.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
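The cookie leak Jerry describes above (the same session cookies sent over plain HTTP to apps.facebook.com as over HTTPS to www.facebook.com) and the two fixes the thread discusses (a Secure flag on the cookie, or an HTTPS Everywhere `<securecookie>` rule that sets it on the client side), modelled in Python as an added example. This is not code from the thread or from HTTPS Everywhere. The ruleset text is constructed in the shape of an HTTPS Everywhere ruleset (`target`, `rule`, `securecookie` elements); the `securecookie` matching model (host regex tested against the cookie's stored domain, name regex against the cookie name) is a simplified assumption about the extension's behaviour; cookie values are placeholders, and only the cookie names come from the thread.

```python
"""Model of the HTTP cookie leak from the thread and of the <securecookie> fix.
Added example; ruleset, cookies and hostnames are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # Domain attribute without leading dot, or the setting host
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool       # Secure flag: never sent over plain http://


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Turn one Set-Cookie header (as sent by origin_host) into our model."""
    sc = SimpleCookie()
    sc.load(header)
    (name, morsel), = sc.items()
    secure = bool(morsel["secure"])
    if morsel["domain"]:
        return Cookie(name, morsel.value, morsel["domain"].lstrip(".").lower(), False, secure)
    return Cookie(name, morsel.value, origin_host.lower(), True, secure)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 domain matching: domain cookies go to the domain and all subdomains."""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def cookies_sent(url: str, jar: list) -> list:
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    over_https = parts.scheme == "https"
    return sorted(c.name for c in jar
                  if domain_matches(parts.hostname, c) and (over_https or not c.secure))


# Constructed ruleset in the shape of an HTTPS Everywhere ruleset (assumption:
# simplified; not the project's real Facebook or Facebook+ ruleset).
RULESET_XML = r"""<ruleset name="Constructed Facebook ruleset">
  <target host="facebook.com"/>
  <target host="*.facebook.com"/>
  <rule from="^http://(?:www\.)?facebook\.com/" to="https://www.facebook.com/"/>
  <rule from="^http://([^/:@]+)\.facebook\.com/" to="https://$1.facebook.com/"/>
  <securecookie host="^\.?facebook\.com$" name="^(xs|c_user|sid|sct|lu|datr)$"/>
</ruleset>"""


def load_ruleset(xml_text: str):
    """Compile <rule> rewrites and <securecookie> matchers from ruleset XML."""
    root = ET.fromstring(xml_text)
    # Ruleset 'to' strings use JavaScript-style $1 backrefs; Python's re wants \1.
    rules = [(re.compile(r.get("from")), re.sub(r"\$(\d)", r"\\\1", r.get("to")))
             for r in root.iter("rule")]
    cookie_rules = [(re.compile(s.get("host")), re.compile(s.get("name")))
                    for s in root.iter("securecookie")]
    return rules, cookie_rules


def rewrite_url(url: str, rules: list) -> str:
    """Apply the first matching <rule>; unchanged if none matches."""
    for pattern, repl in rules:
        if pattern.search(url):
            return pattern.sub(repl, url, count=1)
    return url


def apply_securecookie(jar: list, cookie_rules: list) -> list:
    """Client-side Secure flagging: mark cookies matching a <securecookie> rule.
    Assumed model: host regex is tested against the stored domain (leading dot
    for domain cookies), name regex against the cookie name."""
    changed = []
    for c in jar:
        stored_domain = c.domain if c.host_only else "." + c.domain
        for host_re, name_re in cookie_rules:
            if not c.secure and host_re.search(stored_domain) and name_re.search(c.name):
                c.secure = True
                changed.append(c.name)
    return sorted(changed)


# Constructed Set-Cookie headers as if sent by www.facebook.com over HTTPS;
# names follow the thread, values are placeholders.
SET_COOKIE_HEADERS = [
    "c_user=100000000000000; Domain=.facebook.com; Path=/",
    "xs=SESSION_SECRET_PLACEHOLDER; Domain=.facebook.com; Path=/",
    "locale=en_US; Domain=.facebook.com; Path=/",
    "demo_secure=1; Path=/; Secure",          # host-only and already Secure
]


def build_jar() -> list:
    return [parse_set_cookie(h, "www.facebook.com") for h in SET_COOKIE_HEADERS]


def demo() -> dict:
    rules, cookie_rules = load_ruleset(RULESET_XML)
    jar = build_jar()
    leaked = cookies_sent("http://apps.facebook.com/", jar)      # the hijack window
    marked = apply_securecookie(jar, cookie_rules)               # the <securecookie> fix
    return {
        "leaked_over_http": leaked,
        "marked_secure": marked,
        "sent_over_http_after": cookies_sent("http://apps.facebook.com/", jar),
        "sent_over_https_after": cookies_sent("https://apps.facebook.com/", jar),
        "rewritten": rewrite_url("http://apps.facebook.com/canvas", rules),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Before the rule is applied, an HTTP fetch of apps.facebook.com carries the session cookies; after it, only the non-session `locale` cookie goes over HTTP while HTTPS requests still see everything, which is the behaviour the Facebook+ ruleset aims for. The same check works against a real site's Set-Cookie headers: feed them to `parse_set_cookie` and look at what `cookies_sent` returns for an `http://` URL on each subdomain.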


