[tbb-bugs] #13332 [Tor Browser]: Cannot log in to lang-8.com (SNS for language learners) using Tor Browser.

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 4 13:30:11 UTC 2014

#13332: Cannot log in to lang-8.com (SNS for language learners) using Tor Browser.
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  noscript
Actual Points:               |  Parent ID:
       Points:               |

Comment (by cypherpunks):

 I think the problem is related to the NoScript SecureCookies ("Automatic
 Secure Cookie Management") feature.

 In Tor Browser, the preference noscript.secureCookies is true; if I set it
 to false in an otherwise unmodified Tor Browser (via about:config), I can
 successfully log in to Lang-8.

 Likewise, if I add lang-8.com to the list of SecureCookies exceptions via
 the GUI, as described in the [http://noscript.net/faq#qa6_5 NoScript FAQ],
 Lang-8 login also works (this modifies the
 noscript.secureCookiesExceptions preference).

 In upstream NoScript (or rather, the version packaged by Debian), the
 default value of noscript.secureCookies appears to be false, I guess that
 is why the problem doesn't occur with Firefox+NoScript.

 Judging by the NoScript FAQ entry linked above, the SecureCookies feature
 breaks logins to multiple sites. Requiring Tor Browsers users to set up
 their own exceptions in each case doesn't seem like a good idea, as that
 way each user would have a different set of exceptions, which could be
 used for fingerprinting. Maybe the best solution is to disable the
 SecureCookies feature in Tor Browser.

 Here is some background on the log in process to Lang-8:

 1. The login page (https://lang-8.com/login?from=header) itself is served
 via https.
 1. The login data is sent in a POST request via https
 1. the user is then redirected back to a http url (http://lang-8.com)

 I tested login in three scenarios, and observed the request using the
 built-in Firefox web developer tools (the network panel).

 === Unmodified Tor Browser (NoScript enabled):

 The browser sends 5 cookies in step 3, called `__utm{a,b,c,t,z}`.
 Log in to Lang-8 fails.

 === Tor Browser with NoScript disabled:

 The browser sends 8 cookies in step 3:

 `__utm{a,b,c,t,z}` as above.
 three additional cookies: `L8SESSID`, `_lang-8_rails_session`,
 Log in to Lang-8 succeeds.

 === Tor Browser with noscript.secureCookies set to false:

 The browser sends 8 cookies in step 3, as in the previous scenario.
 Log in to Lang-8 succeeds.

 It seems that the last three cookies contain the session data, and that
 the noscript.securecookies option prevents them from being set.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13332#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list