[tor-bugs] #7454 [EFF-HTTPS Everywhere]: Active rules list doesn't indicate effects of securecookie if no URL rewrite took place

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 12 08:09:06 UTC 2012


#7454: Active rules list doesn't indicate effects of securecookie if no URL
rewrite took place
----------------------------------+-----------------------------------------
 Reporter:  schoen                |          Owner:  pde     
     Type:  defect                |         Status:  accepted
 Priority:  normal                |      Milestone:          
Component:  EFF-HTTPS Everywhere  |        Version:          
 Keywords:                        |         Parent:          
   Points:                        |   Actualpoints:          
----------------------------------+-----------------------------------------
Changes (by pde):

  * status:  new => accepted


Comment:

 The code that implements the <securecookie> element
 [https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/code/HTTPSRules.js#l546 does
 try to display this fact] in the context menu.  The problem is that it
 only happens when the cookie is first secured.  There may be no later
 indication that a cookie in the page was secured by HTTPS Everywhere if
 HTTPS Everywhere has nothing else to change in that page, and there may be
 no indication that a cookie is ''missing'' from an HTTP page because of a
 past securecookie intervention.  I think these are probably fixable,
 though it will be tricky work.

 It is also the case that disabling a ruleset won't go and ''remove'' the
 securecookie flag from all of the cookies it was set on, since that
 operation itself could potentially cause insecurity.  Although
 perhaps it's the lesser of two evils...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7454#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

