[tor-bugs] #7217 [EFF-HTTPS Everywhere]: Facebook App Confusion

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Oct 26 21:52:54 UTC 2012 

#7217: Facebook App Confusion
-------------------------------------+--------------------------------------
    Reporter:  Blackfire667          |       Owner:  pde                 
        Type:  defect                |      Status:  closed              
    Priority:  normal                |   Milestone:                      
   Component:  EFF-HTTPS Everywhere  |     Version:  HTTPS-E 3.0.2       
  Resolution:  fixed                 |    Keywords:  facebook, app, https
      Parent:                        |      Points:                      
Actualpoints:                        |  
-------------------------------------+--------------------------------------
Changes (by pde):

  * status:  new => closed
  * resolution:  => fixed


Comment:

 The reason you saw the Facebook login screen might be the securecookie
 attributes in the [https://gitweb.torproject.org/https-
 everywhere.git/blob/3.0:/src/chrome/content/rules/FacebookApps.xml
 Facebook Apps ruleset].  HTTPS Everywhere is refusing to let your Facebook
 cookies be sent over HTTP, and you needed to disable the ruleset and then
 logout or restart the browser to change that.

 I'm inclined to mark this as wontfix.  We want to keep people's Facebook
 accounts secure by default, and if there's a weird janky old app that
 cannot function without making your entire FB account vulnerable to cookie
 theft, you should need to do something active (disabling the Facebook Apps
 ruleset) to signal that you really want to remove the security protection.

 Also be aware that in HTTPS Everywhere 4+, the Facebook and Facebook Apps
 rulesets will probably be merged, so users will probably have to disable
 Facebook protection entirely to run apps like this.

 Having said all of this, if you can write a ruleset patch which fixes
 Nations without weakening Facebook security overall, we might consider
 applying it.  The documentation for the ruleset formats is
 [https://eff.org/https-everywhere/rulesets here]; Live HTTP Headers is a
 good diagnostic tool to start with.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7217#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list