[tor-bugs] #8406 [EFF-HTTPS Everywhere]: Quantcast Ruleset Breaks Tumblr Login - needs Update/fixing

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 26 00:35:19 UTC 2013


#8406: Quantcast Ruleset Breaks Tumblr Login - needs Update/fixing
-------------------------------------+--------------------------------------
    Reporter:  cypherpunks           |       Owner:  pde               
        Type:  defect                |      Status:  reopened          
    Priority:  normal                |   Milestone:  HTTPS-E 3.1.5     
   Component:  EFF-HTTPS Everywhere  |     Version:                    
  Resolution:                        |    Keywords:  httpse-ruleset-bug
      Parent:                        |      Points:                    
Actualpoints:                        |  
-------------------------------------+--------------------------------------
Changes (by pde):

 * cc: dtauerbach, mikeperry, jmayer@… (added)


Comment:

 This is very interesting.  Seems like Quantserve might be doing secondary
 auth here or something.  Note the screen resolution that is being sentk to
 Quantcast's pixel!

 Anyway, the thing that stands out to me in the case where the ruleset is
 enabled and the login is breaking is that pixel.quantcast.com is trying to
 set a cookie three times, and it isn't being sent back to their server.
 Now, the Quantcast ruleset ''does'' have a securecookie element which can
 somtimes cause this kind of problem.  But in this case all the requests to
 Quantcast seem to be HTTPS, so I don't think that's it.

 Perhaps the cypherpunks who reported this are running some other extension
 that does cookie wrangling of some sort.  In any case, I'm going to
 disable the securecookie elements of this ruleset for 3.1.5.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8406#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list