[tor-bugs] #11295 [Applications/Tor Browser]: Users cannot log into LycosMail

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 22 04:50:31 UTC 2017


#11295: Users cannot log into LycosMail
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability-website, needs-triage  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by cypherpunks):

 * severity:   => Normal


Comment:

 A user joined IRC pointing to this bug and a similar one they were
 experiencing on an unrelated service.

 Both Lycos and the other service send their login page over http
 (aaaargh).

 The user reported that disabling NoScript resolved the issue. With the
 user's help I was able to reproduce the issue and confirm NoScript was the
 source. I noticed that when NoScript was enabled, cookies that had been
 issued over https would not be sent over http, resulting in it constantly
 forcing the user back to the login page, securely, whereupon the cookies
 were sent...putting them back to square one.

 The issue stems from the site's issuance of cookies "securely" then
 returning to http and NoScript's policy for "Secure Cookies Management".

 **Work Around**

 By going into NoScript -> Options -> Advanced -> HTTPS -> Cookies and
 setting appropriate exceptions under "Ignore unsafe cookies set over HTTPS
 by the following sites", they were able to successfully log in to the
 services.

 I'd recommend not using these services, however, since they have some
 clearly problematic security holes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11295#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
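
The login loop described in the comment above, as a constructed model (an added example, not part of the original ticket and not NoScript's code). It assumes the add-on treats every cookie set over HTTPS as Secure unless the site is on the exception list; `mail.example`, `CookieJar` and `attemptLogin` are hypothetical names.

```javascript
// Constructed model; mail.example and every name here are hypothetical.
const HOST = 'mail.example';

class CookieJar {
  // forceSecure: assumed add-on policy that marks cookies set over HTTPS
  // as Secure; exceptions: hosts excluded from that policy.
  constructor({ forceSecure = false, exceptions = [] } = {}) {
    this.forceSecure = forceSecure;
    this.exceptions = new Set(exceptions);
    this.store = new Map(); // host -> Map(name -> { value, secure })
  }

  // Record a cookie from a response received over scheme://host.
  set(scheme, host, name, value, secure = false) {
    const forced =
      this.forceSecure && scheme === 'https' && !this.exceptions.has(host);
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, { value, secure: secure || forced });
  }

  // Cookies that would be attached to a request for scheme://host.
  get(scheme, host) {
    const sent = {};
    for (const [name, c] of this.store.get(host) ?? []) {
      if (c.secure && scheme !== 'https') continue; // Secure: HTTPS only
      sent[name] = c.value;
    }
    return sent;
  }
}

// Replays the site's flow: HTTPS login sets a session cookie without the
// Secure attribute, then the site redirects to an HTTP page that needs it.
function attemptLogin(jar, maxRounds = 5) {
  for (let round = 1; round <= maxRounds; round++) {
    jar.set('https', HOST, 'sid', 'constructed-session');
    if (jar.get('http', HOST).sid) return { outcome: 'logged-in', round };
    // Cookie withheld from HTTP: the site bounces back to the HTTPS login,
    // where the cookie is sent again, and the cycle repeats.
  }
  return { outcome: 'login-loop', round: maxRounds };
}

const plain = attemptLogin(new CookieJar());
const strict = attemptLogin(new CookieJar({ forceSecure: true }));
// With the exception the login works, and the session cookie crosses HTTP.
const excepted = attemptLogin(
  new CookieJar({ forceSecure: true, exceptions: [HOST] }));
console.log(plain.outcome, strict.outcome, excepted.outcome);
```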

