Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2019-10-03 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804,  |
  tbb-backported |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by gk):

 Replying to [comment:25 sysrqb]:
 > Replying to [comment:24 sysrqb]:
 > > But this patch could be modified so the piece where URLs with a
 `.onion` TLD are marked as secure is uplifted and the piece where we rip
 out telemetry stuff is not uplifted.
 > Okay, removing the keyword. We should uplift the `.onion is secure`
 piece of this.

 Actually I think it's worth uplifting everything which means doing the
 telemetry part right instead of just removing it. I took the shortcut back
 then because we didn't and don't use telemetry anyway but there is no
 reason why this should not get fixed up while uplifting. To the contrary.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2019-10-02 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804,  |
  tbb-backported |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by sysrqb):

 * keywords:
 tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-
 backported, tbb-no-uplift
 =>
 tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-
 backported


Comment:

 Replying to [comment:24 sysrqb]:
 > But this patch could be modified so the piece where URLs with a `.onion`
 TLD are marked as secure is uplifted and the piece where we rip out
 telemetry stuff is not uplifted.
 Okay, removing the keyword. We should uplift the `.onion is secure` piece
 of this.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2019-10-02 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804,  |
  tbb-backported, tbb-no-uplift  |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by sysrqb):

 * keywords:
 tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-
 backported
 =>
 tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-
 backported, tbb-no-uplift


Comment:

 But this patch could be modified so the piece where URLs with a `.onion`
 TLD are marked as secure is uplifted and the piece where we rip out
 telemetry stuff is not uplifted.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-06-20 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804,  |
  tbb-backported |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-
 backport =>
 tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-
 backported


Comment:

 Backported to `tor-browser-52.8.0esr-7.5-1` (commit
 1f33ee1778b0ad0f696977fbcbae67f72d34b99f).


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-18 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804,  |
  tbb-backport   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804 =>
 tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804, tbb-backport



Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-13 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:  closed
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:  fixed
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_review => closed
 * resolution:   => fixed


Comment:

 Thanks! Applied to `tor-browser-57.3.0esr-8.0-1` (commits
 c70454fd10efeb9f4cabc69f94a9a7a633c10174 and
 82cd8ae9a5de7c9f9fde591c29b0ccfa8b59d42f).


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-13 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by arthuredelstein):

 Replying to [comment:19 pospeselr]:
 > Looks good to me!

 Me too!


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-13 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by pospeselr):

 Looks good to me!


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-13 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * cc: tbb-team (added)



Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-13 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  assigned => needs_review
 * keywords:  tbb-usability, TorBrowserTeam201804, GeorgKoppen201804 => tbb-
 usability, TorBrowserTeam201804R, GeorgKoppen201804


Comment:

 Okay, how is `bug_21537_v4` (https://gitweb.torproject.org/user/gk/tor-
 browser.git/log/?h=bug_21537_v4)? Returning a boolean value made this
 slightly more complicated as we actually have more than two values to
 consider due to the telemetry part. But as we don't want to have the latter
 anyway, I just ripped it out. We can revisit that when we think we want to
 upstream that patch but that's a bit in the future as I am not sure
 whether Mozilla would take it right now anyway. There is no easy way
 around the HTTPS = secure equation for cookies I am afraid...


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-12 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  gk
 Type:  enhancement  | Status:
 |  assigned
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804, GeorgKoppen201804|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  needs_review => assigned
 * owner:  tbb-team => gk
 * keywords:  tbb-usability, TorBrowserTeam201804R, GeorgKoppen201804 =>
 tbb-usability, TorBrowserTeam201804, GeorgKoppen201804



Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-11 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by pospeselr):

 Replying to [comment:14 arthuredelstein]:
 > Replying to [comment:13 gk]:
 > > Replying to [comment:12 pospeselr]:
 > > > Change looks good, only thing I'd suggest is moving the block at
 3340 a couple lines up before the Telemetry::Accumulate call ( since the
 enum seems to be a question of cookie security, rather than http(s) ).
 > > >
 > > > I also verified the hostURI that's passed in is already normalized,
 so we don't have to worry about case insensitive string compare.
 > >
 > > Thanks. I added the suggested change in `bug_21537_v3`
 (https://gitweb.torproject.org/user/gk/tor-
 browser.git/log/?h=bug_21537_v3). Let me know if that still looks good.
 >
 > The code looks good to me, but I would suggest factoring out the
 security checks (which are repeated in three places) by creating a static
 function like:
 > `bool IsSecureHost(nsIURI *aHostURI)`
 > that returns true for both https and .onion URIs.

 Yeah I'd agree with this.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-11 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by arthuredelstein):

 Replying to [comment:13 gk]:
 > Replying to [comment:12 pospeselr]:
 > > Change looks good, only thing I'd suggest is moving the block at 3340
 a couple lines up before the Telemetry::Accumulate call ( since the enum
 seems to be a question of cookie security, rather than http(s) ).
 > >
 > > I also verified the hostURI that's passed in is already normalized, so
 we don't have to worry about case insensitive string compare.
 >
 > Thanks. I added the suggested change in `bug_21537_v3`
 (https://gitweb.torproject.org/user/gk/tor-
 browser.git/log/?h=bug_21537_v3). Let me know if that still looks good.

 The code looks good to me, but I would suggest factoring out the repeated
 security checks by creating a static function like:
 `bool IsSecureHost(nsIURI *aHostURI)`
 that returns true for both https and .onion URIs.

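The https-or-.onion check arthuredelstein proposes above, together with the http/https/onion cookie behaviour micah's test site walks through further down the thread, modelled as an added example that is not Tor Browser's or Firefox's own code. The minimal URL parser standing in for `nsIURI`, the `IsSecureHostUpstream` and `CookieAllowed` names, the `ScenarioRow` table and the `.onion` address are my own constructions; the `IsSecureHost` name follows the ticket's suggestion.

```cpp
// Added example (not Tor Browser's or Firefox's code): a small model of the
// "is this host secure enough for a Secure cookie?" decision that #21537
// changes. Stock Firefox counts only https:// as secure; the Tor Browser patch
// also counts hosts under the .onion TLD. ParseHostURI stands in for nsIURI.
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

struct HostURI {
    std::string scheme;  // e.g. "https"
    std::string host;    // e.g. "cookie.revolt.org", without port or path
};

static void ToLowerInPlace(std::string& s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
}

// Parse "scheme://host[:port][/path]" into scheme and host. Both are lower-cased,
// modelling the normalization pospeselr verified the real hostURI already has;
// anything that is not an absolute URL yields empty fields (treated as insecure).
HostURI ParseHostURI(const std::string& url) {
    HostURI out;
    const auto sep = url.find("://");
    if (sep == std::string::npos) return out;
    out.scheme = url.substr(0, sep);
    const std::string rest = url.substr(sep + 3);
    out.host = rest.substr(0, rest.find_first_of(":/?#"));
    ToLowerInPlace(out.scheme);
    ToLowerInPlace(out.host);
    return out;
}

static bool EndsWith(const std::string& s, const std::string& suffix) {
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Stock Firefox rule (hypothetical name): only https origins are secure for cookies.
bool IsSecureHostUpstream(const HostURI& uri) { return uri.scheme == "https"; }

// Tor Browser rule after #21537: https, or a host whose TLD is .onion. This is a
// suffix match on the TLD, so "onion.example.com" or "foo.onion.example.com" do
// not qualify: only a genuine .onion host is reached over Tor's own encryption.
bool IsSecureHost(const HostURI& uri) {
    return uri.scheme == "https" || EndsWith(uri.host, ".onion");
}

struct Cookie {
    std::string name;
    std::string value;
    bool isSecure;  // the Secure attribute
};

// May the browser send/accept this cookie for a request to uri? A non-Secure
// cookie is always usable; a Secure cookie only from a host the active rule
// calls secure. (Hypothetical helper, not the cookie service's API.)
bool CookieAllowed(const Cookie& c, const HostURI& uri, bool torBrowserRule) {
    if (!c.isSecure) return true;
    return torBrowserRule ? IsSecureHost(uri) : IsSecureHostUpstream(uri);
}

struct ScenarioRow {
    std::string url;
    bool upstream;  // stock Firefox / Tor Browser before the patch
    bool patched;   // Tor Browser with the #21537 change
};

// micah's three-step check from the ticket, with a Secure session cookie of the
// kind Rails sets by default. The .onion address is a constructed placeholder.
std::vector<ScenarioRow> RunMicahScenario() {
    const Cookie session{"_session_id", "constructed-value", true};
    std::vector<ScenarioRow> rows;
    for (const char* url : {"http://cookie.revolt.org",
                            "https://cookie.revolt.org",
                            "http://placeholderonionaddress.onion/"}) {
        const HostURI u = ParseHostURI(url);
        rows.push_back({url, CookieAllowed(session, u, false), CookieAllowed(session, u, true)});
    }
    return rows;
}

int main() {
    for (const ScenarioRow& r : RunMicahScenario()) {
        std::cout << r.url << "  before patch: " << (r.upstream ? "set" : "not set")
                  << "  after patch: " << (r.patched ? "set" : "not set") << '\n';
    }
    return 0;
}
```

Run stand-alone it prints micah's three cases, with the .onion case flipping from "not set" to "set" under the patched rule while the plain-http case stays "not set" under both.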

Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-11 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * cc: pospeselr, mcs, brade, arthuredelstein, sysrqb, igt0 (added)


Comment:

 Replying to [comment:12 pospeselr]:
 > Change looks good, only thing I'd suggest is moving the block at 3340 a
 couple lines up before the Telemetry::Accumulate call ( since the enum
 seems to be a question of cookie security, rather than http(s) ).
 >
 > I also verified the hostURI that's passed in is already normalized, so
 we don't have to worry about case insensitive string compare.

 Thanks. I added the suggested change in `bug_21537_v3`
 (https://gitweb.torproject.org/user/gk/tor-
 browser.git/log/?h=bug_21537_v3). Let me know if that still looks good.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-09 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by pospeselr):

 Change looks good, only thing I'd suggest is moving the block at 3340 a
 couple lines up before the Telemetry::Accumulate call ( since the enum
 seems to be a question of cookie security, rather than http(s) ).

 I also verified the hostURI that's passed in is already normalized, so we
 don't have to worry about case insensitive string compare.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-03 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:
 |  needs_review
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804R, GeorgKoppen201804   |
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * status:  new => needs_review
 * keywords:  tbb-usability, TorBrowserTeam201804, GeorgKoppen201804 => tbb-
 usability, TorBrowserTeam201804R, GeorgKoppen201804


Comment:

 Okay, `bug_21537` (https://gitweb.torproject.org/user/gk/tor-
 browser.git/log/?h=bug_21537) in my public tor browser repo has two
 patches for review:

 1) The code changes (commit f346f7368523c296a1363247dd78b173a524fad8)
 2) Updated cookie tests (commit 106d99883dca2c8906b4cb5cc56931ded33f0a3e)


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-03 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201804, GeorgKoppen201804|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-usability, TorBrowserTeam201803, GeorgKoppen201803 => tbb-
 usability, TorBrowserTeam201804, GeorgKoppen201804


Comment:

 Replying to [comment:9 micah]:
 > To test this, I've set up a test site.
 >
 > In a current (broken) TBB browser visit the following page:
 >
 > http://cookie.revolt.org
 >
 > You will see 'no cookie value set, refresh the page'. If you refresh the
 page, while on http, the cookie value will continue to *not* be set. That
 is because of secure cookies, and the connection not being on https. This
 is expected.
 >
 > Now, visit https://cookie.revolt.org and then refresh the page, you will
 see a cookie value set.
 >
 > Now click the 'reset cookies' link, and visit the onion link and refresh
 the page. You will see the behavior is exactly the same as the http
 connection, no cookie value gets set.
 >
 > If TBB is fixed, then when you visit the onion link and refresh the
 page, it will set a cookie and show that it is set, just like in the https
 case above.

 Thanks for this test setup! I spent part of my Easter holidays coming up
 with a patch and tests for it. It seems I have something that fixes this
 bug without breaking anything else (so far). I'll clean up my patch a bit
 and post the patch for review shortly. I think it might make it into the
 next alpha for further testing.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-04-02 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201803, GeorgKoppen201803|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-

Comment (by micah):

 To test this, I've set up a test site.

 In a current (broken) TBB browser visit the following page:

 http://cookie.revolt.org

 You will see 'no cookie value set, refresh the page'. If you refresh the
 page, while on http, the cookie value will continue to *not* be set. That
 is because of secure cookies, and the connection not being on https. This
 is expected.

 Now, visit https://cookie.revolt.org and then refresh the page, you will
 see a cookie value set.

 Now click the 'reset cookies' link, and visit the onion link and refresh
 the page. You will see the behavior is exactly the same as the http
 connection, no cookie value gets set.

 If TBB is fixed, then when you visit the onion link and refresh the page,
 it will set a cookie and show that it is set, just like in the https case
 above.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2018-03-15 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
-+-
 Reporter:  micah|  Owner:  tbb-
 |  team
 Type:  enhancement  | Status:  new
 Priority:  Medium   |  Milestone:
Component:  Applications/Tor Browser |Version:
 Severity:  Normal   | Resolution:
 Keywords:  tbb-usability,   |  Actual Points:
  TorBrowserTeam201803, GeorgKoppen201803|
Parent ID:   | Points:
 Reviewer:   |Sponsor:
-+-
Changes (by gk):

 * keywords:  tbb-usability => tbb-usability, TorBrowserTeam201803,
 GeorgKoppen201803


Comment:

 Replying to [comment:4 gk]:
 > I am fine with testing the "Ignore secure cookie flags for
 .onions"-idea.

 Or make .onions just work with secure cookies by not only checking for
 "https" but ".onion" as well.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-03-09 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-usability |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by strugee):

 * cc: alex@… (added)



Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-25 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-usability |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:5 cypherpunks]:
 > {{{ff52-esr-will-have}}}?
 > https://bugzilla.mozilla.org/show_bug.cgi?id=976073

 Upon a cursory read of that bug it occurs to me it fixes an orthogonal
 issue but not this bug.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-24 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-usability |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 {{{ff52-esr-will-have}}}?
 https://bugzilla.mozilla.org/show_bug.cgi?id=976073


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-24 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-usability |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * keywords:  secure cookies => tbb-usability


Comment:

 I am fine with testing the "Ignore secure cookie flags for .onions"-idea.


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-24 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  secure cookies|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 This issue is also relevant to tpo's internal services, such as Trac
 (see #19963).


Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-23 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  secure cookies|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by micah):

 * version:  Tor: unspecified =>



Re: [tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-23 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:  Tor: unspecified
 Severity:  Normal| Resolution:
 Keywords:  secure cookies|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Description changed by micah:

Old description:

> It's hard to set up onion services because you need to enable secure
> cookies sometimes and disable them other times. Right now you have to
> make a trade-off: work well with .onions, or work well with everyone
> else. One of the main problem points has been secure cookies.
>
> The idea of "secure cookies" is that they prevent you from leaking your
> cookie information over an insecure connection. There are a lot of ways
> you can leak your cookie info over an insecure connection:
>
> . don't have HSTS set up
> . running an application server that sets the cookie before it redirects
> to https
> . or your server is not set up to redirect everything to https
>
> Using "secure cookies" allows the application (regardless of how it is
> run, or what intermediaries are in between) to make sure that the
> browser doesn't screw this up. It tells the browser to never submit the
> cookie over plaintext. Many frameworks have this set by default (such as
> Rails). Some applications, such as Java/Tomcat, have as part of the stack
> the cookie setting that happens before the step that does the redirect to https.
>
> It is considered a best practice that every web developer is told to do,
> but it's a best practice that doesn't work if you want to run an onion
> site. Running an onion site should not force you to violate established
> web application development best practices.
>
> The "secure cookies" spec is just a "suggestion" to the browser, so TBB
> is free to ignore them, and I think that maybe it should do so for .onion
> sites.
>
> As an example, if a user goes to https://example.com the first response
> back sends a cookie with nothing but a session id. If you then
> log in, you now have a session id that is privileged and associated with
> your account. Suppose you then close that tab, but then realize you needed to
> do something else, so you open a new tab and go to http://example.com
> (NB: no https). If the site did not mark the original cookies as
> 'secure', then the browser will submit in that initial first request the
> cookie it had previously saved, and it will send it over the cleartext
> channel before the webserver can redirect to the secured site. With the
> secure cookies flag set, the browser will not send the cookie until the
> TLS connection is up. This doesn't matter if you are going over onion
> services because the connection is already wrapped in TLS, and it also
> doesn't matter if the site has HSTS, because the second visit will go to
> https by default in that scenario.
>
> So what are the options?
>
> . Ignore secure cookie flags for .onions
> . Ignore tls verification for onions
>
> Either one would increase the security properties of onion and non-
> onions; unfortunately, the second one would not be appreciated by sites
> that have actually paid for a valid .onion cert.
>
> Pretty much every Rails application suffers with TBB because of this
> problem; I'm pretty sure other frameworks also suffer from this. Fixing
> this would fix a large number of tor problems related to this.
>
> I'm unsure of the broader implications of this, which is why I wanted to
> open this for discussion.

New description:

 One of the main problem points with adding onion services to existing web
 services has been interaction with secure cookies. It's hard to set up onion
 services because you need to enable secure cookies sometimes (over
 regular network+TLS) and disable them other times (over .onion network,
 without TLS). Right now you have to make a trade-off: work well with
 .onions, or work well with everyone else. This is an unfortunate trade-
 off.

 It is considered a best practice that every web developer is told to do,
 but it's a best practice that doesn't work if you want to run an onion
 site. Running an onion site should not force you to violate established
 web application development best practices.

 The idea of "secure cookies" is that they prevent you from leaking your
 cookie information over an insecure connection. There are a lot of ways
 you can leak your cookie info over an insecure connection:

 . don't have HSTS set up
 . running an application server that sets the cookie before it redirects
 to https
 . or your server is not set up to redirect everything to https

 Using 

[tor-bugs] #21537 [Applications/Tor Browser]: Consider ignoring secure cookies for .onion addresses

2017-02-23 Thread Tor Bug Tracker & Wiki
#21537: Consider ignoring secure cookies for .onion addresses
--+--
 Reporter:  micah |  Owner:  tbb-team
 Type:  enhancement   | Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:  Tor: unspecified
 Severity:  Normal|   Keywords:  secure cookies
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+--
 It's hard to set up onion services because you need to enable secure cookies
 sometimes and disable them other times. Right now you have to make a
 trade-off: work well with .onions, or work well with everyone else. One of
 the main problem points has been secure cookies.

 The idea of "secure cookies" is that they prevent you from leaking your
 cookie information over an insecure connection. There are a lot of ways
 you can leak your cookie info over an insecure connection:

 . don't have HSTS set up
 . running an application server that sets the cookie before it redirects
 to https
 . or your server is not set up to redirect everything to https

 Using "secure cookies" allows the application (regardless of how it is
 run, or what intermediaries are in between), to make sure that the browser
 doesn't screw this up. It tells the browser to never submit the cookie
 over plaintext. Many frameworks have this set by default (such as Rails).
 Some applications, such as Java/Tomcat, have as part of the stack the
 cookie setting that happens before that does the redirect to https.

 It is considered a best practice that every web developer is told to do,
 but it's a best practice that doesn't work if you want to run an onion
 site. Running an onion site should not force you to violate established
 web application development best practices.

 The "secure cookies" spec is just a "suggestion" to the browser, so TBB is
 free to ignore them, and I think that maybe it should do so for .onion
 sites.

 As an example, if a user goes to https://example.com the first response
 back sends back a cookie with nothing but a session id. If you then login,
 you now have a sessionid that is privileged and associated with your
 account. If you then close that tab, but then realize you needed to do
 something else, you open a new tab and go to http://example.com (NB: no
 https). If the site did not mark the original cookies as 'secure', then
 the browser will submit in that initial first request the cookie it had
 previously saved and it will send it over the cleartext channel before the
 webserver can redirect to the secured site. With the secure cookies flag
 set, the browser will not send the cookie until the TLS connection is up.
 This doesn't matter if you are going over onion services because the
 connection is already wrapped in TLS, and it also doesn't matter if the
 site has HSTS, because the second visit will go to https by default in
 that scenario.

 So what are the options?

 . Ignore secure cookie flags for .onions
 . Ignore TLS verification for onions

 Either one would increase the security properties of onions and non-onions;
 unfortunately the second one would not be appreciated by sites that have
 actually paid for a valid .onion cert.

 Pretty much every Rails application suffers with TBB because of this
 problem; I'm pretty sure other frameworks also suffer from this. Fixing
 this would fix a large number of Tor problems related to this.

 I'm unsure of the broader implications of this, which is why I wanted to
 open this for discussion.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
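To make the cookie rule the ticket argues about concrete, here is an added example (not Tor Browser's or the ticket author's code) modelling the browser-side decision: a minimal Set-Cookie parser, the stock "only https counts as secure" test, and the ticket's proposed ".onion counts as secure" rule treated as an assumption. The hostname example.onion is a constructed placeholder, not a real service.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    secure: bool  # True when Set-Cookie carried the "Secure" attribute


def parse_set_cookie(header: str, host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    domain = attrs.get("domain") or host  # no Domain attribute: host-only cookie
    return Cookie(name, domain.lstrip("."), "secure" in attrs)


def connection_is_secure(url: str, onion_is_secure: bool) -> bool:
    """Stock rule: only https counts. With onion_is_secure (the ticket's
    proposal, an assumption here) a .onion host counts too, because the
    rendezvous circuit is already encrypted end to end."""
    u = urlsplit(url)
    if u.scheme == "https":
        return True
    return onion_is_secure and (u.hostname or "").endswith(".onion")


def cookies_for_request(jar, url: str, onion_is_secure: bool = False):
    """Names of jar cookies the browser would attach to a request for url."""
    host = urlsplit(url).hostname or ""
    secure = connection_is_secure(url, onion_is_secure)
    return [c.name for c in jar
            if (host == c.domain or host.endswith("." + c.domain))
            and (secure or not c.secure)]


def ticket_scenario():
    """Constructed replay of the ticket's example: the session cookie was set
    over https, then a fresh tab is opened on plain http before any redirect."""
    out = {}
    for label, flag in (("clearnet, no Secure", ""), ("clearnet, Secure", "; Secure")):
        jar = [parse_set_cookie("_session_id=abc123" + flag, "example.com")]
        out[label] = cookies_for_request(jar, "http://example.com/")
    onion = "example.onion"  # placeholder onion hostname (constructed)
    jar = [parse_set_cookie("_session_id=abc123; Secure", onion)]
    out["onion, stock rule"] = cookies_for_request(jar, f"http://{onion}/")
    out["onion, ticket proposal"] = cookies_for_request(jar, f"http://{onion}/", True)
    return out
```

The first case is the leak the ticket describes (the session id goes out over cleartext), the second shows the Secure flag stopping it, and the last two show the same flagged cookie being withheld from the onion site under the stock rule and sent under the proposed one.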