Confirming the exact same error message quoted in the bug report cited in this ticket with the latest TBB alpha (MacOS 10.6.8, stock Tor Browser Bundle 4.0-alpha-1-MacOS with no additions or changes).
Upon attempting to log in to Lycos Mail, I first see a popup warning about the target page trying to access image data on a canvas. After a few seconds, this popup goes away on its own without any intervention. After that, I get to the Lycos Mail login page, submit username and password, and encounter the aforementioned circular redirection error.
The only workaround I've found so far is to completely disable NoScript under Tools>Add-ons, then restart TorBrowser. TBB's out-of-the-box default configuration (i.e. NoScript enabled but with the default "Allow Scripts Globally (dangerous)" setting) does not work -- it produces the error described above.
Additionally, page rendering on Lycos Mail is badly broken in this version of TBB, but I suspect that has more to do with the underlying Firefox ESR than with TBB itself.
Happy to test subsequent alpha builds if it would help.
Bump. Behavior unchanged with TBB 4.0.3 (Firefox ESR 31.4.0) -- login still impossible (with the exact same circular redirection error) unless NoScript is disabled completely.
Again, glad to test any proposed alphas/betas/patches to see if a given change fixes the problem.
A user joined IRC pointing to this bug and a similar one they were experiencing on an unrelated service.
Both Lycos and the other service send their login page over http (aaaargh).
The user reported that disabling NoScript resolved the issue. With the user's help I was able to reproduce the issue and confirm NoScript was the source. I noticed that when NoScript was enabled, cookies that had been issued over https would not be sent over http, resulting in it constantly forcing the user back to the login page, securely, whereupon the cookies were sent... putting them back to square one.
The issue stems from the sites' issuance of cookies "securely" then returning to http and NoScript's policy for "Secure Cookies Management".
Work Around
By going into NoScript -> Options -> Advanced -> HTTPS -> Cookies and setting appropriate exceptions under "Ignore unsafe cookies set over HTTPS by the following sites", they were able to successfully log in to the services.
I'd recommend not using these services, however, since they have some clearly problematic security holes.
Trac: Reviewer: N/A to N/A; Sponsor: N/A to N/A; Severity: N/A to Normal
Thanks for this analysis! Seems something that we don't want to fix by weakening our NoScript settings but should rather be fixed on the server side.
Trac: Resolution: N/A to wontfix; Status: new to closed
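The redirect loop analysed in the comments above, and the server-side fix suggested in the closing comment, as an added example that is not part of the original ticket. It is a simplified model, not NoScript's code: the host `mail.example`, the paths, the `session` cookie and the `forceSecure` switch are all assumptions made for illustration.

```javascript
// Constructed model: hostnames, paths and cookie name are placeholders.
const LOGIN = 'https://mail.example/login';

// forceSecure=true models a browser that treats every cookie set over HTTPS
// as Secure, even when the server omitted the attribute.
function makeJar(forceSecure) {
  const cookies = new Map();
  return {
    store(scheme, { name, value, secure }) {
      cookies.set(name, { value, secure: secure || (forceSecure && scheme === 'https') });
    },
    cookiesFor(scheme) {
      const sent = {};
      for (const [name, c] of cookies) {
        if (!c.secure || scheme === 'https') sent[name] = c.value; // Secure => HTTPS only
      }
      return sent;
    },
  };
}

// Hypothetical server: the login endpoint issues a session cookie without the
// Secure attribute, then redirects to the inbox; the inbox requires that cookie.
function server(url, cookies, inboxUrl) {
  if (url === LOGIN) {
    return { status: 302, location: inboxUrl,
             setCookie: { name: 'session', value: 'abc', secure: false } };
  }
  if (url === inboxUrl) {
    return cookies.session ? { status: 200 } : { status: 302, location: LOGIN };
  }
  return { status: 404 };
}

// Follow redirects the way a browser would, giving up after maxRedirects hops.
function login(forceSecure, inboxUrl, maxRedirects = 20) {
  const jar = makeJar(forceSecure);
  let url = LOGIN;
  for (let hops = 0; hops <= maxRedirects; hops++) {
    const scheme = url.split(':')[0];
    const res = server(url, jar.cookiesFor(scheme), inboxUrl);
    if (res.setCookie) jar.store(scheme, res.setCookie);
    if (res.status !== 302) return { outcome: 'loaded', hops };
    url = res.location;
  }
  return { outcome: 'redirect-loop', hops: maxRedirects };
}

console.log(login(false, 'http://mail.example/inbox'));  // cookie reaches HTTP inbox
console.log(login(true, 'http://mail.example/inbox'));   // cookie withheld over HTTP
console.log(login(true, 'https://mail.example/inbox'));  // server-side fix: stay on HTTPS
```

The third call shows why the fix belongs on the server: once the post-login page is also served over HTTPS, the cookie is sent regardless of how strictly the browser treats it.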