Opened 5 years ago

Last modified 22 months ago

#13332 new defect

Cannot log in to lang-8.com (SNS for language learners) using Tor Browser.

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: noscript

Description

I am trying to use the website Lang-8 (a social networking site for language learning) with Tor Browser. I can create an account, but I cannot log in. Whenever I enter my user name and password on the Lang-8 login page, I am redirected back to the welcome page of the site and I do not appear to be logged in.

I do not get any kind of error message, so I don't think that the site is deliberately blocking Tor.

I have tried both Tor Browser version 3.6.6 and 4.0-alpha-3; the problem occurs with both versions.

First I thought that maybe HTTPS Everywhere was to blame, but disabling it does not solve the problem.

After some experimentation, I discovered that if I disable the NoScript extension in Tor Browser (via the Addons menu item in Firefox), I can log in to lang-8 successfully. So it seems that NoScript is causing the problem.

Of course, turning off NoScript is not a viable long-term solution. I tried turning NoScript on again while adding a regexp matching Lang-8 URLs to the NoScript XSS protection whitelist, but this didn't help.

See also this question on Tor Stack Exchange.

Child Tickets

Change History (5)

comment:1 Changed 5 years ago by qbi

I made a new Firefox profile and tried to log in

  1. with the standard profile
  2. with HTTPS Everywhere installed
  3. with NoScript and HTTPS Everywhere installed

The latter two were not configured. I just used the default install. In all three cases I was able to log in to lang-8. So NoScript is not the problem alone.

comment:2 in reply to:  1 Changed 5 years ago by cypherpunks

Replying to qbi:

> I made a new Firefox profile and tried to log in
>
>   1. with the standard profile
>   2. with HTTPS Everywhere installed
>   3. with NoScript and HTTPS Everywhere installed
>
> The latter two were not configured. I just used the default install. In all three cases I was able to log in to lang-8. So NoScript is not the problem alone.

Yes, this matches what I have observed. I can log in to Lang-8 using Debian's version of Firefox ("Iceweasel") + NoScript.

So the problem lies either with the interaction between Tor Browser and NoScript, or with the specific NoScript config shipped with Tor Browser.

A temporary workaround for people who want to use Lang-8 via Tor Browser is to use a separate Tor Browser installation, with the NoScript extension disabled, only for logging into Lang-8, and to use one's normal, unmodified Tor Browser installation for everything else. Obviously this is not an ideal solution.

comment:3 Changed 5 years ago by cypherpunks

I think the problem is related to the NoScript SecureCookies ("Automatic Secure Cookie Management") feature.

In Tor Browser, the preference noscript.secureCookies is true; if I set it to false in an otherwise unmodified Tor Browser (via about:config), I can successfully log in to Lang-8.

Likewise, if I add lang-8.com to the list of SecureCookies exceptions via the GUI, as described in the NoScript FAQ, Lang-8 login also works (this modifies the noscript.secureCookiesExceptions preference).

In upstream NoScript (or rather, the version packaged by Debian), the default value of noscript.secureCookies appears to be false, I guess that is why the problem doesn't occur with Firefox+NoScript.

Judging by the NoScript FAQ entry linked above, the SecureCookies feature breaks logins to multiple sites. Requiring Tor Browser users to set up their own exceptions in each case doesn't seem like a good idea, as that way each user would have a different set of exceptions, which could be used for fingerprinting. Maybe the best solution is to disable the SecureCookies feature in Tor Browser.

Here is some background on the login process for Lang-8:

  1. The login page (https://lang-8.com/login?from=header) itself is served via HTTPS.
  2. The login data is sent in a POST request via HTTPS.
  3. The user is then redirected back to an HTTP URL (http://lang-8.com).

I tested the login in three scenarios, and observed the requests using the built-in Firefox web developer tools (the network panel).

Unmodified Tor Browser (NoScript enabled):

The browser sends 5 cookies in step 3, called __utm{a,b,c,t,z}.
Log in to Lang-8 fails.

Tor Browser with NoScript disabled:

The browser sends 8 cookies in step 3:

  - __utm{a,b,c,t,z}, as above
  - three additional cookies: L8SESSID, _lang-8_rails_session, last_activity_date
Log in to Lang-8 succeeds.

Tor Browser with noscript.secureCookies set to false:

The browser sends 8 cookies in step 3, as in the previous scenario.
Log in to Lang-8 succeeds.

It seems that the last three cookies contain the session data, and that the noscript.secureCookies option prevents them from being set.

Last edited 5 years ago by cypherpunks

comment:4 Changed 5 years ago by cypherpunks

Tor Browser ships with the file extension-overrides.js which overrides the default value of noscript.secureCookies, that's why logins work with upstream NoScript+Firefox but not with Tor Browser:

pref("noscript.secureCookies", true);
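The following is an added example written for this page, not code from Tor Browser, NoScript or Lang-8. It models the mechanism that comment:3 and comment:4 describe: with noscript.secureCookies set to true, cookies that the HTTPS login response sets are forced to carry the Secure attribute, so the browser omits them on the plain-HTTP redirect in step 3 and the server sees no session. The CookieJar class, the option names, the cookie values and the assumption that the __utm* cookies were set earlier over plain HTTP (which is one way they would escape the Secure forcing and still be sent, matching the 5-vs-8 count observed in the ticket) are all constructed for the illustration.

```javascript
// Added example: a minimal model of NoScript's "Automatic Secure Cookie
// Management" (the noscript.secureCookies pref) and of the browser's rule that
// Secure cookies are only sent over https. Not Tor Browser or NoScript code.

// Parse one Set-Cookie header value into { name, value, secure }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  return {
    name: name.trim(),
    value: rest.join("="),
    secure: parts.slice(1).some((attr) => attr.toLowerCase() === "secure"),
  };
}

// A toy cookie jar. `secureCookies` stands in for noscript.secureCookies and
// `secureCookiesExceptions` for noscript.secureCookiesExceptions (hostnames).
class CookieJar {
  constructor({ secureCookies = false, secureCookiesExceptions = [] } = {}) {
    this.secureCookies = secureCookies;
    this.exceptions = secureCookiesExceptions;
    this.cookies = new Map();
  }

  // Store the cookies a response for `url` sets.
  storeResponse(url, setCookieHeaders) {
    const u = new URL(url);
    for (const header of setCookieHeaders) {
      const cookie = parseSetCookie(header);
      // SecureCookies behaviour: a cookie set over https is forced Secure,
      // unless the setting host is listed as an exception.
      if (
        this.secureCookies &&
        u.protocol === "https:" &&
        !this.exceptions.includes(u.hostname)
      ) {
        cookie.secure = true;
      }
      this.cookies.set(cookie.name, cookie);
    }
  }

  // Names of the cookies the browser attaches to a request for `url`.
  // Standard rule: a Secure cookie is never sent over plain http.
  cookiesFor(url) {
    const u = new URL(url);
    return [...this.cookies.values()]
      .filter((c) => !c.secure || u.protocol === "https:")
      .map((c) => c.name)
      .sort();
  }
}

// Constructed sample data (values are placeholders, not captured traffic).
const UTM_COOKIES = ["__utma=1", "__utmb=1", "__utmc=1", "__utmt=1", "__utmz=1"];
const LOGIN_RESPONSE_COOKIES = [
  "L8SESSID=sessionid; Path=/; HttpOnly",
  "_lang-8_rails_session=railssession; Path=/; HttpOnly",
  "last_activity_date=2014-10-01; Path=/",
];

// Replay the three-step flow from comment:3 under a given NoScript config and
// report which cookies reach http://lang-8.com in step 3.
function simulateLogin(options) {
  const jar = new CookieJar(options);
  // Assumption: the __utm* cookies were set during earlier browsing over http.
  jar.storeResponse("http://lang-8.com/", UTM_COOKIES);
  // Steps 1 and 2: login page and POST over https; the response sets the session cookies.
  jar.storeResponse("https://lang-8.com/login?from=header", LOGIN_RESPONSE_COOKIES);
  // Step 3: redirect back to the http URL.
  const sent = jar.cookiesFor("http://lang-8.com/");
  const loggedIn = sent.includes("L8SESSID") && sent.includes("_lang-8_rails_session");
  return { sent, loggedIn };
}

const scenarios = {
  "Tor Browser default (secureCookies=true)": { secureCookies: true },
  "secureCookies=false": { secureCookies: false },
  "exception for lang-8.com": { secureCookies: true, secureCookiesExceptions: ["lang-8.com"] },
};
for (const [label, opts] of Object.entries(scenarios)) {
  const { sent, loggedIn } = simulateLogin(opts);
  console.log(`${label}: ${sent.length} cookies sent in step 3, logged in: ${loggedIn}`);
}
```

The model reproduces the ticket's observations: 5 cookies and a failed login with the Tor Browser default, 8 cookies and a successful login with the pref set to false or with lang-8.com listed as an exception. It also shows why the per-site exception is the fragile fix: the underlying problem is the site redirecting an authenticated session to an http URL, and the exception only works by telling NoScript to stop protecting that site's cookies.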

comment:5 Changed 22 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
