Opened 8 years ago

Closed 5 years ago

#3104 closed defect (fixed)

Infinite loops in Facebook settings pages

Reported by: pde
Owned by: pde
Priority: High
Milestone: HTTPS-E 4 stable
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Parent ID: #4286

Description

Facebook HTTPS support is broken in strange ways for users who haven't enabled the optional Facebook HTTPS setting.

For such users, pages like this one:

https://www.facebook.com/editaccount.php?networks

redirect back to http. In the past, that was merely a security flaw, but recently the redirect changed from an HTTP redirect to a fast JavaScript redirect, which means that our loop detection code does not spot it. The redirection script is here:
http://pastebin.com/SiWYzMug (note the hard-coded "http").

This is really Facebook's bug, but we should also consider what we can do about cases like this.
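
An added example, not part of the ticket and not HTTPS Everywhere's code: one way to catch this kind of loop is to count HTTPS rewrites of the same URL per tab within a short window, regardless of whether the downgrade arrived as an HTTP redirect or from script. The class and function names, the thresholds and the example.test URL are assumptions.

```javascript
// Added illustration, not HTTPS Everywhere code; all names and thresholds are hypothetical.
class RewriteLoopGuard {
  constructor({ maxRewrites = 3, windowMs = 5000 } = {}) {
    this.maxRewrites = maxRewrites;
    this.windowMs = windowMs;
    this.history = new Map(); // "tabId|url" -> timestamps of recent rewrites
    this.exempt = new Set();  // keys for which rewriting has been suspended
  }

  // Call for every top-level navigation, however it was triggered (HTTP 3xx,
  // meta refresh, or script assigning window.location). Returns the URL to load.
  onNavigation(tabId, url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:") return url;
    const key = `${tabId}|${u.host}${u.pathname}${u.search}`;
    if (this.exempt.has(key)) return url;
    const recent = (this.history.get(key) || []).filter(t => now - t < this.windowMs);
    if (recent.length >= this.maxRewrites) {
      // Same URL rewritten repeatedly in a short window: the site keeps downgrading.
      // This sketch falls back to http; a stricter policy would block the load.
      this.exempt.add(key);
      this.history.delete(key);
      return url;
    }
    recent.push(now);
    this.history.set(key, recent);
    u.protocol = "https:";
    return u.toString();
  }
}

// Constructed stand-in for a page whose script hard-codes "http" in its redirect.
function pageScriptRedirect(loadedUrl) {
  const u = new URL(loadedUrl);
  if (u.protocol !== "https:") return null; // http page loads and stays put
  u.protocol = "http:";
  return u.toString();
}

// Drives the rewrite/redirect cycle with a fake clock (50 ms per page load).
function simulate(guard, startUrl, maxLoads = 100) {
  let url = startUrl;
  for (let loads = 1; loads <= maxLoads; loads++) {
    const loaded = guard.onNavigation(1, url, loads * 50);
    url = pageScriptRedirect(loaded);
    if (url === null) return { loads, finalUrl: loaded };
  }
  return { loads: maxLoads, finalUrl: null }; // still looping when we gave up
}
```

With the default thresholds the simulated tab settles after four loads; with the guard effectively disabled it is still looping when the simulation stops.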

Change History (4)

comment:1 Changed 8 years ago by pde

A user who is experiencing this bug amounts to a low-key DoS against Facebook -- around 250 kbps until they close the tab.

comment:2 Changed 7 years ago by pde

Parent ID: #4286

comment:3 Changed 6 years ago by micahlee

Milestone: HTTPS-E 4 stable

comment:4 Changed 5 years ago by zyan

Resolution: fixed
Status: new → closed

I think this should be fixed since FB is secure by default now. https://www.facebook.com/notes/facebook-engineering/secure-browsing-by-default/10151590414803920

Please re-open this bug if not.