Opened 7 years ago

Closed 7 years ago

#8406 closed defect (fixed)

Quantcast Ruleset Breaks Tumblr Login - needs Update/fixing

Reported by: cypherpunks Owned by: pde
Priority: Medium Milestone: HTTPS-E 3.2
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords: httpse-ruleset-bug
Cc: dtauerbach, mikeperry, jmayer@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Quantcast ruleset completely breaks https for logging into Tumblr. (https://www.tumblr.com/login) in HTTPS Everywhere 3.1.3

Child Tickets

Attachments (2)

Quantcast Disabled.txt (119.2 KB) - added by cypherpunks 7 years ago.
Quantcast Enabled.txt (124.8 KB) - added by cypherpunks 7 years ago.


Change History (14)

comment:1 Changed 7 years ago by pde

Priority: normal → critical

comment:2 Changed 7 years ago by pde

Quantcast is an online analytics/tracking domain. It's quite surprising that Tumblr's login depends on it!

comment:3 Changed 7 years ago by pde

Hmmm. I also can't reproduce this. Logging in to Tumblr works for me with both 3.1.3, the current 3.0 branch (future 3.1.4), and the current master branch.

comment:4 Changed 7 years ago by pde

Resolution: worksforme
Status: new → closed

comment:5 Changed 7 years ago by cypherpunks

Resolution: worksforme
Status: closed → reopened

Apologies for re-opening, but further info and checks that may or may not be of use:
HTTPS fails back to "non-padlocked" https (no green or grey padlock shown, just grey "globe"). No identity info or verification available.
Disabling Quantcast ruleset allows normal HTTPS login (green padlock shows).
Browser: Tor Browser 17.0.3 (Tor Bundle 2.3.25-4)
Machine: Win XP Service pack 3

Using previous version of Tor Bundle 2.3.25-2 has no issue with Tumblr login. Maybe Tor browser issue?

comment:6 Changed 7 years ago by pde

Priority: critical → normal

I tried with Tor Browser Bundle 2.3.25-4 on linux, and that seems to work too. I don't have an XP machine around to test with.

Do you think you might be able to install Live HTTP Headers, use it to capture a trace of the login process both with the Quantcast rule enabled and disabled, and paste those here?

If your Tumblr account is important to you, you might want to do this with a throwaway account.

Changed 7 years ago by cypherpunks

Attachment: Quantcast Disabled.txt added

Changed 7 years ago by cypherpunks

Attachment: Quantcast Enabled.txt added

comment:7 Changed 7 years ago by cypherpunks

Files added as requested which capture a trace of the login with Quantcast rule enabled and disabled.

comment:8 Changed 7 years ago by pde

Milestone: HTTPS-E 3.1.5

comment:9 Changed 7 years ago by pde

Cc: dtauerbach mikeperry jmayer@… added

This is very interesting. Seems like Quantserve might be doing secondary auth here or something. Note the screen resolution that is being sent to Quantcast's pixel!

Anyway, the thing that stands out to me in the case where the ruleset is enabled and the login is breaking is that pixel.quantcast.com is trying to set a cookie three times, and it isn't being sent back to their server. Now, the Quantcast ruleset does have a securecookie element which can sometimes cause this kind of problem. But in this case all the requests to Quantcast seem to be HTTPS, so I don't think that's it.

Perhaps the cypherpunks who reported this are running some other extension that does cookie wrangling of some sort. In any case, I'm going to disable the securecookie elements of this ruleset for 3.1.5.
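An added illustration of the securecookie failure mode described in the comment above (this is example code written for this page, not part of the ticket and not HTTPS Everywhere's own code or its real Quantcast ruleset). The ruleset XML below is constructed so that the securecookie element covers every quantcast.com subdomain while the rule only rewrites the bare and www hosts; the script mirrors what the extension does (flag matching cookies Secure, rewrite matching URLs) and shows that a request which escapes the rewrite silently loses the cookie, and that removing the securecookie element, as done for 3.1.5, makes the cookie flow again. The cookie name, hosts and paths are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed ruleset in HTTPS Everywhere's XML format (not the project's real
# Quantcast ruleset). The <securecookie> host regex is wider than the <rule>:
# it covers pixel.quantcast.com, which no rule rewrites to https.
RULESET_XML = r"""
<ruleset name="Quantcast (constructed example)">
  <target host="quantcast.com" />
  <target host="www.quantcast.com" />
  <target host="pixel.quantcast.com" />
  <rule from="^http://(www\.)?quantcast\.com/" to="https://www.quantcast.com/" />
  <securecookie host="^(.*\.)?quantcast\.com$" name=".*" />
</ruleset>
"""


@dataclass
class Cookie:
    domain: str          # Domain attribute as received in Set-Cookie
    name: str
    secure: bool = False  # Secure flag; browsers only send such cookies over https


def load_ruleset(xml_text):
    """Parse <rule> and <securecookie> elements into compiled regexes."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for r in root.findall("rule"):
        # HTTPS Everywhere uses $1-style backreferences; Python's re.sub wants \1.
        to = re.sub(r"\$(\d)", r"\\\1", r.get("to"))
        rules.append((re.compile(r.get("from")), to))
    secure = [(re.compile(s.get("host")), re.compile(s.get("name")))
              for s in root.findall("securecookie")]
    return rules, secure


def rewrite_url(url, rules):
    """Apply the first matching <rule>; URLs no rule matches are left as-is."""
    for pattern, to in rules:
        if pattern.search(url):
            return pattern.sub(to, url, count=1)
    return url


def apply_securecookie(cookie, secure_rules):
    """Mirror the extension: a cookie matching host and name regexes gets Secure."""
    for host_re, name_re in secure_rules:
        if host_re.search(cookie.domain) and name_re.search(cookie.name):
            cookie.secure = True
    return cookie


def cookie_is_sent(cookie, url):
    """A Secure cookie is attached only to https:// requests."""
    return (not cookie.secure) or urlparse(url).scheme == "https"


def strip_securecookie(xml_text):
    """Return the ruleset with every <securecookie> element removed (the 3.1.5 fix)."""
    root = ET.fromstring(xml_text.strip())
    for el in root.findall("securecookie"):
        root.remove(el)
    return ET.tostring(root, encoding="unicode")


def simulate(set_cookie_domain, request_urls, xml_text=RULESET_XML):
    """Return [(URL actually requested, cookie attached?)] for each request."""
    rules, secure_rules = load_ruleset(xml_text)
    # Constructed tracking cookie, as if received in a Set-Cookie header.
    cookie = apply_securecookie(Cookie(set_cookie_domain, "__qca"), secure_rules)
    out = []
    for url in request_urls:
        final = rewrite_url(url, rules)
        out.append((final, cookie_is_sent(cookie, final)))
    return out


if __name__ == "__main__":
    reqs = ["http://www.quantcast.com/p-abc123",
            "http://pixel.quantcast.com/pixel/p-abc123.gif"]
    for final, sent in simulate("pixel.quantcast.com", reqs):
        print(f"{final}: cookie {'sent' if sent else 'DROPPED'}")
    for final, sent in simulate("pixel.quantcast.com", reqs, strip_securecookie(RULESET_XML)):
        print(f"[no securecookie] {final}: cookie {'sent' if sent else 'DROPPED'}")
```

The point the simulation makes is that a securecookie element is only safe when every request to the hosts it covers is guaranteed to be rewritten to HTTPS; where the rule scope is narrower than the securecookie scope, the server sees the cookie set but never returned, which is exactly the symptom in the trace.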

comment:10 Changed 7 years ago by pde

Once the next release is out, please let us know if this is still reproducible. Or build 3.1.5 from git right now and test it:

git clone https://git.torproject.org/https-everywhere.git
cd https-everywhere
git checkout 3.0
make

comment:11 Changed 7 years ago by cypherpunks

Update: Tried with latest Tor Browser Bundle release and works OK. FYI previous Tor Browser installs I was using were installed as default, i.e. I wasn't using any add-on extensions that do cookie wrangling.

Out of curiosity what were the possible implications of the actual screen res being sent to Quantcast pixel? Does this mean that there was a potential leak of real IP address or other identifying info during login process?

Please advise if you would like any more traces of login using live HTTP.

comment:12 Changed 7 years ago by pde

Resolution: fixed
Status: reopened → closed

They're probably using this for secondary authentication (i.e., Panopticlick fingerprinting probably aimed at detecting account hijacking). Your screen resolution is not your IP address. Your screen resolution might be somewhat revealing, but TBB takes steps to prevent that by resizing the TBB window to one of a few standard sizes and faking the screen resolution to be something common that's larger than that.
