
Re: [tor-bugs] #9952 [Tor Support]: OkCupid blocking Tor :(



#9952: OkCupid blocking Tor :(
-----------------------------+------------------
     Reporter:  cypherpunks  |      Owner:  runa
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Support  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+------------------

Comment (by cypherpunks):

 Ran into this and worked up some datapoints for you all. Be sure to
 disable HTTPS-Everywhere and any other modifying/filtering plugins first.

 Over Tor...
 Starting with http://www.okcupid.com/ (or https://www.okcupid.com/ where
 you are then 302'd to http://www.okcupid.com/), 'sign in' makes a POST to
 https://www.okcupid.com/login . You are right, that used to work fine but
 now that POST times out, even if you start directly with
 https://www.okcupid.com/login .

 If you start with http://www.okcupid.com/login (undocumented) and 'sign
 in', it POSTs to http://www.okcupid.com/login and does work. Of course
 then the user/pass are in the clear, as well as all the cookies (tagged as
 for 'any type of connection', same with clearnet below) and content...
 which is all very bad for session theft and personal privacy. And visiting
 any HTTPS URLs inside (such as to make a payment) times out as well.

 Why HTTP works with Tor and why now HTTPS logon and URLs don't work with
 Tor when they did work before is weird and frowny.

 I tried with a handful of exits, same result. (Only with a presumably
 clean Tor IP that is... otherwise you may get their cutesy error messages
 with presumably dirty exits. That could indicate a GeoIP mismatch to the
 stated profile location, or a GeoIP A1 proxy or some other RBL blocking,
 or even their own manual IP blocking due to abuse. The messages don't say
 what the problem is. But you do get the error message, whereas HTTPS
 just times out.)

 Over clearnet...
 The HTTPS POST and all the HTTPS URLs inside work fine. So does the
 undocumented logon from http://www.okcupid.com/login . The site works
 fine, user/pass is protected, but of course all the cookies and content
 are in the clear... which is just dumb of them to take on that risk and
 deny their users that simple guard over their personal messages and
 profiles.

 In sum as seen from here... please verify findings...
 - Users are now unable to log on over Tor without using undocumented means.
 - The site disrespects users' need for privacy and security by not offering
 HTTPS everywhere.

 Both of these should be fixed.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9952#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
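
Added example, not part of the original comment or of any Tor Project code: a small Python check for the three conditions the comment reports (an HTTPS-to-HTTP redirect, a login form that posts in the clear, and cookies set without the Secure attribute). The response headers, the cookie name and the form markup are constructed to mirror the report and are assumptions, not captured traffic.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginForms(HTMLParser):
    """Collect the action of every <form> that holds a password field."""
    def __init__(self):
        super().__init__()
        self.actions, self._action = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._action is not None:
                self.actions.append(self._action)
                self._action = None  # count each form once
    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit(url, status, headers, body=""):
    """Findings for one response; headers is a list of (name, value)."""
    findings = []
    for name, value in headers:
        if name.lower() == "location" and 300 <= status < 400:
            target = urljoin(url, value)
            if url.startswith("https:") and target.startswith("http:"):
                findings.append(f"downgrade-redirect: {target}")
        elif name.lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:  # sent on any type of connection
                findings.append(f"cookie-without-secure: {parts[0].split('=')[0]}")
    forms = LoginForms()
    forms.feed(body)
    for action in forms.actions:
        target = urljoin(url, action)  # empty action posts back to url
        if urlsplit(target).scheme != "https":
            findings.append(f"cleartext-login-post: {target}")
    return findings

# Constructed responses mirroring the report; not captured traffic.
SAMPLES = [
    ("https://www.okcupid.com/", 302, [("Location", "http://www.okcupid.com/")], ""),
    ("http://www.okcupid.com/login", 200, [("Set-Cookie", "session=x; Path=/")],
     '<form method="post" action="/login"><input type="password" name="p"></form>'),
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], audit(*sample))
```

An empty findings list for the login page served over HTTPS, with Secure set on every cookie, is the state the comment asks for.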