[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #1722 [EFF-HTTPS Everywhere]: Captcha at sorry.google.com does not follow https
#1722: Captcha at sorry.google.com does not follow https
----------------------------------------+-----------------------------------
Reporter: koryk | Owner: pde
Type: defect | Status: new
Priority: major | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: torbutton, google, captcha | Parent:
----------------------------------------+-----------------------------------
When using Torbutton, google queries are often forwarded to
sorry.google.com. When using https-everywhere along with Torbutton, a
https request gets forwarded to a non http site, sorry.google.com. When
trying to change the scheme to https, you get forwarded back to the
encrypted.google.com search page. So the url of the captcha page is
something like this http://sorry.google.com/sorry/Captcha?continue= where
your search url is after the 'continue='. So someone listening on the exit
node could see what your query is even if you're trying to use https. In
addition, this leaks your cookie if you are signed in. According to the
PETS presentation 'Private Information Disclosure from Web Searches' given
by Emiliano De Cristifaro, this can be a dangerous disclosure of personal
information.
In addition, after successfully filling out the captcha, you get
redirected to your search url without the https, and that returns with a
301 request forwarding to the https request. I believe this part can be
caught by https-everywhere. This get request also will contain your
cookie. I confirmed this by examining the http requests through firebug
while using https-everywhere and torbutton.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1722>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online