[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #9952 [Tor Support]: OkCupid blocking Tor :(
#9952: OkCupid blocking Tor :(
-----------------------------+------------------
Reporter: cypherpunks | Owner: runa
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Tor Support | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+------------------
Comment (by cypherpunks):
Ran into this and worked up some datapoints for you all. Be sure to
disable HTTPS-Everywhere and any other modifying/filtering plugins first.
Over Tor...
Starting with http://www.okcupid.com/ (or https://www.okcupid.com/ where
you are then 302'd to http://www.okcupid.com/) , 'sign in' makes a POST to
https://www.okcupid.com/login . You are right, that used to work fine but
now that POST times out, even if you start directly with
https://www.okcupid.com/login .
If you start with http://www.okcupid.com/login (undocumented) and 'sign
in', it POST's to http://www.okcupid.com/login and does work. Of course
then the user/pass are in the clear, as well as all the cookies (tagged as
for 'any type of connection', same with clearnet below) and content...
which is all very bad for session theft and personal privacy. And visiting
any HTTPS URL's inside (such as to make a payment) times out as well.
Why HTTP works with Tor and why now HTTPS logon and URL's don't work with
Tor when they did work before is weird and frowny.
I tried with a handful of exits, same result. (Only with a presumably
clean Tor IP that is... otherwise you may get their cutesy error messages
with presumably dirty exits. That could indicate a GeoIP mismatch to the
stated profile location, or a GeoIP A1 proxy or some other RBL blocking,
or even their own manual IP blocking due to abuse. The messages don't say
say what the problem is. But you do get the error message, whereas HTTPS
just times out.)
Over clearnet...
The HTTPS POST and all the HTTPS URL's inside work fine. So does the
undocumented logon from http://www.okcupid.com/login . The site works
fine, user/pass is protected, but of course all the cookies and content
are in the clear... which is just dumb of them to take on that risk and
deny their users that simple guard over their personal messages and
profiles.
In sum as seen from here... please verify findings...
- Users are now unable to logon over Tor without using undocumented means.
- The site disrespects users need for privacy and security by not offering
HTTPS everywhere.
Both of these should be fixed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9952#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs