Error on Lavabit when forcing encryption for cookies

Post by Guest »

Bad request: The login command requires two string arguments.

Read data:
I'm not sure why adding Lavabit to the list of websites to force secure cookies for should cause this problem, since the entire Lavabit webmail interface uses SSL.
https://lavabit.com/apps/webmail/src/login.php
Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0

Re: Error on Lavabit when forcing encryption for cookies

Post by Guest »

It seems when I log in to Lavabit without forcing encryption, I get two cookies.

However, when I try to force encryption, I only get one cookie and the error message.
Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0

Re: Error on Lavabit when forcing encryption for cookies

Post by GµårÐïåñ »

This is just an educated guess as I have no way to verify this, but it could be the site is sending you a cookie from an unsecured domain (mixed state, lots of domains do it) and that part might be critical to the function, but since it's not allowed, it causes an error. Say https://somedomain is accessing a script on http://somedomain to create the GUI or function or whatever, and since the HTTPS enforcement breaks that, it gives you an error. Now as stated, this is just an educated guess, so if that's not the problem then I am sorry, but it's worth looking into. Good luck.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Re: Error on Lavabit when forcing encryption for cookies

Post by GµårÐïåñ »

OK, decided to dig into their code a bit for you and there is a reference to /apps/webmail/custom/jquery.js, and inside that code, toward the end of a very long series of codes, you will see a reference to an HTTP object (notice the lack of SSL protocol). Therefore, if you didn't have HTTPS forced, it would just pull from HTTP and you wouldn't be the wiser and nothing would go wrong, but when you force it, it breaks the connection to that library, therefore breaks the function, etc. etc., you get where this is going. The programmer just forgot a small detail and probably didn't catch it because they never did an HTTPS-forced testing environment. I'll keep digging and if there is anything more relevant, I will post it here; if not, then maybe Giorgio can elaborate on how to bypass/fix it.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Re: Error on Lavabit when forcing encryption for cookies

Post by Guest »

That would be very odd, because I do not allow Lavabit's JavaScripts to run.

When logging in without HTTPS forcing, the two cookies I get are named key and SQMSESSID. CS Lite says they are both secure. However, I wanted to add Lavabit to NoScript's list of sites to force cookies to use encryption to be sure.
Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0

Re: Error on Lavabit when forcing encryption for cookies

Post by GµårÐïåñ »

That is odd indeed, as it does use that JS to build the library components needed to process, so I am not sure what's going on. I will say that I obviously did not dig too deep, as I didn't have the time and didn't really want to violate the developer's space, but I can tell you he/she HATES IE :ugeek: It's all over the code's comments. Have you tried asking the site itself to tell you why this behavior occurs? They might already be aware and have an answer; otherwise, I think this is best for Giorgio's expertise.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Re: Error on Lavabit when forcing encryption for cookies

Post by Giorgio Maone »

Guest wrote: I wanted to add Lavabit to NoScript's list of sites to force cookies to use encryption to be sure.
If the site works fine in full HTTPS mode, all you need to do to protect it is add it to your NoScript Options|Advanced|HTTPS|Behavior|Force the following sites to use HTTPS connections list.
This way your cookies can't leak over plain HTTP even if they are not secure.

Forcing secure cookies, on the other hand, can sometimes cause non-obvious compatibility issues because cookies are rewritten on the fly, hence it should be used sparingly, only if a site actually forces you into mixed HTTP/HTTPS mode (i.e. some URLs do not work over HTTPS, like Google search for instance).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
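
A simplified model of the two protections described in the reply above, added here as an illustration; it is not NoScript's code and not part of the original thread. The host mail.example, the cookie names and the header values are constructed, and only the Secure rule is modelled (no domain, path or expiry matching).

```javascript
// Added example: simplified model, not NoScript's implementation.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// "Force secure cookies": rewrite each cookie so it carries Secure.
function forceSecure(cookie) {
  return { ...cookie, attrs: { ...cookie.attrs, secure: true } };
}

// "Force HTTPS connections": upgrade the request URL, leave cookies alone.
function forceHttps(url) {
  const u = new URL(url);
  if (u.protocol === "http:") u.protocol = "https:";
  return u.href;
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const https = new URL(url).protocol === "https:";
  return jar.filter((c) => https || !c.attrs.secure).map((c) => c.name);
}

// Constructed login response: one cookie flagged Secure, one not.
const sampleHeaders = [
  "sid=abc123; Path=/; Secure; HttpOnly",
  "token=def456; Path=/",
];
const jar = sampleHeaders.map(parseSetCookie);
const plainUrl = "http://mail.example/inbox"; // a stray plain-HTTP request

// No protection: the unflagged cookie travels in cleartext.
console.log("unprotected:", cookiesSentTo(plainUrl, jar));
// Force HTTPS: the request is upgraded, so nothing is sent in cleartext.
console.log("force HTTPS:", forceHttps(plainUrl), cookiesSentTo(forceHttps(plainUrl), jar));
// Force secure cookies: cookies are rewritten; the HTTP request gets none.
console.log("force Secure:", cookiesSentTo(plainUrl, jar.map(forceSecure)));
```

In the model, both options keep the cookies off plain HTTP, but only the second one changes what the site's own responses set, which is where the compatibility risk mentioned in the reply comes from.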

Re: Error on Lavabit when forcing encryption for cookies

Post by Guest »

Okay. Thanks.
Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0