[RESOLVED] Using NS>Options>Advanced>HTTPS>Cookies

phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Post by phule »

When I register with a retail website, say http://www.foobar.com, and I notice it uses HTTPS sometimes, should I add *.foobar.com to NS>Options>Advanced>HTTPS>Cookies? In fact, whenever I go to a website regularly that uses HTTPS, should I add the website to NS>Options>Advanced>HTTPS>Cookies?
Last edited by Tom T. on Tue Jun 16, 2009 11:57 pm, edited 1 time in total.
Reason: resolved
Phule
FireFox 56.0,NoScript 5.1.2, BetterPrivacy-1.77
Adblock Plus 2.9.1. Mac OS X 10.12.5
Apple iMac 2.7 GHz Intel Core i5
8 GB 1066 MHz DDR3 RAM
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by therube »

Best answer I can provide, FAQ: 6 - HTTPS.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17
phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by phule »

therube wrote: Best answer I can provide, FAQ: 6 - HTTPS.
I'm still using NS 1.9.3.3 and if I add *.amazon.com to NS>Options>Advanced>HTTPS>Cookies, I'm "partially" blocked from signing in to Amazon. Entering my email address & password is recognized and I'm welcomed to the website. But I can't examine any of my account records nor complete any orders. The error console only shows messages about NoScript and I can only partially interpret them. They are:

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: ubid-main=190-4279832-4548745; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] Secure cookie set by http://www.amazon.com: at-main=3|xT/3tMhutwk82HG3Gp+1aVUPkVwVKyAEToh8mBj4mnsckbmF9VV0p7PL/r6RkObNlDcsM6YJc7FF3Sq3a5dq9MrFWS2tNzZq3qA+PzoccwLJSWsEmQwewzcEAoL1Kkf2K4LZwlac5r/Ql7PzDrtppV5CgxR2Bgdj7UTtfxb6aY4gFqlZZhzBcA==; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: x-main=Zv?KMrHvJ7tnlDhgBj0QrYZwadmvlkin; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: ubid-main=190-4279832-4548745; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: session-token=aVlkLBm08X5ow4iLIU+W0HMB9KP/r8JKCNdfEFV3PEBuGGdbSwCdOFse52g1gTVfrLP3y6FuT4YNkHaRPSy7L0Pr4wX4qnF+llrfIpMkD5gRhxbDvMQyecYEtNR1uwX7cTIHkEcBnRMzt+SzFKxBWbOHwEk0tdbMDlRgA6BIsZjo94vvIO5eRRHIz9pv/6u37uP/idmY/izXPqt5wQXpXuKEAITPseSDZukOLNSxyvessXf6Aa9HOhW26HpSXvng; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: ubid-main=190-4279832-4548745; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: ubid-main=190-4279832-4548745; domain=.amazon.com; path=/; Secure

[NoScript HTTPS] Detected unsafe navigation with NoScript-secured cookies: https://www.amazon.com/gp/css/history/v ... r=months-6 -> http://www.amazon.com/gp/flex/sign-out. ... n=sign-out

[NoScript HTTPS] http://www.amazon.com cannot support secure cookies because it does not use HTTPS. Consider forcing HTTPS for http://www.amazon.com in NoScript's Advanced HTTPS options panel.

[NoScript HTTPS] Toggled secure flag on ubid-main=190-4279832-4548745; domain=.amazon.com; path=/

[NoScript HTTPS] Toggled secure flag on session-token=aVlkLBm08X5ow4iLIU+W0HMB9KP/r8JKCNdfEFV3PEBuGGdbSwCdOFse52g1gTVfrLP3y6FuT4YNkHaRPSy7L0Pr4wX4qnF+llrfIpMkD5gRhxbDvMQyecYEtNR1uwX7cTIHkEcBnRMzt+SzFKxBWbOHwEk0tdbMDlRgA6BIsZjo94vvIO5eRRHIz9pv/6u37uP/idmY/izXPqt5wQXpXuKEAITPseSDZukOLNSxyvessXf6Aa9HOhW26HpSXvng; domain=.amazon.com; path=/

[NoScript HTTPS] Toggled secure flag on x-main=Zv?KMrHvJ7tnlDhgBj0QrYZwadmvlkin; domain=.amazon.com; path=/

[NoScript HTTPS] Sending Cookie for http://www.amazon.com: ubid-main=190-4279832-4548745; session-token=aVlkLBm08X5ow4iLIU+W0HMB9KP/r8JKCNdfEFV3PEBuGGdbSwCdOFse52g1gTVfrLP3y6FuT4YNkHaRPSy7L0Pr4wX4qnF+llrfIpMkD5gRhxbDvMQyecYEtNR1uwX7cTIHkEcBnRMzt+SzFKxBWbOHwEk0tdbMDlRgA6BIsZjo94vvIO5eRRHIz9pv/6u37uP/idmY/izXPqt5wQXpXuKEAITPseSDZukOLNSxyvessXf6Aa9HOhW26HpSXvng; x-main=Zv?KMrHvJ7tnlDhgBj0QrYZwadmvlkin; session-id-time=1245654000l; session-id=184-8569196-7449946

[NoScript HTTPS] FORCED SECURE on https://www.amazon.com: ubid-main=190-4279832-4548745; domain=.amazon.com; path=/; Secure
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I THINK that although Amazon indicates it's using a secure HTTPS connection, it really isn't. So I need to add *.amazon.com to NS>Options>Advanced>HTTPS>Behavior to force a secure connection.
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by Giorgio Maone »

phule wrote: I THINK that although Amazon indicates it's using a secure HTTPS connection, it really isn't. So I need to add *.amazon.com to NS>Options>Advanced>HTTPS>Behavior to force a secure connection.
Yes, you're right.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by phule »

Giorgio Maone wrote:
phule wrote: I THINK that although Amazon indicates it's using a secure HTTPS connection, it really isn't. So I need to add *.amazon.com to NS>Options>Advanced>HTTPS>Behavior to force a secure connection.
Yes, you're right.
I've noticed that even though I've forced Amazon.com to use HTTPS, I still can't encrypt any HTTPS cookies from Amazon.com by adding *.amazon.com to NS>Options>Advanced>HTTPS>Cookies. Kind of strange.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by Tom T. »

I've noticed that even though I've forced Amazon.com to use HTTPS, I still can't encrypt any HTTPS cookies from Amazon.com by adding *.amazon.com to NS>Options>Advanced>HTTPS>Cookies. Kind of strange.
Can't reproduce on Win XP, Fx 2.20, NS 1.9.4.1. Added *.amazon.com to both Https Cookies and Behavior. Went there. Got two cookies, both from amazon.com, one called session_id and one called session_id_time. Both marked "Send for: Encrypted connections only".

However, did run into your issue of logging into account and actually buying stuff. Which I have been meaning to do -- thanks for reminding me! :)
Work-around: Take amazon.com *out* of the HTTPS Force lists. I hadn't been there in a while, and it's very strange: You're logged in through a secure server, but then as you browse, it's back to unencrypted. A little possible privacy leak there on what you're browsing, but a lot of online stores let you browse without logging in, then take you to a secure server when you're ready to login and buy. Amazon did this -- when my cart was full, and I clicked "One-click order" (or regular order, still works) it then took me to a secure server, requested PW again, and sent 5 cookies, all marked "Encrypted connections only". So I think all is safe there.

Thanks again for reminding me that I needed to go there! Let me know if this works for you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
phule
Junior Member
Posts: 35
Joined: Sun Jun 07, 2009 6:45 pm
Location: Missouri, USA

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by phule »

Tom T. wrote:
I've noticed that even though I've forced Amazon.com to use HTTPS, I still can't encrypt any HTTPS cookies from Amazon.com by adding *.amazon.com to NS>Options>Advanced>HTTPS>Cookies. Kind of strange.
Can't reproduce on Win XP, Fx 2.20, NS 1.9.4.1. Added *.amazon.com to both Https Cookies and Behavior. Went there. Got two cookies, both from amazon.com, one called session_id and one called session_id_time. Both marked "Send for: Encrypted connections only".

However, did run into your issue of logging into account and actually buying stuff. Which I have been meaning to do -- thanks for reminding me! :)
Work-around: Take amazon.com *out* of the HTTPS Force lists. I hadn't been there in a while, and it's very strange: You're logged in through a secure server, but then as you browse, it's back to unencrypted. A little possible privacy leak there on what you're browsing, but a lot of online stores let you browse without logging in, then take you to a secure server when you're ready to login and buy. Amazon did this -- when my cart was full, and I clicked "One-click order" (or regular order, still works) it then took me to a secure server, requested PW again, and sent 5 cookies, all marked "Encrypted connections only". So I think all is safe there.

Thanks again for reminding me that I needed to go there! Let me know if this works for you.
Yes it does work when I'm not forcing it to use HTTPS.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Using NS>Options>Advanced>HTTPS>Cookies

Post by Tom T. »

I believe that this feature was implemented primarily because some banks and merchants (notably, Bank of America, but many others) foolishly provided a place to enter login credentials from their *unsecured* home page. They even put a phony black padlock by the login box. Even though the credentials were to be *sent* to a secure server, this posed some risk. So such sites had to be forced to use HTTPS and secure cookies. (Or bookmark the secure login page. If you can't find it, enter *nothing* in the login box and click "Login". It usually takes you to the properly secured login page, with an error of your incorrect entries, of course.)

Amazon.com doesn't seem to offer a login on their unsecured home page, AFAIK. When I click "Your account", I'm taken to a properly-secured HTTPS page, where it should be safe to enter your login. It sends two encrypted cookies, the critical one I believe to be "session token" which has a nice 204-character random string (encryption key in there, I think) and is sent for encrypted connections only. Unless I am mistaken, that and its fellow encrypted cookie, ubid, would have to be stolen for someone to hijack your account (not your shopping itself, which is unsecure and so are its cookies). Same at checkout. So, not all sites need to be forced to HTTPS, only those that stupidly do not secure the login page.

Regards.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
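
Added example (not part of any post above, and not NoScript's own code): a small model of why forcing the Secure flag on a site's cookies leaves a user logged in on its https pages but unrecognised on its plain-http pages, as the console log in this thread reports. The host shop.example, the paths, the placeholder values and the forceSecure() helper are assumptions; the cookie names are taken from the log, and every sample cookie carries a Domain attribute as it does there.

```javascript
// Added example, not NoScript code. Cookie names come from the thread's log;
// the host shop.example, the paths and all values are constructed placeholders.
// Parse a Set-Cookie header value (only the attributes this thread discusses).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: "", path: "/", secure: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (/^secure$/i.test(key)) cookie.secure = true;
    else if (/^domain$/i.test(key)) cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (/^path$/i.test(key)) cookie.path = val || "/";
  }
  return cookie;
}

// True when the host and path of `url` fall inside the cookie's scope.
function inScope(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const hostOk = hostname === cookie.domain || hostname.endsWith("." + cookie.domain);
  return hostOk && pathname.startsWith(cookie.path);
}

// Names of the cookies a browser attaches to a request for `url`.
// A cookie carrying the Secure flag is only ever sent over https.
function cookiesSentTo(url, jar) {
  const https = new URL(url).protocol === "https:";
  return jar.filter((c) => inScope(c, url) && (!c.secure || https)).map((c) => c.name);
}

// Names of in-scope cookies withheld because the request is plain http.
function withheldFrom(url, jar) {
  const sent = cookiesSentTo(url, jar);
  return jar.filter((c) => inScope(c, url) && !sent.includes(c.name)).map((c) => c.name);
}

// Simplified model of the HTTPS>Cookies list: every cookie gets the Secure flag.
const forceSecure = (jar) => jar.map((c) => ({ ...c, secure: true }));

// Constructed Set-Cookie values, sent by the server without Secure.
const SAMPLE_JAR = [
  "session-token=PLACEHOLDER; domain=.shop.example; path=/",
  "x-main=PLACEHOLDER; domain=.shop.example; path=/",
  "ubid-main=PLACEHOLDER; domain=.shop.example; path=/",
].map(parseSetCookie);
const HTTP_PAGE = "http://www.shop.example/browse";
const HTTPS_PAGE = "https://www.shop.example/account";
console.log("http, as sent by site:", cookiesSentTo(HTTP_PAGE, SAMPLE_JAR));
console.log("http, forced Secure:  ", cookiesSentTo(HTTP_PAGE, forceSecure(SAMPLE_JAR)));
```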