In Outlook Live browser cookie issues, I discussed the issues surrounding cookie usage and the Outlook Live service. As you may remember, one of the problems surrounding turning off the blind support of third-party cookies is the check that is performed at logout. If the check doesn’t pass then you will get a warning message.
The fix for this from the MS perspective is to enable third-party cookies. One of the main reasons to not follow this is for better privacy while browsing the Internet. As with most computer security, web browser security is often a trade-off between usability and security. You have to know what to set things to to achieve a balance between good security and acceptable annoyance. Many users install ad-blockers, flash blockers, disable Javascript, etc. These are good tactics, but they also introduce browsing annoyances since the very technologies these plug-ins disable are what makes the web experience interesting and fun. For more on browser security check out Securing Your Web Browser at CERT.
Fortunately, in this particular case the solution is relatively easy. Since Mozilla gives us the ability to configure the browser directly, we can change how Firefox handles cookies.
First you will need to open Firefox and go to the site about:config to edit the settings. This is not really a website, but a method provided to directly configure some browser settings. You will be presented with a warning box, just click the button.
Next, in the filter box type network.cookie, this will narrow the list displayed down to only the ones dealing with cookies. One of the settings to be changed already exists, the other will have to be added.
The setting that you want to change is:
- network.cookie.cookieBehavior
Change network.cookie.cookieBehavior to have a setting of 3, enabling the change, by double clicking on the number in the Value column and entering the new value in the dialog box.
To add the new preference, right click in the window and select Integer from the New submenu.
Enter network.cookie.p3plevel in the dialog box that appears. Set the value to be 3 in the second dialog box. There is no save function, the changes take effect immediately, just close you browser tab/window.
After making these changes you will now be able to successfully navigate the Outlook Live site and logout without getting the warning message. You will also be better protected from nefarious third-party cookies.
If you want to change the preferences back to the defaults, simply open the preferences for Firefox and click the checkbox next to Accept third-party cookies.
Apparently this functionality was part of Firefox 2 but was subsequently removed after someone complained about the size of the code required to implement it (a total of 60k in what is now a 56.9MB, at least that’s the size of the application on Mac OS X). In reading through the comments in the Bugzilla post, I fail to see where anyone makes a decent argument for reducing end-user security. For more on all of this, check out the references section of this post.
These changes were implemented on Mac OS X 10.6.4 using Firefox 3.6.11, but it should be pertinent to Windows and Linux as well.
References
Frequently I write posts that others may find useful. In fact I have even been cited in software manuals and on other sites across the web as a reference or a resource for information on a particular topic. Earlier today a visitor to my site alerted me to the fact that two of my posts on the Nagios system and using it with Mac OS X had been copied outright on a blog located in Belgium.
While imitation may be the sincerest form of flattery, wholesale plagiarism is not very flattering at all.
The website in question is the WordPress blog published by CP IT Solutions, Inc. Both posts are obvious copy/paste entries from my own blog. Here are the details:
Copies
http://cpsolutions.be/wordpress/?p=213
http://cpsolutions.be/wordpress/?p=215
Originals
http://arfore.com/2008/10/12/starting-nrpe-via-launchd/
http://arfore.com/2008/09/25/nagios-nrpe-on-os-x-server-105/
The person in question is apparently a Microsoft Certified Professional, and also hosts a Joomla site on the same domain.
WordPress blog – http://cpsolutions.be/wordpress/
Main site – http://www.cpsolutions.be/JOOMLA/
I wonder what his clients would think if they knew that he was just copying other people’s work and putting it up as original thought? I have sent e-mails to both the owner of CP IT Solutions as well as the ISP for his site. Interestingly enough, for someone that provides IT consulting services they use a hosting provider rather than run their own site, as seen by the WHOIS entry below, hopefully they are going to be called on for hosting consultancy services.
WHOIS entry for cpsoltuions.be
% WHOIS cpsolutions Domain: cpsolutions Status: REGISTERED Registered: Wed Sep 27 2006 Licensee: Not shown, please visit www.dns.be for webbased whois. Agent Technical Contacts: Last Name: Kristof De Vlieger Company Name: DVK Systems & Consultancy BVBA Language: nl Street: Luikersteenweg 547 Location: 3800 Sint-Truiden Country: BE Phone: +32.11768005 Fax: +32.11768002 Email: [email protected] Agent: Name: DVK Systems & Consultancy Bvba Website: www.dvkhosting.be Nameservers: ns3.dvkhosting.com ns2.dvkhosting.com
Sure many of us use snippets and other items from our fellow IT professionals, but at the very least give credit where it is due.
In June of 2010, Valdosta State University transitioned to using Microsoft’s Live@EDU service for our e-mail. This is Microsoft’s competing product line with Google’s Apps for Education service. There were many reasons why we chose the Microsoft service which I won’t get into here, suffice it to say, that was the decision that was made.
While I don’t use the web interface all that much, when I do use it on Safari 5 for the Mac, I have noticed an oddity. After you login to the system and do whatever you plan to do that session, to logout you should click the “Sign Out” link. Seems standard enough, right? Well, not exactly. On Safari on the Mac I have noticed that I get an error when the signout process is attempted. When testing Firefox 3.6.11, I found I wasn’t receiving the error screen and the signout process completed successfully.
After delving more into this it turns out that the problem is third-party cookies. The default settings in Safari are very restrictive. They are also all or none. There is no exception list to the privacy settings for browser cookies in Safari, unlike Firefox. Also, it turns out that if you change the settings in Firefox to match the restrictive settings in Safari you get the same error screen.
In order to find out what site was causing the problem I cleared all the cookies for Safari, then enable the setting to always allow cookies. After comparing the list of cookies that were set, I found one listed for the domain passport.com that did not show up in the cookie list when Safari is set to accept cookies only from sites that I visited.
Further investigation using the Live HTTP Headers add-on in Firefox revealed the following for that domain:
http://loginnet.passport.com/ThirdPartyCookieCheck.srf?ct=1287943985 GET /ThirdPartyCookieCheck.srf?ct=1287943985 HTTP/1.1 Host: loginnet.passport.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 Accept: image/png,image/*;q=0.8,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://login.live.com/logout.srf?lc=1033&nossl=1&lc=1033&ru=https://login.microsoftonline.com/login.srf%3Flc%3D1033%26ct%3D1287943985%26rver%3D6.1.6206.0%26id%3D260563%26wa%3Dwsignoutcleanup1.0%26nossl%3D1%26wreply%3Dhttps:%252F%252Foutlook.com%252Fowa%252F%253Frealm%253Dvaldosta.edu&id=12&wa=wsignout1.0 HTTP/1.1 302 Found Connection: close Date: Sun, 24 Oct 2010 18:13:05 GMT Server: Microsoft-IIS/6.0 PPServer: PPV: 30 H: BAYIDSLGN1F57 V: 0 Content-Type: text/html; charset=utf-8 Expires: Sun, 24 Oct 2010 18:12:05 GMT Cache-Control: no-cache Pragma: no-cache P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Set-Cookie: MSPP3RD=2832116359; domain=.passport.com;path=/;HTTPOnly= ;version=1 Content-Length: 0 Location: http://loginnet.passport.com/ThirdPartyCookieCheck.srf?tpc=2832116359&lc=1033 ---------------------------------------------------------- http://loginnet.passport.com/ThirdPartyCookieCheck.srf?tpc=2832116359&lc=1033 GET /ThirdPartyCookieCheck.srf?tpc=2832116359&lc=1033 HTTP/1.1 Host: loginnet.passport.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://login.live.com/logout.srf?lc=1033&nossl=1&lc=1033&ru=https://login.microsoftonline.com/login.srf%3Flc%3D1033%26ct%3D1287943985%26rver%3D6.1.6206.0%26id%3D260563%26wa%3Dwsignoutcleanup1.0%26nossl%3D1%26wreply%3Dhttps:%252F%252Foutlook.com%252Fowa%252F%253Frealm%253Dvaldosta.edu&id=12&wa=wsignout1.0 Cookie: MSPP3RD=2832116359 HTTP/1.1 200 OK Cache-Control: no-cache Connection: close Date: Sun, 24 Oct 2010 18:13:06 GMT Pragma: no-cache Content-Type: image/gif Expires: Sun, 24 Oct 2010 18:12:06 GMT Server: Microsoft-IIS/6.0 PPServer: PPV: 30 H: BAYIDSLGN1F50 V: 0 P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Content-Encoding: gzip Vary: Accept-Encoding Transfer-Encoding: chunked
Continuing the investigation, I decided to force Firefox to ask me about each cookie that was going to be set. This makes a dialog show up for each cookie attempt giving me the option to deny it, allow it only for the current session, or always allow. After walking through the tortorous process of a complete login/logout session, it turns out that two cookies are being set for the domain passport.com with each of them set to expire at the end of the session. More detail on the cookie can be seen in the screen shot of the cookie detail (provided by the plugin Add N Edit Cookies) shown below:
So, the next step was to fire up my VM and see how all this worked on the Windows side of things. I figured that since we had not been deluged with user requests concerning this that the browsers on the Windows side of the equation were handling it all differently. Firefox on Windows is configured out of the box just like Firefox on Mac OS X. So, as I expected the operation was the same as well. If you allow for third-party cookies, then it works fine, if you don’t then you get the error screen.
The interesting development is the settings for Internet Explorer. Bear in mind that I am using Windows 7 and Internet Explorer 8, but the settings should be fairly similar on Windows XP and between versions 7 and 8. The default setting in IE8 is to all third-party cookies, but (and this is the key) only if they have a compact privacy policy (P3P). This is the setting that makes the big difference.
It turns out that neither Firefox nor Safari support P3P headers by default. In fact there doesn’t appear to be any support for them in Safari at all. Configuring Firefox to support them requires some advanced editing of the main configuration file.
I haven’t found any adverse effects to the workings of Outlook Live when using Safari, but it is rather annoying that this occurs.
References
After my recent iPad acquisition, I realized that now I need a new bag to carry it in. Normally I use a large Healthy Back Bag, produced and sold by AmeriBag. Unfortunately, the iPad’s shape doesn’t lend itself to being carried in the teardrop-shaped bag. I have narrowed down my choices, and there are oh so many of them, but now I need some help from you, gentle reader. Each of the images below are linked to the product information page on the bag.
Recently we acquired a new firewall to place in between our datacenter and the rest of our network. This is a fairly standard security procedure used to isolate the servers from the rest of a network that can be loaded with all kinds of nasty spyware, malware and viruses, not to mention really nifty people that want to violate the security of the data.
Security is a two-edged sword for many systems folk. Firewalls are really great security tools, yet they can also get in the way of nice tools that provide access into the servers for remote administration.
Prior to the placement of the new firewall, I often used XDMCP sessions to access my unix servers from the comfort of my office, rather than traipsing to the data center to use the console. While these servers do have iLOM ports, there are some interface issues that make their use less elegant that I would wish.
After the new firewall entered the equation, I found that my normal XDMCP setup using Xephyr on my iMac no longer worked for some reason. It appeared that some of the rulesets were blocking either the particular TCP or UDP traffic necessary for the communication to work. Rather than worry our firewall administrator with troubleshooting the issue, I decided to find another way in via ssh.
It turns out that I could easily tunnel an X11 login session through an ssh session. Given that I have sshd configured to allow for TCP forwarding I was able to use an Xnest session that was initiated after logging in via ssh. Here’s the process I used:
First you need to initiate the ssh session while enabling X11 TCP forwarding. Depending on your particulars this can be done by one of the following commands:
bash-3.2$ ssh -X server.example.com
bash-3.2$ ssh -Y server.example.com
The next command is executed on the server, but the X11 session is actually running under the X11 installation on the local workstation:
Xnest :1 -geometry 1280x1024 -query localhost -terminate
Here’s a breakdown of the command parameters:
:1
determines the X11 screen to be used on the local workstation, screen 0 is the default screen used for X11
-geometry
set the screen resolution to use for the X11 window on the local workstation
-query localhost
determines which host to actually make the connection with
-terminate
closes the XDMCP session once the user logs out
All of this can actually be accomplished with a single step, by chaining the ssh login command with the Xnest command:
ssh -X REMOTESERVERNAME Xnest :1 -geometry 1280x1024 -query localhost -terminate