[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain

Subject: [tor-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 30 Dec 2015 17:35:44 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 30 Dec 2015 12:35:54 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#17965: Isolate HPKP pinning to url bar domain
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  High     |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability,
  Browser                |  TorBrowserTeam201601
     Severity:  Normal   |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |
-------------------------+-------------------------------------------------
 HPKP pinning (where an HTTP header can list a key to pin) may enable third
 party tracking if an adversary creates multiple certificates for many
 domains.

 HPKP is already memory-only. In normal Firefox, it is saved to disk in the
 same location as HSTS is.

 We should isolate HPKP to the url bar domain, and verify that it and HSTS
 are cleared on New Identity (I believe they are).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17965>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #17964 [Ooni]: Package all lepidopter dependencies in Debian
Next by Author: Re: [tor-bugs] #16073 [Tor Browser]: Unable to use Tor Browser with SOCKS5 proxy
Previous by thread: Re: [tor-bugs] #14355 [Ooni]: SimpleHTTPChannel for HTTP test helpers should be generalised
Next by thread: Re: [tor-bugs] #13372 [Tor Browser]: Unable to launch Tor browser from a memory stick
Index(es):
- Author
- Thread