[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #16673 [Tor Browser]: Isolate HTTP Alternative-Services

Subject: [tor-bugs] #16673 [Tor Browser]: Isolate HTTP Alternative-Services
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Mon, 27 Jul 2015 08:01:23 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 27 Jul 2015 04:01:31 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#16673: Isolate HTTP Alternative-Services
---------------------------------------+--------------------------
 Reporter:  mikeperry                  |          Owner:  tbb-team
     Type:  defect                     |         Status:  new
 Priority:  normal                     |      Milestone:
Component:  Tor Browser                |        Version:
 Keywords:  ff45-esr, tbb-linkability  |  Actual Points:
Parent ID:                             |         Points:
---------------------------------------+--------------------------
 HTTP Alternative Services header (https://tools.ietf.org/html/draft-ietf-
 httpbis-alt-svc-06) allows websites to tell clients to cache destination
 and protocol settings for certain websites.

 While this header enables things like opportunistic encryption, http2
 discovery, etc, unfortunately it is both a supercookie vector and a third
 party tracking vector. Luckily for us, it was disabled for Firefox 38
 because the initial implementation also enabled URL bar spoofing
 vulnerabilities.

 However, for Firefox 45, we will either need to isolate it, or ensure it
 remains disabled.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16673>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #16673 [Tor Browser]: Isolate/Disable HTTP Alternative-Services (was: Isolate HTTP Alternative-Services)
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #16673 [Tor Browser]: Isolate/Disable HTTP Alternative-Services
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #16673 [Tor Browser]: Isolate/Disable HTTP Alternative-Services
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #16665 [Tor Browser]: Circuit visualizer needs a cue about guards
Next by Author: Re: [tor-bugs] #16673 [Tor Browser]: Isolate/Disable HTTP Alternative-Services (was: Isolate HTTP Alternative-Services)
Previous by thread: Re: [tor-bugs] #16672 [Tor Browser]: Text rendering allows fingerprinting
Next by thread: Re: [tor-bugs] #16673 [Tor Browser]: Isolate/Disable HTTP Alternative-Services (was: Isolate HTTP Alternative-Services)
Index(es):
- Author
- Thread