[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 09 Nov 2018 17:03:18 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 09 Nov 2018 12:03:27 -0500
In-reply-to: <043.b5186732e109c792551d5d810fcc3360@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.b5186732e109c792551d5d810fcc3360@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#28374: ensure RequestStorageId cannot be accessed remotely
-----------------------------------------+--------------------------
 Reporter:  mcs                          |          Owner:  tbb-team
     Type:  defect                       |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:  tbb-fingerprinting,ff60-esr  |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+--------------------------

Comment (by tom):

 Because this is an IPC method not available to Web Content, there doesn't
 seem to be any wiring to provide this to an actual website (especially
 with EME disabled.)

 However, there probably isn't anything that intentionally stops a
 compromised content process from getting this data. (although it might not
 work just because EME is disabled, but I'm unsure.)

 I recommend we make this one of the bugs blocking #28147 and tackle it as
 part of future 'harden the content process' work.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28374#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #25013 [Applications/Tor Browser]: Move TorButton code to the tor browser repository
Next by Author: Re: [tor-bugs] #27983 [Core Tor/Tor]: 0.3.2.x reached it's EOL date: remove version 0.3.2.x from recommended versions
Previous by thread: [tor-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely
Next by thread: Re: [tor-bugs] #28374 [Applications/Tor Browser]: ensure RequestStorageId cannot be accessed remotely
Index(es):
- Author
- Thread