[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #14952 [Tor Browser]: Audit HTTP/2
#14952: Audit HTTP/2
-----------------------------+----------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: ff38-esr
Actual Points: | Parent ID:
Points: |
-----------------------------+----------------------
Comment (by mikeperry):
Looking over Georg and my mails with Mark Nottingham, our concerns then
were:
1. Long-lived connections, especially without proper first party isolation
in terms of connection re-use.
2. We probably want to disable server push, due to cache inference attacks
(see: https://gnunet.org/sites/default/files/uzunov2013torspdy.pdf section
6.3.2)
3. PING and SETTINGS timing side channels.
I had this to say about PING and SETTINGS:
> Relatedly, I'm somewhat worried about the bidirectional nature of PING
and SETTINGS from the tor-specific perspective. Because these can be sent
async by the server and are acked immediately by the client, they might be
able to introduce a timing signature by the server beyond what is
contained in response to active requests from the client.. Granted, such
things are possible with Javascript (or even by simply shoving a bunch of
junk inside an html comment in a hidden element), but people are able to
disable Javascript, and static content-based mechanisms will also show
load progress indication in the UI.
>
> Therefore, In Tor Browser, I'd be tempted to close the connection if I
got more than some frequency of PING or SETTINGS updates from the server,
especially in the absence of other activity.
Mark said that closing such connections seemed fine, but we'd have to be
careful about content elements just reopening them either through JS or
dynamic CSS-based element loads. One option for that is to disable
browser-based JS/HTML network activity in inactive tabs using Firefox's
request filter APIs.
We also discussed playing with HTTP/2's various batching and padding
parameters as another possible defense against website traffic
fingerprinting, but I'm not sure there is enough there already to make
this very useful beyond the types of things that our pipelining defense
already does, and we still need more research in this area to know what
we'd want to add/change and how. He suggested waiting for HTTP/3 for
requesting such things in spec form, since there will be resistance to
late spec changes that may change cost profiles for the server side,
especially for deployment (since that has already begun).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14952#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs