
Re: [tor-talk] Tor and resumed TLS handshakes



Thus spake Mansour Moufid (mansourmoufid@xxxxxxxxx):

> I'm reading about TLS, and just read more about the "resumed TLS
> handshake" shortcut.
>
> Seems like a nice way for Google Analytics or others to track users
> across exit nodes... Is this likely? Did I miss something?
> 
> [1] https://trac.webkit.org/wiki/Fingerprinting#SessionIDs

Ugh, you are absolutely right.

Previously we dealt with SSL Session IDs only by clearing them upon
toggle, on the assumption that Tor sessions would be short-lived. We
also clear them with the "New Identity" button in Tor Browser, so Tor
Browser users are not entirely defenseless.

However, you are right: We should not allow third parties to use TLS
session resumption from different top-level origins in Tor Browser.

I've created two tickets for this:
https://trac.torproject.org/projects/tor/ticket/4099 and
https://trac.torproject.org/projects/tor/ticket/4100

The first ticket is to just disable TLS session resumption, and the
related HTTP Keep-Alive feature for Tor Browser Bundle 2.2.x. The
second ticket is to find a proper way to actually isolate these
features to the URL bar domain. #4100 may not happen on a reasonable
timescale, but I set the milestone to TBB 2.3.x anyway.

Thanks for finding this!

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
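
The linkability raised in this thread and the URL bar domain isolation proposed in ticket #4100, as an added example that is not part of the original message and is not Tor Browser code. It is a toy model with no real TLS; the class names, hostnames and exit addresses are constructed assumptions.

```python
"""Toy model of a browser TLS session cache, keyed two ways (constructed example)."""
import secrets


class TrackerServer:
    """Third-party TLS server that logs which session ID each handshake used."""

    def __init__(self):
        self.sessions = {}  # session_id -> exit addresses seen with that ID

    def handshake(self, offered_id, exit_addr):
        # Resumed handshake: the client offered an ID this server issued earlier.
        if offered_id in self.sessions:
            self.sessions[offered_id].append(exit_addr)
            return offered_id
        # Full handshake: issue a fresh session ID.
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = [exit_addr]
        return new_id

    def linked_visits(self):
        """Largest number of connections the server can tie to one session ID."""
        return max(len(v) for v in self.sessions.values())


class Browser:
    def __init__(self, isolate_by_first_party):
        self.isolate = isolate_by_first_party
        self.cache = {}

    def fetch_third_party(self, first_party, host, server, exit_addr):
        # Cache key: host only (shared) or (URL bar domain, host) (isolated).
        key = (first_party, host) if self.isolate else host
        self.cache[key] = server.handshake(self.cache.get(key), exit_addr)

    def new_identity(self):
        # Models clearing the session cache, as "New Identity" is described above.
        self.cache.clear()


def simulate(isolate):
    """Load one tracker from three sites, each over a different exit."""
    server, browser = TrackerServer(), Browser(isolate)
    visits = [("news.example", "198.51.100.1"),   # constructed sample data
              ("shop.example", "198.51.100.2"),
              ("mail.example", "198.51.100.3")]
    for first_party, exit_addr in visits:
        browser.fetch_third_party(first_party, "tracker.example", server, exit_addr)
    return server.linked_visits()
```

With the shared cache the tracker ties all three page loads to one session ID despite the changing exits; with the per-first-party key each load is a separate full handshake.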

