Thus spake Mansour Moufid (mansourmoufid@xxxxxxxxx): > I'm reading about TLS, and just read more about the "resumed TLS > handshake" shortcut. > > Seems like a nice way for Google Analytics or others to track users > across exit nodes... Is this likely? Did I miss something? > > [1] https://trac.webkit.org/wiki/Fingerprinting#SessionIDs Ugh, you are absolutely right. Previously we dealt with SSL Session IDs only by clearing them upon toggle, on the assumption that Tor sessions would be short lived. We also clear them with the "New Identity" button in Tor Browser, so Tor Browser users are not entirely defenseless. However, you are right: We should not allow third parties to use TLS session resumption from different top-level origins in Tor Browser. I've created two tickets for this: https://trac.torproject.org/projects/tor/ticket/4099 and https://trac.torproject.org/projects/tor/ticket/4100 The first ticket is to just disable TLS session resumption, and the related HTTP Keep-Alive feature for Tor Browser Bundle 2.2.x. The second ticket is to find a proper way to actually isolate these features to the URL bar domain. #4100 may not happen on a reasonable timescale, but I set the milestone to TBB 2.3.x anyway. Thanks for finding this! -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpWwgyqT4lhg.pgp
Description: PGP signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk