Re: [tor-bugs] #21756 [Applications/Tor Browser]: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
#21756: HTTP Authentication data is still sent to third parties with ESR 52 based Tor Browser
-------------------------------------------------+-------------------------
Reporter: gk
Owner: tbb-team
Type: defect
Status: assigned
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Resolution:
Keywords: ff52-esr, TorBrowserTeam201704, tbb-7.0-must-alpha
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor4
-------------------------------------------------+-------------------------
Comment (by arthuredelstein):
Replying to [comment:6 gk]:
> Replying to [comment:2 arthuredelstein]:
> > In the #20680 branch, I dropped our #13900 patch because ESR52 is
> > supposed to isolate HTTP Auth by first party. There is an automated test
> > in ESR52 from https://bugzilla.mozilla.org/1301523. So I think the
> > http://ip-check.info site is detecting that the HTTP Auth credentials are
> > being saved to the third party, but it isn't testing if these credentials
> > are shared with the first party.
>
> I am not so sure about that. They are saved in Tor Browser 6.5.1 as well
> but still the test passes with it. We are stripping the third party
> headers when we are doing a request.
You're right, I misspoke here. I should have said, the ip-check site is
detecting if third-party credentials are sent back at all, but it isn't
testing if these credentials are sent back under a different first party.
> Now, the most likely explanation is that the test is showing a red
> outcome just in case it gets any third party headers back. Then this would
> be indeed no issue for us. What it actually does is implementing:
>
> http://blog.jeremiahgrossman.com/2007/04/tracking-users-without-cookies.html
>
> using things like http://Session:483452791@xxxxxxxxxxxx/auth.css.php in
> a stylesheet link from ip-check.info to work without JS as well.
>
> Do you think you could come up with a test for that scenario, too, to be
> extra sure that nothing is sneaking in?
So my test from comment:2 is already testing if any third-party headers
are received back under a new first party. Are you interested in testing
the silent authentication scenario (with and without JS), or is there some
other characteristic of that demo you would like to test?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21756#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
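The silent-authentication tracking scenario discussed in the comment above, as an added example that is not part of the ticket, of ip-check.info, or of Tor Browser's own test code. It models both sides in Python: a third-party server that mints a "Session" id, challenges with 401 when no credentials arrive, and logs which first party each authenticated request came from; and a browser credential cache that is keyed either by host alone (the behaviour the ticket worries about) or by (first party, host) (what first-party isolation of HTTP auth is meant to give). The host names tracker.example, site-a.example and site-b.example, the id values and the cache model are assumptions made for this example, not taken from the ticket.

```python
import base64
from collections import defaultdict
from urllib.parse import urlsplit


def basic_auth_header(user: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class TrackingServer:
    """Stand-in for the third-party host (tracker.example, a constructed name).

    It only serves /auth.css.php. A request without a valid "Session:<id>"
    Basic credential gets a 401 challenge; one that carries it is logged
    together with the first party that embedded the stylesheet.
    """

    def __init__(self):
        self._next_id = 1000  # constructed starting value, not the page's
        self.hits = []  # (session_id, first_party)

    def mint_session_id(self) -> str:
        sid = str(self._next_id)
        self._next_id += 1
        return sid

    def handle(self, path: str, headers: dict, first_party: str):
        if path != "/auth.css.php":
            return 404, {}
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, sid = base64.b64decode(auth[6:]).decode().split(":", 1)
            except ValueError:  # bad base64 or no ':' in the decoded token
                user, sid = "", ""
            if user == "Session" and sid:
                self.hits.append((sid, first_party))
                return 200, {"Content-Type": "text/css"}
        return 401, {"WWW-Authenticate": 'Basic realm="track"'}

    def first_parties_per_session(self):
        """Which first parties each session id was observed under."""
        seen = defaultdict(set)
        for sid, fp in self.hits:
            seen[sid].add(fp)
        return {sid: sorted(fps) for sid, fps in seen.items()}


class Browser:
    """Minimal model of a browser's HTTP auth credential cache.

    isolate_by_first_party=False caches per host: credentials learned on one
    site are silently replayed for the same host from any other site.
    isolate_by_first_party=True caches per (first party, host).
    """

    def __init__(self, isolate_by_first_party: bool):
        self.isolate = isolate_by_first_party
        self.creds = {}

    def _key(self, first_party, host):
        return (first_party, host) if self.isolate else host

    def fetch(self, first_party: str, url: str, server: TrackingServer) -> int:
        parts = urlsplit(url)
        key = self._key(first_party, parts.hostname)
        headers = {}
        if key in self.creds:
            # Silent authentication: cached credentials go out without a prompt.
            headers["Authorization"] = basic_auth_header(*self.creds[key])
        status, _ = server.handle(parts.path, headers, first_party)
        if status == 401 and parts.username is not None:
            # Credentials embedded in the URL (user:pass@host) answer the
            # challenge automatically and are remembered under the cache key.
            self.creds[key] = (parts.username, parts.password or "")
            headers["Authorization"] = basic_auth_header(*self.creds[key])
            status, _ = server.handle(parts.path, headers, first_party)
        return status


def run_scenario(isolate_by_first_party: bool):
    """site-a embeds the stylesheet with a minted id; site-b embeds it bare.

    Returns (first parties seen per session id, (status on site-a, status on site-b)).
    Without isolation the same id shows up under both sites, i.e. tracking works.
    """
    tracker = TrackingServer()
    browser = Browser(isolate_by_first_party)
    sid = tracker.mint_session_id()
    s1 = browser.fetch("https://site-a.example",
                       f"http://Session:{sid}@tracker.example/auth.css.php", tracker)
    s2 = browser.fetch("https://site-b.example",
                       "http://tracker.example/auth.css.php", tracker)
    return tracker.first_parties_per_session(), (s1, s2)


if __name__ == "__main__":
    print("per-host cache:      ", run_scenario(False))
    print("first-party isolated:", run_scenario(True))
```

The check a test like the one gk asks for has to make is the second line of `run_scenario`: not whether the tracker ever sees credentials (it does, from site-a, in both modes), but whether a request embedded by a different first party arrives with the same id. With the per-host cache the tracker links site-a and site-b to one id; with the isolated cache site-b's request carries no Authorization header and ends at the 401.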