Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-linkability, ff60-esr,           |  Actual Points:
  tbb-performance, TorBrowserTeam201808R         |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):

 * keywords:  tbb-linkability, ff60-esr, tbb-performance,
     TorBrowserTeam201808 => tbb-linkability, ff60-esr, tbb-performance,
     TorBrowserTeam201808R

Comment:

 Jonathan Hao at Mozilla implemented FPI (OriginAttribute isolation) of
 session identifiers and session tickets in
 https://hg.mozilla.org/mozilla-central/rev/9aba8184664d. That patch
 includes unit tests to show that isolation is effective when
 "privacy.firstparty.isolate" is enabled.

 I also reviewed the code to understand it better:

 Each session ticket or session identifier is stored in an instance of the
 same `sslSessionID` struct:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/nss/lib/ssl/sslimpl.h#462

 `sslSessionID` instances are stored in the session cache, keyed by a
 `peerID` string:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/nss/lib/ssl/sslnonce.c#285

 The security manager sets the `peerID` string to include the
 OriginAttributes suffix from the socket:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/manager/ssl/nsNSSIOLayer.cpp#2709

 Therefore we can be confident that session tickets/identifiers are
 isolated by first party. So here's my patch for review:
 https://github.com/arthuredelstein/tor-browser/commit/17252
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17252#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
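
The keying described in the comment above, as an added example that is not part of the original message and is not NSS or Tor Browser code: a toy client session cache whose key optionally includes the first party, showing why a third-party host can link visits across sites only when the key lacks it. All `toy_*` names are hypothetical, the hosts are constructed, and the `^firstPartyDomain=` suffix is a simplified stand-in for the OriginAttributes suffix.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not NSS code. Names are hypothetical; the key layout
 * "host:port^firstPartyDomain=..." is a simplification assumed here. */
#define MAX_SESSIONS 16
struct toy_sid { char peer_id[160]; unsigned ticket; };
static struct toy_sid cache[MAX_SESSIONS];
static unsigned cache_len, next_ticket;

void toy_cache_reset(void) { cache_len = 0; next_ticket = 0; }

/* Build the cache key; with isolation on, the first party is part of it. */
static void toy_peer_id(char *out, size_t n, const char *host, int port,
                        const char *first_party, int isolate) {
    if (isolate)
        snprintf(out, n, "%s:%d^firstPartyDomain=%s", host, port, first_party);
    else
        snprintf(out, n, "%s:%d", host, port);
}

/* Connect to host:port while first_party is the URL bar domain. Returns the
 * cached ticket offered to the server (what it could use to link visits),
 * or 0 when nothing matches and a full handshake stores a fresh ticket. */
unsigned toy_connect(const char *host, int port, const char *first_party,
                     int isolate) {
    char key[160];
    toy_peer_id(key, sizeof key, host, port, first_party, isolate);
    for (unsigned i = 0; i < cache_len; i++)
        if (strcmp(cache[i].peer_id, key) == 0)
            return cache[i].ticket;       /* resumption with the old ticket */
    if (cache_len < MAX_SESSIONS) {       /* full handshake, cache new ticket */
        snprintf(cache[cache_len].peer_id, sizeof cache[0].peer_id, "%s", key);
        cache[cache_len++].ticket = ++next_ticket;
    }
    return 0;
}

int main(void) {
    const char *tracker = "tracker.example";   /* constructed third party */
    for (int isolate = 0; isolate <= 1; isolate++) {
        toy_cache_reset();
        toy_connect(tracker, 443, "news.example", isolate);
        unsigned t = toy_connect(tracker, 443, "shop.example", isolate);
        printf("isolate=%d: %s\n", isolate, t ? "ticket reused (linkable)"
                                              : "fresh handshake (isolated)");
    }
    return 0;
}
```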