[tor-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain
#17965: Isolate HPKP pinning to url bar domain
-------------------------+-------------------------------------------------
Reporter: mikeperry      | Owner: tbb-team
Type: defect             | Status: new
Priority: High           | Milestone:
Component: Tor Browser   | Version:
Severity: Normal         | Keywords: tbb-linkability, TorBrowserTeam201601
Actual Points:           | Parent ID:
Points:                  | Sponsor:
-------------------------+-------------------------------------------------
HPKP pinning (where an HTTP header can list a key to pin) may enable
third-party tracking if an adversary creates multiple certificates for many
domains.

HPKP is already memory-only. In normal Firefox, it is saved to disk in the
same location as HSTS is.

We should isolate HPKP to the URL bar domain, and verify that it and HSTS
are cleared on New Identity (I believe they are).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17965>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
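
The isolation the ticket asks for, sketched as an added example (not Tor Browser or Firefox code): a memory-only pin store keyed either by host alone or by the URL bar domain plus host, with a clear operation standing in for New Identity. The class, function names, domains and pin values are hypothetical and constructed for illustration.

```javascript
// Toy in-memory HPKP pin store. Hypothetical names; not the browser's real API.
class PinStore {
  constructor(isolate) {
    this.isolate = isolate; // true: key by (URL bar domain, host); false: host only
    this.pins = new Map();  // memory-only, as the ticket says HPKP already is
  }
  key(firstParty, host) {
    // "|" cannot occur in a hostname, so the composite key is unambiguous.
    return this.isolate ? `${firstParty}|${host}` : host;
  }
  // Record pins from a Public-Key-Pins header seen while firstParty is in the URL bar.
  notePin(firstParty, host, pinHashes, maxAgeSec, nowSec) {
    this.pins.set(this.key(firstParty, host),
                  { pinHashes: [...pinHashes], expires: nowSec + maxAgeSec });
  }
  // Pins that apply to a connection to host under firstParty, or null if none.
  lookup(firstParty, host, nowSec) {
    const k = this.key(firstParty, host);
    const entry = this.pins.get(k);
    if (!entry) return null;
    if (entry.expires <= nowSec) { this.pins.delete(k); return null; }
    return entry.pinHashes;
  }
  // What New Identity is expected to do to this state.
  clearAll() { this.pins.clear(); }
}

// Constructed scenario: thirdparty.example is embedded on two unrelated sites.
// Returns true if pin state set under site-a is observable under site-b.
function pinVisibleAcrossSites(isolate) {
  const store = new PinStore(isolate);
  store.notePin("site-a.example", "thirdparty.example", ["PLACEHOLDER_PIN"], 3600, 0);
  return store.lookup("site-b.example", "thirdparty.example", 10) !== null;
}

// Returns true if the pin is still enforced on the site where it was set.
function pinKeptOnSameSite(isolate) {
  const store = new PinStore(isolate);
  store.notePin("site-a.example", "thirdparty.example", ["PLACEHOLDER_PIN"], 3600, 0);
  return store.lookup("site-a.example", "thirdparty.example", 10) !== null;
}

// Returns true if any pin state remains after the New Identity stand-in runs.
function pinSurvivesNewIdentity(isolate) {
  const store = new PinStore(isolate);
  store.notePin("site-a.example", "thirdparty.example", ["PLACEHOLDER_PIN"], 3600, 0);
  store.clearAll();
  return store.lookup("site-a.example", "thirdparty.example", 10) !== null;
}
```

The two checks that matter for the ticket are that isolated state is not shared between URL bar domains and that nothing is left after the clear.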