
[tor-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain



#17965: Isolate HPKP pinning to url bar domain
------------------------------+-------------------------------------------------
      Reporter:  mikeperry    |      Owner:  tbb-team
          Type:  defect       |     Status:  new
      Priority:  High         |  Milestone:
     Component:  Tor Browser  |    Version:
      Severity:  Normal       |   Keywords:  tbb-linkability, TorBrowserTeam201601
 Actual Points:               |  Parent ID:
        Points:               |    Sponsor:
------------------------------+-------------------------------------------------
 HPKP pinning (where an HTTP header can list a key to pin) may enable
 third-party tracking if an adversary creates multiple certificates for many
 domains.

 HPKP is already memory-only. In normal Firefox, it is saved to disk in the
 same location as HSTS is.

 We should isolate HPKP to the URL bar domain, and verify that it and HSTS
 are cleared on New Identity (I believe they are).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17965>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
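
The isolation the ticket asks for can be modeled as a memory-only pin store keyed by the URL bar domain as well as the pinned host, so pin state noted under one first party is not visible under another. This is an added example, not code from the ticket or from Tor Browser; `parsePkp`, `IsolatedPinStore` and `SAMPLE_HEADER` are hypothetical names, and the caller is assumed to pass the URL bar domain already reduced to its registrable domain.

```javascript
// Added example; names are hypothetical, not Firefox or Tor Browser APIs.
// Parse a Public-Key-Pins header value (RFC 7469) into pins and max-age.
// Simplified: ignores includeSubDomains/report-uri and the backup-pin rule.
function parsePkp(value) {
  const pins = [];
  let maxAge = null;
  for (const part of value.split(";")) {
    const d = part.trim();
    const pin = /^pin-sha256="([^"]+)"$/i.exec(d);
    const age = /^max-age=(\d+)$/i.exec(d);
    if (pin) pins.push(pin[1]);
    else if (age) maxAge = Number(age[1]);
  }
  return maxAge !== null && pins.length > 0 ? { pins, maxAge } : null;
}

// Memory-only pin store keyed by (URL bar domain, pinned host).
class IsolatedPinStore {
  constructor() {
    this.entries = new Map();
  }
  static key(urlBarDomain, host) {
    return `${urlBarDomain}|${host}`;
  }
  // Record pins received from `host` while `urlBarDomain` was the first party.
  note(urlBarDomain, host, headerValue, nowMs) {
    const parsed = parsePkp(headerValue);
    if (!parsed) return false;
    const k = IsolatedPinStore.key(urlBarDomain, host);
    if (parsed.maxAge === 0) this.entries.delete(k); // max-age=0 drops the pin
    else this.entries.set(k, { pins: parsed.pins, expires: nowMs + parsed.maxAge * 1000 });
    return true;
  }
  // Pins apply only under the first party that observed them, until expiry.
  lookup(urlBarDomain, host, nowMs) {
    const e = this.entries.get(IsolatedPinStore.key(urlBarDomain, host));
    return e && e.expires > nowMs ? e.pins : null;
  }
  // New Identity: drop all pin state.
  newIdentity() {
    this.entries.clear();
  }
}

// Constructed header value; the pin strings are placeholders, not real key hashes.
const SAMPLE_HEADER = 'pin-sha256="cGluLUE="; pin-sha256="cGluLUI="; max-age=3600';
```

A regression check for the ticket would assert the same three properties against the real store: a pin is honored under the first party that saw it, absent under any other first party, and gone after New Identity.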