Re: [tor-bugs] #21559 [Applications/Tor Browser]: Tor browser deanonymization/fingerprinting via cached intermediate CAs
#21559: Tor browser deanonymization/fingerprinting via cached intermediate CAs
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting, tbb-linkability  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
FWIW:
1) It's not an ordinary cache, but just a fallback for misconfigured
servers made for "fixing" issues like #2167, #9479, #18218, #19371, but
doesn't work as you see, because it's useless for a stateless browser and
should be disabled.
https://bugzilla.mozilla.org/show_bug.cgi?id=1334485#c11
2) Mozilla urgently disabled SHA-1 and removed WoSign busters from the
root.
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824#c1
3) PoC successfully stress-tested the network subsystem of Firefox, leading
to a potentially exploitable crash. The cache should be disabled to reduce the
surface and check whether it's the root cause.
https://bugzilla.mozilla.org/show_bug.cgi?id=1334485#c21
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21559#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs