
[tor-bugs] #16673 [Tor Browser]: Isolate HTTP Alternative-Services



#16673: Isolate HTTP Alternative-Services
---------------------------------------+--------------------------
 Reporter:  mikeperry                  |          Owner:  tbb-team
     Type:  defect                     |         Status:  new
 Priority:  normal                     |      Milestone:
Component:  Tor Browser                |        Version:
 Keywords:  ff45-esr, tbb-linkability  |  Actual Points:
Parent ID:                             |         Points:
---------------------------------------+--------------------------
 The HTTP Alternative Services header
 (https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-06) allows websites
 to tell clients to cache destination and protocol settings for certain
 websites.

 While this header enables things like opportunistic encryption, http2
 discovery, etc., unfortunately it is both a supercookie vector and a
 third-party tracking vector. Luckily for us, it was disabled for Firefox 38
 because the initial implementation also enabled URL bar spoofing
 vulnerabilities.

 However, for Firefox 45, we will either need to isolate it, or ensure it
 remains disabled.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16673>
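
The isolation option named in the ticket, sketched as an added example (not Tor Browser or Firefox code): an Alt-Svc cache keyed by origin alone versus one keyed by (first party, origin). The hostnames, the `AltSvcCache` class and its `isolate` option are hypothetical, and the header syntax is assumed to follow RFC 7838, the published form of the draft linked above.

```javascript
// Added example. Parse one Alt-Svc header value into alternative entries.
// Simplified: assumes no commas or semicolons inside the quoted authority.
function parseAltSvc(value) {
  if (value.trim() === "clear") return []; // "clear" invalidates cached entries
  return value.split(",").map((entry) => {
    const [alt, ...params] = entry.split(";").map((s) => s.trim());
    const m = /^([^=\s]+)="([^"]*)"$/.exec(alt);
    if (!m) return null; // skip malformed alternatives
    const ma = params.map((p) => /^ma=(\d+)$/.exec(p)).find(Boolean);
    // RFC 7838 default freshness lifetime is 24 hours when "ma" is absent.
    return { protocol: m[1], authority: m[2], maxAge: ma ? Number(ma[1]) : 86400 };
  }).filter(Boolean);
}

class AltSvcCache {
  constructor({ isolate }) {
    this.isolate = isolate; // hypothetical switch: key by first party or not
    this.entries = new Map();
  }
  key(firstParty, origin) {
    return this.isolate ? `${firstParty}|${origin}` : origin;
  }
  store(firstParty, origin, headerValue, now) {
    const alts = parseAltSvc(headerValue)
      .map((a) => ({ ...a, expires: now + a.maxAge * 1000 }));
    if (alts.length) this.entries.set(this.key(firstParty, origin), alts);
    else this.entries.delete(this.key(firstParty, origin));
  }
  lookup(firstParty, origin, now) {
    const alts = this.entries.get(this.key(firstParty, origin)) || [];
    const fresh = alts.filter((a) => a.expires > now);
    return fresh.length ? fresh[0].authority : null;
  }
}

// Constructed scenario: cdn.example is embedded on two unrelated first parties.
function demo(isolate) {
  const cache = new AltSvcCache({ isolate });
  const origin = "https://cdn.example";
  cache.store("news.example", origin, 'h2="alt.cdn.example:443"; ma=3600', 0);
  return {
    sameSite: cache.lookup("news.example", origin, 1000),
    // Non-null here means state cached under one first party is reused under
    // another, which is the cross-site linkability the ticket wants removed.
    crossSite: cache.lookup("shop.example", origin, 1000),
    expired: cache.lookup("news.example", origin, 3600 * 1000),
  };
}
```

With `isolate: false` the entry learned under news.example is also returned under shop.example; with `isolate: true` the second first party starts with an empty cache.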