[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #8557 [Firefox Patch Issues]: Audit and possibly enable safebrowsing

To: undisclosed-recipients:;
Subject: [tor-bugs] #8557 [Firefox Patch Issues]: Audit and possibly enable safebrowsing
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 21 Mar 2013 21:47:15 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 21 Mar 2013 17:47:23 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#8557: Audit and possibly enable safebrowsing
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  defect                |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:  tbb-pref              |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------
 TBB currently disables safebrowsing. I would like to answer the following
 questions before we enable it:

 1. Does Firefox stop fetching safebrowsing data if the browser is
 inactive? The spec says the list is updated every 30 minutes, but doesn't
 say anything about user activity.
 2. The data itself is authenticated, but it is also served over HTTP, and
 the protocol supports requesting specific lists and segments. This
 introduces the ability of exits to repeatedly block list segments in an
 attempt to create a supercookie in the client that appears like it can
 persist for up to 6 hours (based on the retry behavior in
 https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Client_Backoff).
 Is there a way for exits/websites to read this supercookie at will?
 3. Related: Should we clear the safebrowsing list data on New Identity (or
 does this just cause a lot of pointless network overhead)?
 4. It looks like we definitely would need to clear the MAC key on New
 Identity. How do we do that? Does doing so invalidate our previous list
 data?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8557>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #8557 [Firefox Patch Issues]: Audit and possibly enable safebrowsing
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #8557 [Firefox Patch Issues]: Audit and possibly enable safebrowsing
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #8544 [Tor Cloud]: Create a CloudFormation template for provisioning Tor Cloud images
Next by Author: Re: [tor-bugs] #8557 [Firefox Patch Issues]: Audit and possibly enable safebrowsing
Previous by thread: Re: [tor-bugs] #8003 [Quality Assurance and Testing]: Short user manual should add some text about obfsproxy bundles
Next by thread: Re: [tor-bugs] #8557 [Firefox Patch Issues]: Audit and possibly enable safebrowsing
Index(es):
- Author
- Thread