[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #28536 [Applications/Tor Browser]: SuperCookie Built Into TLS 1.2 and 1.3

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #28536 [Applications/Tor Browser]: SuperCookie Built Into TLS 1.2 and 1.3
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 21 Nov 2018 10:50:51 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 21 Nov 2018 05:51:03 -0500
In-reply-to: <046.bb9c09cd5b21326e23a2b0535dda7730@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <046.bb9c09cd5b21326e23a2b0535dda7730@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#28536: SuperCookie Built Into TLS 1.2 and 1.3
--------------------------------------+----------------------------
 Reporter:  heyjoe                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  closed
 Priority:  Very High                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  worksforme
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+----------------------------

Comment (by heyjoe):

 I don't think this has anything to do with privacy.firstparty.isolate in
 particular.

 From what I read in the article the essential issue is that the user can
 be tracked across multiple IP addresses (and obviously identities) due to
 the way TLS works - they storage of keys. In that sense - what does first
 party mean? It is not an issue with primary and external domains.

 You say:

 > We leave the other preferences as-is

 but TBB doesn't have security.ssl.disable_session_identifiers which the
 article recommends. Considering that
 https://www.torproject.org/projects/torbrowser/design/ says

 > We disable TLS Session Tickets and SSL Session IDs by setting
 security.ssl.disable_session_identifiers to true."

 this is actually a bug as such setting is simply missing in about:config.
 The same page also says:

 > To compensate for the increased round trip latency from disabling these
 performance optimizations, we also enable TLS False Start via the Firefox
 Pref security.ssl.enable_false_start.

 which is contrary to the recommendation in the article about setting it to
 false.

 So I don't quite see what you mean by "works for me".

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28536#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #28536 [Core Tor]: SuperCookie Built Into TLS 1.2 and 1.3
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #25658 [Applications/Tor Browser]: Activity 2.1: Improve user understanding and user control by clarifying Tor Browser's security features
Next by Author: Re: [tor-bugs] #19335 [Applications/Tor Browser]: Tor circuit display shows example circuit instead of real
Previous by thread: Re: [tor-bugs] #28536 [Applications/Tor Browser]: SuperCookie Built Into TLS 1.2 and 1.3
Next by thread: Re: [tor-bugs] #28536 [Applications/Tor Browser]: SuperCookie Built Into TLS 1.2 and 1.3
Index(es):
- Author
- Thread