[tbb-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 30 17:35:44 UTC 2015


#17965: Isolate HPKP pinning to url bar domain
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  High     |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability,
  Browser                |  TorBrowserTeam201601
     Severity:  Normal   |  Parent ID:
Actual Points:           |    Sponsor:
       Points:           |
-------------------------+-------------------------------------------------
 HPKP pinning (where an HTTP header can list a key to pin) may enable
 third-party tracking if an adversary creates multiple certificates for many
 domains.

 HPKP is already memory-only. In normal Firefox, it is saved to disk in the
 same location as HSTS is.

 We should isolate HPKP to the url bar domain, and verify that it and HSTS
 are cleared on New Identity (I believe they are).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17965>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
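
The isolation requested in the ticket above, sketched as an added example; this is a conceptual model and not Tor Browser or Firefox code. PinStore, parsePkpHeader, crossSiteView and the .example hosts are hypothetical, and the model skips pin validation and includeSubDomains.

```javascript
// Added example: conceptual model only, not Tor Browser or Firefox code.
// PinStore, parsePkpHeader and crossSiteView are hypothetical names.

// Parse the pin-sha256 and max-age directives of a Public-Key-Pins header.
function parsePkpHeader(value) {
  const out = { pins: [], maxAge: null };
  for (const part of value.split(";")) {
    const d = part.trim();
    const eq = d.indexOf("=");
    if (eq === -1) continue; // valueless directives are not modelled
    const name = d.slice(0, eq).trim().toLowerCase();
    const raw = d.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "pin-sha256") out.pins.push(raw);
    else if (name === "max-age" && /^\d+$/.test(raw)) out.maxAge = Number(raw);
  }
  return out.maxAge === null ? null : out; // max-age is required
}

class PinStore {
  constructor(isolate) { this.isolate = isolate; this.entries = new Map(); }
  // Isolated: key on (URL bar domain, host). Shared: key on host alone.
  key(firstParty, host) { return this.isolate ? `${firstParty}|${host}` : host; }
  note(firstParty, host, headerValue, nowMs) {
    const p = parsePkpHeader(headerValue);
    if (!p) return false;
    const k = this.key(firstParty, host);
    if (p.maxAge === 0) { this.entries.delete(k); return true; } // unpin
    if (p.pins.length === 0) return false;
    this.entries.set(k, { pins: p.pins, expires: nowMs + p.maxAge * 1000 });
    return true;
  }
  lookup(firstParty, host, nowMs) {
    const k = this.key(firstParty, host);
    const e = this.entries.get(k);
    if (e && e.expires <= nowMs) { this.entries.delete(k); return null; }
    return e ? e.pins : null;
  }
  clear() { this.entries.clear(); } // what New Identity must guarantee
}

// Constructed scenario: one host embedded under two different URL bar domains.
function crossSiteView(isolate) {
  const store = new PinStore(isolate);
  store.note("news.example", "widget.example",
             'pin-sha256="CONSTRUCTED-PIN-A="; max-age=3600', 0);
  return store.lookup("shop.example", "widget.example", 1000);
}
```

With a shared store the pin state noted under one URL bar domain is visible under the other, which is the linkability the ticket describes; with isolation the second site sees no state.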

