[tbb-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jan 18 06:50:24 UTC 2016


#17965: Isolate HPKP pinning to url bar domain
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_review
 Priority:  High                                 |      Milestone:
Component:  Tor Browser                          |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-linkability,                     |  Actual Points:
  TorBrowserTeam201601R                          |
Parent ID:                                       |         Points:
  Sponsor:                                       |
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):

 * status:  assigned => needs_review
 * keywords:  tbb-linkability, TorBrowserTeam201601 => tbb-linkability,
     TorBrowserTeam201601R


Comment:

 Here is a branch that isolates both HSTS and HPKP.

 https://github.com/arthuredelstein/tor-browser/commits/17965+1

 The same mechanism is used to store both HSTS and HPKP state, so I isolate
 both HSTS and HPKP in the first patch. Note that I left out isolation for
 SpeculativeConnect for now, because we have it disabled, and otherwise the
 patch would be substantially larger and more complicated.

 The second patch in this branch provides a regression test for HSTS
 isolation. I still need to write a regression test for HPKP isolation.

 Unfortunately, I discovered that mochitests fail to load https sites when
 our "security.nocertdb" pref is enabled. So to run this test, one needs to
 temporarily set that pref to false in
 `browser/app/profile/000-tor-browser.js`. I opened #18087 to address this
 issue.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17965#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
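
The isolation described in the comment above, as an added example that is not code from the linked branch or from Tor Browser: a simplified model of one store holding both HSTS and HPKP state, partitioned by the URL bar (first-party) domain, with a constructed scenario shaped like an isolation regression test. The class, function names, hostnames and pin value are all hypothetical.

```javascript
// Simplified model (assumption, not Tor Browser code): one store for HSTS and
// HPKP state, partitioned by the URL bar (first-party) domain.
const HSTS = "hsts";
const HPKP = "hpkp";
class IsolatedSiteSecurityStore {
  constructor() { this.entries = new Map(); } // "firstParty|type|host" -> entry
  static key(firstParty, type, host) {
    return [firstParty, type, host].map(s => s.toLowerCase()).join("|");
  }
  // Record state from a header seen while firstParty was in the URL bar.
  set(firstParty, type, host, { maxAgeSec, includeSubdomains = false, pins = [] }, nowMs) {
    const k = IsolatedSiteSecurityStore.key(firstParty, type, host);
    if (maxAgeSec === 0) { this.entries.delete(k); return; } // max-age=0 clears state
    this.entries.set(k, { expiresMs: nowMs + maxAgeSec * 1000, includeSubdomains, pins });
  }
  // Look up host, then each parent domain (includeSubdomains entries only),
  // but only inside the given first-party partition.
  get(firstParty, type, host, nowMs) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join(".");
      const e = this.entries.get(IsolatedSiteSecurityStore.key(firstParty, type, candidate));
      if (e && e.expiresMs > nowMs && (i === 0 || e.includeSubdomains)) return e;
    }
    return null;
  }
}

// Should an http:// load of host be upgraded to https:// under firstParty?
function shouldUpgrade(store, firstParty, host, nowMs) {
  return store.get(firstParty, HSTS, host, nowMs) !== null;
}

// Constructed scenario: state learned under a.example must not be visible
// when the same third-party host is loaded under b.example.
function demo() {
  const store = new IsolatedSiteSecurityStore();
  store.set("a.example", HSTS, "cdn.example", { maxAgeSec: 3600, includeSubdomains: true }, 0);
  store.set("a.example", HPKP, "cdn.example", { maxAgeSec: 3600, pins: ["PLACEHOLDER_PIN"] }, 0);
  return {
    sameFirstParty: shouldUpgrade(store, "a.example", "img.cdn.example", 1000),
    otherFirstParty: shouldUpgrade(store, "b.example", "img.cdn.example", 1000),
    pinsOtherFirstParty: store.get("b.example", HPKP, "cdn.example", 1000),
    afterExpiry: shouldUpgrade(store, "a.example", "cdn.example", 3600 * 1000),
  };
}
```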