[tbb-bugs] #21559 [Applications/Tor Browser]: Tor browser deanonymization/fingerprinting via cached intermediate CAs
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 28 10:11:29 UTC 2017
#21559: Tor browser deanonymization/fingerprinting via cached intermediate CAs
-------------------------------------------------+-------------------------
Reporter: cypherpunks                            | Owner: tbb-team
Type: defect                                     | Status: new
Priority: Medium                                 | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Normal                                 | Resolution:
Keywords: tbb-fingerprinting, tbb-linkability    | Actual Points:
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
FWIW:
1) It's not an ordinary cache, but just a fallback for misconfigured
servers made for "fixing" issues like #2167, #9479, #18218, #19371, but
doesn't work as you see, because it's useless for a stateless browser and
should be disabled.
https://bugzilla.mozilla.org/show_bug.cgi?id=1334485#c11
2) Mozilla urgently disabled SHA-1 and removed WoSign busters from the
root.
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824#c1
3) PoC successfully stress-tested the network subsystem of Firefox, leading
to a potentially exploitable crash. The cache should be disabled to reduce the
surface and check whether it's the root cause.
https://bugzilla.mozilla.org/show_bug.cgi?id=1334485#c21
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21559#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online