[tbb-bugs] #27260 [Applications/Tor Browser]: Audit network.http.spdy.enabled.deps

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Aug 22 21:38:00 UTC 2018

#27260: Audit network.http.spdy.enabled.deps
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting, tbb-linkability, |  Actual Points:
  ff60-esr                                       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by fixtbb):

 $%@! Mozilla! They use two (or more?) different ways to access prefs!

 [https://http2.github.io/http2-spec/#pri-depend Stream Dependencies] looks
 like a QoS for the protocol.
 As Tor Browser uses FPI, all HTTP/2 multiplexed streams should go through
 an isolated Tor circuit for one first party only. Then, from
 [https://http2.github.io/http2-spec/#rfc.section.10.8 Privacy Concerns],
 only a timing-based attack is feasible, but unreliable.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27260#comment:4>