[tor-bugs] #6458 [Firefox Patch Issues]: Disable HSTS for third party content on non-HSTS domains

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Jul 24 07:56:53 UTC 2012


#6458: Disable HSTS for third party content on non-HSTS domains
----------------------------------+-----------------------------------------
 Reporter:  mikeperry             |          Owner:  mikeperry
     Type:  defect                |         Status:  new      
 Priority:  major                 |      Milestone:           
Component:  Firefox Patch Issues  |        Version:           
 Keywords:  tbb-linkability       |         Parent:           
   Points:                        |   Actualpoints:           
----------------------------------+-----------------------------------------

Comment(by mikeperry):

 gk: We currently clear HSTS on New Identity, but we do not disable it
 entirely. It's my feeling that an HSTS supercookie is a rather extremely
 visible and heavy-weight attack that is not worth disabling the security
 benefits of HSTS to mitigate. Do you disagree? Should we create a stopgap
 "Disable HSTS" ticket in the meantime until this one can get closed?

 I could go either way. We also have until #5742 is closed to decide for
 sure, since #5742 is probably the current best known long term 3rd party
 linkability vector between "New Identity" invocations.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6458#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

