[tor-bugs] #6458 [Firefox Patch Issues]: Disable HSTS for third party content on non-HSTS domains
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Jul 24 12:50:14 UTC 2012
#6458: Disable HSTS for third party content on non-HSTS domains
----------------------------------+-----------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: tbb-linkability | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Comment(by gk):
Replying to [comment:2 mikeperry]:
> gk: We currently clear HSTS on New Identity, but we do not disable it
> entirely. It's my feeling that an HSTS supercookie is a rather extremely
> visible and heavy-weight attack that is not worth disabling the security
> benefits of HSTS to mitigate. Do you disagree?
No.
> Should we create a stopgap "Disable HSTS" ticket in the meantime until
> this one can get closed?
No.
What makes me a bit nervous here is relaxing the security requirements
HSTS imposes (opening the road for e.g. injecting malicious scripts which
could be prevented by HSTS) and how to translate that to the user. I mean,
everybody is getting trained to "HSTS is important in making your browsing
session safer", right? Thus, I wonder if we may find a better solution to
this identifier problem (although I cannot come up with one yet). The one
mentioned on
http://www.leviathansecurity.com/blog/archives/12-The-Double-Edged-Sword-of-HSTS-Persistence-and-Privacy.html
does not help, though.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6458#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
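Added example (not Tor Browser code, and not anything attached to the ticket): a small simulation of the "HSTS supercookie" the comment refers to, and of the policy the ticket title proposes, i.e. no HSTS upgrade for third-party loads when the first-party site itself has no HSTS entry. The store model, the host names (`b<i>.tracker.example`, `news.example`), the 8-bit identifier width and the `thirdPartyGuard` flag are illustrative assumptions chosen for the demo. The tracker encodes one bit per subdomain by serving Strict-Transport-Security for the subdomains whose bit is 1, and later reads the identifier back by observing which plain http:// loads the browser silently upgrades.

```javascript
// Added example, not Tor Browser code. Models an HSTS store, the supercookie
// built on it, the "New Identity" clear, and the ticket's proposed guard.
// All host names and the identifier width are assumptions for the demo.

const ID_BITS = 8; // assumed identifier width: one subdomain per bit

// Minimal HSTS store: a set of hosts that must be loaded over https.
class HstsStore {
  constructor() { this.hosts = new Set(); }
  add(host) { this.hosts.add(host); }
  has(host) { return this.hosts.has(host); }
  clear() { this.hosts.clear(); } // what "New Identity" does to the store
}

// Crude same-site check on the last two labels; adequate for these hosts.
function sameSite(a, b) {
  const tail = h => h.split('.').slice(-2).join('.');
  return tail(a) === tail(b);
}

// Browser model deciding whether an http:// fetch is upgraded to https://.
// thirdPartyGuard is the ticket's proposal: if the first-party host has no
// HSTS entry, third-party loads are not upgraded even if their host has one.
class Browser {
  constructor(store, { thirdPartyGuard = false } = {}) {
    this.store = store;
    this.thirdPartyGuard = thirdPartyGuard;
  }
  // Scheme actually used for http://host requested from a page on firstParty.
  fetchScheme(host, firstParty) {
    const thirdParty = !sameSite(host, firstParty);
    if (this.thirdPartyGuard && thirdParty && !this.store.has(firstParty)) {
      return 'http';
    }
    return this.store.has(host) ? 'https' : 'http';
  }
  // Simulates an https response that carried Strict-Transport-Security.
  receiveHsts(host) { this.store.add(host); }
}

// Tracker side: subdomain i carries bit i of the identifier.
const bitHost = i => `b${i}.tracker.example`;

// Write: serve HSTS only for the subdomains whose bit is set.
function writeId(browser, id) {
  for (let i = 0; i < ID_BITS; i++) {
    if ((id >> i) & 1) browser.receiveHsts(bitHost(i));
  }
}

// Read: request http://b<i>... from the current page; an upgrade means bit 1.
function readId(browser, firstParty) {
  let id = 0;
  for (let i = 0; i < ID_BITS; i++) {
    if (browser.fetchScheme(bitHost(i), firstParty) === 'https') id |= 1 << i;
  }
  return id;
}

// One end-to-end run: first visit writes 0xA5, a later page reads it back.
function scenario({ thirdPartyGuard = false, firstParty, firstPartyHsts = false,
                    clearBeforeRead = false }) {
  const store = new HstsStore();
  const browser = new Browser(store, { thirdPartyGuard });
  if (firstPartyHsts) browser.receiveHsts(firstParty);
  writeId(browser, 0xA5);
  if (clearBeforeRead) store.clear(); // New Identity between visits
  return readId(browser, firstParty);
}

// Stand-alone demo of the four cases discussed on the ticket.
console.log('no guard, third-party read:      0x' + scenario({ firstParty: 'news.example' }).toString(16));
console.log('no guard, after New Identity:    0x' + scenario({ firstParty: 'news.example', clearBeforeRead: true }).toString(16));
console.log('guard, non-HSTS first party:     0x' + scenario({ thirdPartyGuard: true, firstParty: 'news.example' }).toString(16));
console.log('guard, HSTS first party:         0x' + scenario({ thirdPartyGuard: true, firstParty: 'news.example', firstPartyHsts: true }).toString(16));
console.log('guard, tracker is first party:   0x' + scenario({ thirdPartyGuard: true, firstParty: 'tracker.example' }).toString(16));
```

The runs show why the comment calls the attack heavy-weight (it costs one https fetch per bit on write and one http fetch per bit on read, all visible on the wire) and also the limits of the proposed guard: it blocks the read-back only for third-party content on a first party that itself lacks HSTS, while a tracker that is the first party, or a first party that does have HSTS, can still read the identifier; only the "New Identity" clear wipes it.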