[tor-bugs] #4100 [Firefox Patch Issues]: Isolate SPDY and HTTP Keep-Alive to top-level domain (was: Isolate TLS Session IDs and HTTP Keep-Alive to top-level domain)
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Jun 7 21:03:13 UTC 2012
#4100: Isolate SPDY and HTTP Keep-Alive to top-level domain
----------------------------------+-----------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: new
Priority: major | Milestone: TorBrowserBundle 2.3.x-stable
Component: Firefox Patch Issues | Version:
Keywords: tbb-linkability | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by mikeperry):
* priority: normal => major
Old description:
> We need to prevent 3rd party domains from being able to correlate
> activity using either TLS Session IDs or HTTP Keep-Alive.
>
> In #4099, we plan to simply disable TLS session resumption and HTTP keep-
> alive. Long term, we should try to find a way to preserve these features
> by preventing them from applying to third parties from different top-
> level domains.
New description:
We need to prevent 3rd party domains from being able to correlate activity
using HTTP Keep-Alive connections. We limited this linkability in #4603,
but we should solve it entirely, if we can.
--
Comment:
The NSS code is so decoupled from the rest of Firefox that I think
expecting to re-enable TLS Session IDs after binding them to top-level
domain is out of the question. Let's just make this ticket focus on
binding HTTP Keepalive and SPDY to top-level domains.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4100#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list