[tor-bugs] #16673 [Tor Browser]: Isolate HTTP Alternative-Services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 27 08:01:23 UTC 2015
#16673: Isolate HTTP Alternative-Services
---------------------------------------+--------------------------
Reporter: mikeperry | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: ff45-esr, tbb-linkability | Actual Points:
Parent ID: | Points:
---------------------------------------+--------------------------
The HTTP Alternative Services header (https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-06) allows websites to tell clients to cache destination and protocol settings for certain websites.
While this header enables things like opportunistic encryption, http2 discovery, etc., unfortunately it is both a supercookie vector and a third-party tracking vector. Luckily for us, it was disabled for Firefox 38 because the initial implementation also enabled URL bar spoofing vulnerabilities.
However, for Firefox 45, we will either need to isolate it, or ensure it
remains disabled.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16673>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
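As an added example (not Tor Browser or Firefox code), the isolation the ticket asks for: a toy Alt-Svc cache keyed by first-party host plus origin, with the header parsed per the draft's grammar. The key scheme, default lifetime handling and the host names in the comments are this example's assumptions.

```python
"""Alt-Svc cache with first-party isolation (illustrative, not Firefox or
Tor Browser code). Header syntax follows the alt-svc draft, e.g.
'h2=":443"; ma=2592000' or 'clear'; the (first_party, origin) key is assumed."""
import time


def parse_alt_svc(value):
    """Return [(protocol, alt_host, alt_port, max_age)]; [] for 'clear'.
    Empty alt_host means "same host as the origin"; entries without a
    numeric port are dropped rather than guessed."""
    if value.strip().lower() == "clear":
        return []
    alts = []
    for entry in value.split(","):
        parts = [p.strip() for p in entry.split(";")]
        proto, _, authority = parts[0].partition("=")
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not port.isdigit():
            continue
        max_age = 86400  # draft default: 24 hours when "ma" is absent
        for param in parts[1:]:
            k, _, v = param.partition("=")
            if k.strip().lower() == "ma" and v.strip().isdigit():
                max_age = int(v)
        alts.append((proto.strip(), host, int(port), max_age))
    return alts


class IsolatedAltSvcCache:
    """Alternatives are stored under (first_party, origin): an alternative
    authority learned while tracker.example was embedded in site-a is never
    reused under site-b, so a per-visitor authority cannot link the visits."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}

    def store(self, first_party, origin, header_value):
        key = (first_party, origin)
        alts = parse_alt_svc(header_value)
        if not alts:  # 'clear' (or a malformed header) affects this key only
            self._entries.pop(key, None)
            return
        start = self._now()
        self._entries[key] = [(p, h, port, start + ma) for p, h, port, ma in alts]

    def lookup(self, first_party, origin):
        """Unexpired alternatives for this origin under this first party."""
        now = self._now()
        return [(p, h, port) for p, h, port, exp in
                self._entries.get((first_party, origin), []) if exp > now]
```

A shared (unkeyed) cache would return the site-a entry for site-b as well, which is exactly the cross-site linkability the ticket describes.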