[tor-bugs] #17965 [Tor Browser]: Isolate HPKP pinning to url bar domain

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Feb 19 12:07:23 UTC 2016


#17965: Isolate HPKP pinning to url bar domain
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:
Component:  Tor Browser                          |  needs_revision
 Severity:  Normal                               |      Milestone:
 Keywords:  tbb-linkability,                     |        Version:
  TorBrowserTeam201602                           |     Resolution:
Parent ID:                                       |  Actual Points:
  Sponsor:                                       |         Points:
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:  tbb-linkability, TorBrowserTeam201602R => tbb-linkability,
     TorBrowserTeam201602
 * status:  needs_review => needs_revision


Comment:

 Do we have any numbers on how many extensions are actually using the
 methods in nsSiteSecurityService? I fear there are a bunch and it seems
 that already one is enough to make the whole Tor Browser unusable.

 This is in `needs_revision` because I think the approach does not work,
 especially if we think about upstreaming that patch (apart from the fact
 that the HTTPS-E patch is either wrong because HTTPS-E is used to a great
 deal outside of the Tor Browser context, too (and there is no
 `isSecureChannel()` available) or not sufficient as we would need to patch
 HTTPS-E for us during the bundling step).

 So, what about this: we introduce an `nsISiteSecurityService2` containing
 the changes we want and then we make sure that callers from a non-chrome
 context + chrome context we control (i.e. browser chrome) are using that.
 That would leave the extensions unbroken. I guess given the things
 extensions can already do and that we need to trust them anyway the
 HSTS/HPKP bits do not matter much for now. This idea would probably make
 it easier for us to get our patch upstreamed as nothing existing would
 break + it would outline a proper way forward: Mozilla could start
 deprecating `nsISiteSecurityService` in favor of
 `nsISiteSecurityService2`. This would allow us getting rid of
 `nsISiteSecurityService` in extensions as well eventually.

 Another thing we could do is try to talk to some Mozilla devs about
 whether they know a better solution that they would merge (instead).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17965#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

