[tor-bugs] #18589 [Applications/Tor Browser]: Tor browser writes SiteSecurityServiceState.txt with usage history

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 27 16:02:14 UTC 2017


#18589: Tor browser writes SiteSecurityServiceState.txt with usage history
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-disk-leak             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gacar):

 Replying to [comment:10 gk]:
 > We might want to look at the amount of sites that provide HSTS/HPKP
 > headers while not being on the preload list. If the amount of those sites
 > is small (or if the amount of those sites in the top 1,000,000 sites is
 > small?) we might want to think about clearing the state after a session as
 > well.


 I compared the preloaded STS sites on mozilla-central [0] to top 1 million
 sites that send STS headers [1].

 There were:
 * 18317 preload sites
 * 39408 sites that send STS headers in top million

 Only 1883 of the 39408 STS sites were found in the preloaded list. I took
 `include_subdomains` into consideration when matching the domains in the two
 lists.

 [0]: https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc
 [1]: https://scans.io/study/scott-top-one-million (version: 14/3/2017)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18589#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
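
The matching described in the comment above, as an added example that is not part of the original message or of any Tor Project or Mozilla code: an STS site counts as preloaded when it has its own entry or when a parent domain is listed with `include_subdomains` set. The dict layout, function names and host names are constructed assumptions, not the format of nsSTSPreloadList.inc or of the scan data.

```python
# Added example: split a set of STS-sending hosts into those covered by a
# preload list and those that are not. Hosts that are not covered are the ones
# whose HSTS state can only come from visiting them, so they are the entries
# that would be learned at runtime and written to SiteSecurityServiceState.txt.

# Constructed sample preload list: host -> include_subdomains flag.
PRELOAD = {
    "example.com": True,        # covers itself and every subdomain
    "example.org": False,       # covers only the exact host
    "login.example.net": True,  # covers only this subtree of example.net
}

# Constructed sample of hosts observed sending an STS header.
STS_HOSTS = [
    "example.com", "www.example.com", "EXAMPLE.COM.",
    "example.org", "www.example.org",
    "a.login.example.net", "example.net",
]


def normalize(host):
    """Lower-case a host name and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")


def is_preloaded(host, preload):
    """True if host has an exact entry, or a parent with include_subdomains."""
    labels = normalize(host).split(".")
    if ".".join(labels) in preload:
        return True
    # Walk up the parent domains: a.b.c -> b.c -> c
    return any(preload.get(".".join(labels[i:]), False)
               for i in range(1, len(labels)))


def split_by_preload(sts_hosts, preload):
    """Return (covered, not_covered) sets of normalized host names."""
    hosts = {normalize(h) for h in sts_hosts}
    covered = {h for h in hosts if is_preloaded(h, preload)}
    return covered, hosts - covered


if __name__ == "__main__":
    covered, not_covered = split_by_preload(STS_HOSTS, PRELOAD)
    print("covered by preload list:", sorted(covered))
    print("runtime-learned only:  ", sorted(not_covered))
```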

