[tor-bugs] #18589 [Applications/Tor Browser]: Tor browser writes SiteSecurityServiceState.txt with usage history
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 27 16:02:14 UTC 2017
#18589: Tor browser writes SiteSecurityServiceState.txt with usage history
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: assigned
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-disk-leak | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by gacar):
Replying to [comment:10 gk]:
> We might want to look at the amount of sites that provide HSTS/HPKP
> headers while not being on the preload list. If the amount of those sites
> is small (or if the amount of those sites in the top 1,000,000 sites is
> small?) we might want to think about clearing the state after a session as
> well.
I compared the preloaded STS sites on mozilla-central [0] to the top 1 million
sites that send STS headers [1].
There were:
* 18317 preload sites
* 39408 sites that send STS headers in the top million
Only 1883 of the 39408 STS sites were found in the preloaded list. I took
`include_subdomains` into consideration when matching the domains in the two
lists.
[0]: https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc
[1]: https://scans.io/study/scott-top-one-million (version: 14/3/2017)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18589#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
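
The matching described in the comment above, as an added example that is not part of the original message and not the commenter's script: it checks each STS-sending host against a preload list, letting an entry with `include_subdomains` set cover every host beneath it. The function names, the `(domain, include_subdomains)` pairs and the host list are constructed for illustration, and the rule that an exact match counts regardless of the flag is an assumption about how the comparison was done.

```python
# Added example; all domains and flags below are constructed sample data.

def build_preload_index(entries):
    """Map each preload domain to its include_subdomains flag."""
    index = {}
    for domain, include_subdomains in entries:
        name = domain.strip().rstrip(".").lower()
        # If a domain is listed twice, keep the broader entry.
        index[name] = index.get(name, False) or bool(include_subdomains)
    return index


def covering_entry(host, index):
    """Return the preload entry that covers host, or None if there is none."""
    name = host.strip().rstrip(".").lower()
    if name in index:
        return name  # exact match counts whatever the flag says (assumption)
    labels = name.split(".")
    # Walk up the parents: a.b.example.com -> b.example.com -> example.com -> com
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if index.get(parent, False):  # parent covers us only with include_subdomains
            return parent
    return None


def split_by_coverage(sts_hosts, index):
    """Partition hosts into those covered by the preload list and the rest."""
    covered, uncovered = [], []
    for host in sts_hosts:
        (covered if covering_entry(host, index) else uncovered).append(host)
    return covered, uncovered


PRELOAD = [  # constructed (domain, include_subdomains) pairs
    ("example.com", True),
    ("static.example.net", False),
    ("example.org", False),
]
STS_HOSTS = [  # constructed hosts that sent an STS header
    "example.com", "www.example.com", "static.example.net",
    "cdn.static.example.net", "www.example.org", "notexample.com", "example.io",
]

if __name__ == "__main__":
    covered, uncovered = split_by_coverage(STS_HOSTS, build_preload_index(PRELOAD))
    print(len(covered), "of", len(STS_HOSTS), "STS hosts are on the preload list")
    for host in uncovered:
        print("not covered by preload:", host)
```

Matching on whole labels rather than raw string suffixes is what keeps `notexample.com` from being counted under `example.com`.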