[tor-bugs] #18589 [Applications/Tor Browser]: Tor browser writes SiteSecurityServiceState.txt with usage history

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 27 17:05:43 UTC 2017


#18589: Tor browser writes SiteSecurityServiceState.txt with usage history
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-disk-leak             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gacar):

 Although the number of preloaded STS sites is small, popular STS sites are
 more likely to be included in the preload list:

 || '''Site rank''' || '''# of preloaded STS sites[[BR]]/[[BR]]# of STS enabled sites''' ||
 || Top 10 || 33% ||
 || Top 100 || 24% ||
 || Top 1K || 16.5% ||
 || Top 10K || 12.5% ||
 || Top 100K || 8.5% ||
 || Top 1M || 4.7% (1883/39408) ||

 Anyways, I think the privacy risk of revealing browsing history still
 outweighs the potential security benefits.

 PS: I should also note that I couldn't completely reproduce the problem
 with 6.5.1 and 7.0a2 on Linux 64. Although I visited several sites that
 send HSTS headers, only a few TPO and AMO-related domains
 (aus1.torproject.org, www.torproject.org, aus1.torproject.org) were added
 to the SiteSecurityServiceState.txt (something to do with the chrome vs
 content connections?).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18589#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

