[tor-bugs] #28536 [Applications/Tor Browser]: SuperCookie Built Into TLS 1.2 and 1.3
    Tor Bug Tracker & Wiki 
    blackhole at torproject.org
       
    Wed Nov 21 10:50:51 UTC 2018
    
    
  
#28536: SuperCookie Built Into TLS 1.2 and 1.3
--------------------------------------+----------------------------
 Reporter:  heyjoe                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  closed
 Priority:  Very High                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:  worksforme
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+----------------------------
Comment (by heyjoe):
 I don't think this has anything to do with privacy.firstparty.isolate in
 particular.
 From what I read in the article the essential issue is that the user can
 be tracked across multiple IP addresses (and obviously identities) due to
 the way TLS works - the storage of keys. In that sense - what does first
 party mean? It is not an issue with primary and external domains.
 You say:
 > We leave the other preferences as-is
 but TBB doesn't have security.ssl.disable_session_identifiers which the
 article recommends. Considering that
 https://www.torproject.org/projects/torbrowser/design/ says
 > We disable TLS Session Tickets and SSL Session IDs by setting
 > security.ssl.disable_session_identifiers to true.
 this is actually a bug as such setting is simply missing in about:config.
 The same page also says:
 > To compensate for the increased round trip latency from disabling these
 > performance optimizations, we also enable TLS False Start via the Firefox
 > Pref security.ssl.enable_false_start.
 which is contrary to the recommendation in the article about setting it to
 false.
 So I don't quite see what you mean by "works for me".
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28536#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
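
One way to check which of the two TLS preferences discussed in the comment above a Firefox-style preference file actually sets, as an added example that is not part of the original post or of Tor Browser's code. The expected values are the ones the design document is quoted as stating; the function names and the sample file content are constructed for illustration, and "absent" only means the file given does not set that preference.

```python
import re

# Values the Tor Browser design document states, as quoted in the comment above.
DESIGN_DOC_PREFS = {
    "security.ssl.disable_session_identifiers": True,
    "security.ssl.enable_false_start": True,
}

# Matches pref("name", value); and user_pref("name", value); at line start,
# so lines commented out with // are skipped.
PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)

def parse_prefs(text):
    """Return {name: value} from Firefox-style preference file text."""
    prefs = {}
    for name, raw in PREF_LINE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=DESIGN_DOC_PREFS):
    """Classify each expected preference as 'ok', 'mismatch' or 'absent'."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in expected.items():
        if name not in prefs:
            report[name] = "absent"      # not set in this file
        elif prefs[name] is want:
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report

# Constructed sample input, not taken from a real profile.
SAMPLE = '''
// user_pref("security.ssl.disable_session_identifiers", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("security.ssl.enable_false_start", false);
user_pref("browser.startup.page", 0);
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:8} {name}")
```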
    
    