[tor-dev] handling TLS Session Ticket/Identifier for Android
Hans-Christoph Steiner
hans at guardianproject.info
Mon Oct 31 11:04:28 UTC 2016
Georg Koppen:
> Tom Ritter:
>> The info I gave you was for Tor Browser, the the latter (about session
>> ID) is actually wrong. TBB disables both.
>>
>> https://trac.torproject.org/projects/tor/ticket/20447#ticket
>> https://gitweb.torproject.org/tor-browser.git/tree/security/manager/ssl/nsNSSComponent.cpp?h=tor-browser-45.4.0esr-6.5-1#n724
>>
>> Also: https://trac.torproject.org/projects/tor/ticket/4099
>
> Don't forget https://trac.torproject.org/projects/tor/ticket/17252 which
> is our medium/long term plan.
>
> I spoke about binding the TLS session resumption and ID to the URL bar
> domain with some Mozilla folks a while back and they seemed to be quite
> amenable to this kind of patch idea. I guess I finally should file that
> bug in Mozilla's bugtracker to get it on everybody's radar...
>
> Georg
>
>> Core Tor also disables both also AFAICT:
>> https://gitweb.torproject.org/tor.git/commit/?id=8743080a289a20bfaf0a67d6382ba0c2a6d6534d
>> https://gitweb.torproject.org/tor.git/tree/src/common/tortls.c#n1164
>>
>> -tom
Thanks for this. I'll have to convert this to Java and get it
integrated into NetCipher. This affects Orfox/Fennec by the way.
Fennec uses Java code to fetch some things. I think the favicon is
fetched with Java code, for example.
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
More information about the tor-dev
mailing list