On Mon, Nov 2, 2009 at 12:03 PM, Aaron Boodman <a...@chromium.org> wrote: > On Thu, Oct 22, 2009 at 1:10 PM, Mike Perry <mikeperry.unu...@gmail.com> > wrote: >> 7. SSL Session ID Clearing >> >> SSL Session IDs are GUIDs used to reduce round trips on the SSL >> handshake by providing an identifier to reference a recently >> established SSL session. >> >> I checked the Incognito code, and it does clear the approved SSL >> certificate cache, which is great. However, if a user connects to >> https://secure.wikileaks.org without Incognito and then opens up an >> Incognito window to do the same, the Session IDs remain the same >> across both windows, and are a unique identifier that can be used to >> generally track users. You can see this happen with Wireshark on >> Windows Chrome 3.0.195.27. >> >> Exposing an API to completely reset the SSL state in a specific tab >> processes or profile instance would be workable, however I could also >> see this code just being added to the code that already rebuilds >> Incognito's SSL cert caches in >> OffTheRecordProfileImpl::GetSSLHostState(). > > It seems like maybe this is just a bug in Chrome? If so, perhaps a > good place to start would be to fix it.
This is not a bug in the current security model for incognito because incognito is about not leaving tracks on your local machine. However, incognito has a bunch of behaviors around general privacy improvements. I'd certainly welcome a patch that used distinct SSL session IDs for incognito mode. Adam --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Chromium-extensions" group. To post to this group, send email to chromium-extensions@googlegroups.com To unsubscribe from this group, send email to chromium-extensions+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/chromium-extensions?hl=en -~----------~----~----~----~------~----~------~--~---
