Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them

2018-08-13 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  closed
 Priority:  High                          |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:  fixed
 Keywords:  tbb-linkability, ff60-esr,    |  Actual Points:
  tbb-performance, TorBrowserTeam201808R  |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------
Changes (by gk):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 Looks good. I cherry-picked the patch on top of
 `tor-browser-60.1.0esr-8.0-1` (commit
 975b6f238bf21fc0e567f7622871a3f55722913d).

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them

2018-08-10 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-linkability, ff60-esr,    |  Actual Points:
  tbb-performance, TorBrowserTeam201808R  |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------
Changes (by arthuredelstein):

 * keywords:  tbb-linkability, ff60-esr, tbb-performance,
 TorBrowserTeam201808 => tbb-linkability, ff60-esr, tbb-performance,
 TorBrowserTeam201808R


Comment:

 Jonathan Hao at Mozilla implemented FPI (OriginAttribute isolation) of
 session identifiers and session tickets in
 https://hg.mozilla.org/mozilla-central/rev/9aba8184664d. That patch
 includes unit tests to show that isolation is effective when
 "privacy.firstparty.isolate" is enabled.

 I also reviewed the code to understand it better:

 Each session ticket or session identifier is stored in an instance of the
 same `sslSessionID` struct:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/nss/lib/ssl/sslimpl.h#462

 `sslSessionID` instances are stored in the session cache, keyed by a
 `peerID` string:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/nss/lib/ssl/sslnonce.c#285

 The security manager sets the `peerID` string to include OriginAttributes
 suffix from the socket:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/manager/ssl/nsNSSIOLayer.cpp#2709

 Therefore we can be confident that session tickets/identifiers are
 isolated by first party. So here's my patch for review:

 https://github.com/arthuredelstein/tor-browser/commit/17252

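
The keying that the 2018-08-10 review traces through `sslSessionID`, the session cache and `peerID`, reduced to a small model; this is an added example, not code from the message, NSS or Firefox. The `host:port^firstPartyDomain=...` key layout, the `cache_store`/`cache_lookup` names, and the `.example` hosts and ticket values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS 8
/* Simplified stand-in for an sslSessionID cache entry (not the NSS struct). */
struct entry {
    char peer_id[160]; /* cache key; carries the first-party suffix */
    char ticket[32];   /* opaque resumption state (constructed value) */
    int used;
};
static struct entry cache[SLOTS];
/* Assumed key layout: host:port plus an OriginAttributes-style suffix. */
static void make_peer_id(char *out, size_t n, const char *host, int port,
                         const char *fp) {
    snprintf(out, n, "%s:%d^firstPartyDomain=%s", host, port, fp);
}

/* Store (or overwrite) the session for host:port under first party fp. */
int cache_store(const char *host, int port, const char *fp, const char *ticket) {
    char key[160];
    int slot = -1;
    make_peer_id(key, sizeof key, host, port, fp);
    for (int i = 0; i < SLOTS; i++) {
        if (cache[i].used && strcmp(cache[i].peer_id, key) == 0) { slot = i; break; }
        if (!cache[i].used && slot < 0) slot = i;
    }
    if (slot < 0) return -1; /* cache full */
    strcpy(cache[slot].peer_id, key);
    snprintf(cache[slot].ticket, sizeof cache[slot].ticket, "%s", ticket);
    cache[slot].used = 1;
    return 0;
}

/* A session is offered for resumption only if the whole key, suffix included, matches. */
const char *cache_lookup(const char *host, int port, const char *fp) {
    char key[160];
    make_peer_id(key, sizeof key, host, port, fp);
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && strcmp(cache[i].peer_id, key) == 0)
            return cache[i].ticket;
    return NULL;
}

int main(void) {
    cache_store("cdn.example", 443, "news.example", "ticket-A");
    const char *other = cache_lookup("cdn.example", 443, "shop.example");
    printf("news.example: %s\n", cache_lookup("cdn.example", 443, "news.example"));
    printf("shop.example: %s\n", other ? other : "(none, full handshake)");
    return 0;
}
```

The same third-party host reached from a different first party finds no cached session, so it sees a full handshake and no resumption state that would link the two visits.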

Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them

2018-07-05 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-linkability, ff60-esr,    |  Actual Points:
  tbb-performance, TorBrowserTeam201807   |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------
Changes (by gk):

 * priority:  Medium => High



Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them

2018-05-28 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-linkability, ff60-esr,    |  Actual Points:
  tbb-performance, TorBrowserTeam201805   |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------
Changes (by gk):

 * keywords:  tbb-linkability, ff52-esr, tbb-performance,
 TorBrowserTeam201805 => tbb-linkability, ff60-esr, tbb-performance,
 TorBrowserTeam201805


Comment:

 #26218 is a duplicate.


Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them

2017-11-07 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-linkability, ff52-esr,    |  Actual Points:
  TorBrowserTeam201711, tbb-performance   |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------

Comment (by arthuredelstein):

 I just noticed that the pref "security.enable_tls_session_tickets" was
 removed from Firefox in 2013:
 https://bugzilla.mozilla.org/show_bug.cgi?id=917049. So we can definitely
 remove that pref from `browser/app/profile/000-tor-browser.js`.

 Fortunately, the pref we uplifted in 2014,
 "security.ssl.disable_session_identifiers" is still present in Firefox,
 and is designed to disable both session IDs and session tickets
 (https://bugzilla.mozilla.org/show_bug.cgi?id=967977). The question
 remains whether we should remove this pref as well.


Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them

2017-11-02 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-linkability, ff52-esr,    |  Actual Points:
  TorBrowserTeam201711, tbb-performance   |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------
Changes (by arthuredelstein):

 * cc: arthuredelstein (added)



Re: [tor-bugs] #17252 [Applications/Tor Browser]: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them (was: Isolate TLS session resumption/ID to the URL bar domain)

2017-11-02 Thread Tor Bug Tracker & Wiki
#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
------------------------------------------+----------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-linkability, ff52-esr,    |  Actual Points:
  TorBrowserTeam201711, tbb-performance   |
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:
------------------------------------------+----------------------------
Changes (by arthuredelstein):

 * keywords:  tbb-linkability, ff52-esr => tbb-linkability, ff52-esr,
 TorBrowserTeam201711, tbb-performance


Comment:

 SSL session tickets and session IDs would be very nice to re-enable now if
 we can, given that every TLS handshake takes two round trips, a big
 performance penalty when using the Tor network.
