#18589: Tor browser writes SiteSecurityServiceState.txt with usage history
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-disk-leak             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gacar):

 Replying to [comment:10 gk]:
 > We might want to look at the amount of sites that provide HSTS/HPKP
 > headers while not being on the preload list. If the amount of those
 > sites is small (or if the amount of those sites in the top 1,000,000
 > sites is small?) we might want to think about clearing the state after
 > a session as well.

 I compared the preloaded STS sites on mozilla-central [0] to top 1 million
 sites that send STS headers [1].

 There were:
 * 18317 preload sites
 * 39408 sites that send STS headers in top million

 Only 1883 of the 39408 STS sites were found in the preloaded list.

 I took `include_subdomains` into consideration when matching the domains
 in the two lists.

 [0]: https://hg.mozilla.org/mozilla-central/file/tip/security/manager/ssl/nsSTSPreloadList.inc
 [1]: https://scans.io/study/scott-top-one-million (version: 14/3/2017)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18589#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
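
An added example, not gacar's script and not part of the original ticket: one way to do the comparison described in the comment above, counting which STS-sending hosts are already covered by a preload list when `include_subdomains` is honoured. The `(host, include_subdomains)` input shape, the function names and all sample hosts are assumptions constructed for illustration; the example does not parse nsSTSPreloadList.inc or the scans.io data.

```python
def normalize(host):
    """Lowercase and strip a trailing dot so names compare consistently."""
    return host.strip().lower().rstrip(".")

def build_preload_index(entries):
    """Map host -> include_subdomains from (host, include_subdomains) pairs."""
    index = {}
    for host, include_subdomains in entries:
        host = normalize(host)
        # If a host is listed twice, keep the broader policy.
        index[host] = index.get(host, False) or bool(include_subdomains)
    return index

def covered_by_preload(host, index):
    """True if host is preloaded itself or sits under an include_subdomains entry."""
    host = normalize(host)
    if host in index:
        return True  # exact match counts whatever the flag says
    labels = host.split(".")
    # Walk up the parents: a.b.example.com -> b.example.com -> example.com -> com
    for i in range(1, len(labels)):
        if index.get(".".join(labels[i:]), False):
            return True
    return False

def compare(preload_entries, sts_hosts):
    """Summarise how many STS-sending hosts the preload list already covers."""
    index = build_preload_index(preload_entries)
    hosts = {normalize(h) for h in sts_hosts}
    covered = {h for h in hosts if covered_by_preload(h, index)}
    return {
        "preload": len(index),
        "sts": len(hosts),
        "covered": len(covered),
        # These hosts depend on dynamically stored HSTS state only.
        "not_preloaded": sorted(hosts - covered),
    }

# Constructed sample data (not taken from either real list).
PRELOAD = [("example.com", True), ("example.org", False),
           ("login.example.net", True)]
STS_HOSTS = ["www.example.com", "example.org", "www.example.org",
             "example.net", "sso.login.example.net", "Example.EDU."]

if __name__ == "__main__":
    for key, value in compare(PRELOAD, STS_HOSTS).items():
        print(f"{key}: {value}")
```

A parent entry without `include_subdomains` does not cover its subdomains, which is why `www.example.org` is reported as not preloaded even though `example.org` is on the sample list.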