#17252: Confirm TLS session resumption/ID are isolated to the URL bar domain, and re-enable them
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-linkability, ff60-esr, tbb-      |  Actual Points:
  performance, TorBrowserTeam201808R             |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):
 * keywords:
     tbb-linkability, ff60-esr, tbb-performance, TorBrowserTeam201808
     =>
     tbb-linkability, ff60-esr, tbb-performance, TorBrowserTeam201808R

Comment:

 Jonathan Hao at Mozilla implemented FPI (OriginAttribute isolation) of
 session identifiers and session tickets in
 https://hg.mozilla.org/mozilla-central/rev/9aba8184664d. That patch
 includes unit tests to show that isolation is effective when
 "privacy.firstparty.isolate" is enabled.

 I also reviewed the code to understand it better:

 Each session ticket or session identifier is stored in an instance of the
 same `sslSessionID` struct:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/nss/lib/ssl/sslimpl.h#462

 `sslSessionID` instances are stored in the session cache, keyed by a
 `peerID` string:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/nss/lib/ssl/sslnonce.c#285

 The security manager sets the `peerID` string to include the
 OriginAttributes suffix from the socket:
 https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/security/manager/ssl/nsNSSIOLayer.cpp#2709

 Therefore we can be confident that session tickets/identifiers are
 isolated by first party.

 So here's my patch for review:
 https://github.com/arthuredelstein/tor-browser/commit/17252

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17252#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
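The isolation argument in the comment above, as an added toy model (not Firefox or NSS code): the session cache is keyed by a `peerID` string, and appending the socket's OriginAttributes suffix to that key is what stops a ticket cached under one first party from being reused under another. The suffix layout `^firstPartyDomain=<domain>`, the `cdn.example` host and the ticket value are assumptions constructed for the example.

```cpp
// Toy model of the isolation described in the ticket comment: the NSS client
// session cache is keyed by a peerID string, and the Firefox security manager
// appends the socket's OriginAttributes suffix to that key. Not Firefox/NSS code.
#include <map>
#include <string>

// Assumed suffix layout, modelled on OriginAttributes::CreateSuffix():
// empty when no attributes are set, otherwise "^firstPartyDomain=<domain>".
struct OriginAttributes {
    std::string firstPartyDomain;  // empty when privacy.firstparty.isolate is off
    std::string Suffix() const {
        if (firstPartyDomain.empty()) return "";
        return "^firstPartyDomain=" + firstPartyDomain;
    }
};

// peerID = "host:port" plus the OriginAttributes suffix (the idea from nsNSSIOLayer).
std::string MakePeerID(const std::string& host, int port, const OriginAttributes& oa) {
    return host + ":" + std::to_string(port) + oa.Suffix();
}

// Minimal stand-in for the NSS client session cache: peerID -> session ticket.
class ToySessionCache {
public:
    void Store(const std::string& peerID, const std::string& ticket) { entries_[peerID] = ticket; }
    bool Has(const std::string& peerID) const { return entries_.count(peerID) != 0; }
private:
    std::map<std::string, std::string> entries_;
};

// Linkability check: a ticket is cached while cdn.example (constructed host)
// is loaded under first party fpA; does a later load under first party fpB
// resume with the same ticket? With FPI off both loads carry empty
// OriginAttributes, so the cache keys collide and the server can link them.
bool ResumesAcrossFirstParties(const std::string& fpA, const std::string& fpB, bool fpiEnabled) {
    ToySessionCache cache;
    OriginAttributes oaA{fpiEnabled ? fpA : ""};
    OriginAttributes oaB{fpiEnabled ? fpB : ""};
    cache.Store(MakePeerID("cdn.example", 443, oaA), "constructed-ticket-from-visit-A");
    return cache.Has(MakePeerID("cdn.example", 443, oaB));
}
```

With FPI on, the same first party still gets a cache hit, so resumption keeps its performance benefit within a site while visits from different first parties stay unlinkable.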