[tbb-bugs] #6458 [Tor Browser]: Double-key HSTS for third party content (was: Disable HSTS for third party content on non-HSTS domains)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 23 00:35:52 UTC 2015 

#6458: Double-key HSTS for third party content
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-linkability, tbb-bounty, tbb-
  Browser                |  firefox-patch
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 http://tsyrklevich.net/2014/10/28/abusing-strict-transport-security/ is
 another PoC that is a bit more interesting. It uses the HSTS preload list
 to fingerprint the underlying Firefox ESR version, and then also uses the
 Tails homepage HSTS presence to fingerprint Tails users.

 This example indicates that we shouldn't try any games with allowing HSTS
 for third parties only if the first party is HSTS, since that site could
 have been deployed on HTTPS+HSTS. To me, it indicates that we should fully
 double-key both the HSTS headers, and maybe also the preload list.

 The good news is that this is probably not as tricky as I thought. I think
 we can get away with just patching the calls to the nsISecurityService in
 nsHttpChannel::ProcessSingleSecurityHeader() and nsHttpChannel::Connect().
 I don't think we need to worry about the HPKP bits.

 Double-keying the preload list may require some finesse though, since it
 covers a lot of API sources, and sites may have become dependent on it
 accidentally. I can think of a few heuristics:
 1. Only apply the preload list rules to third parties if the URL bar
 domain is in the preload list
 1. Only apply the preload list rules to third parties if the url bar is
 https
 1. Always apply the preload list

 I think that either 2 or 3 are our best options.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6458#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list