[tbb-bugs] #3600 [Tor Browser]: Prevent redirects from transmitting+storing cookies+identifiers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Apr 3 05:07:08 UTC 2016
#3600: Prevent redirects from transmitting+storing cookies+identifiers
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone: TorBrowserBundle 2.3.x-stable
Component: Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-linkability, tbb-testcase, tbb-torbutton | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------+-------------------------------------
Changes (by mikeperry):
* cc: arma (added)
* severity: => Major
Comment:
I hopped into my tardis (it's not just a hot air balloon, I swear) and
found a potential stopgap solution from the future. What if we prompted
before every first party redirect and provided a message that said
something like the following, containing two buttons with the bracketed
text:
Warning: The website domain.com is redirecting you to destination.com.
This may mean that domain.com and destination.com are attempting to
communicate to determine your identity and track your activity.
[Proceed with tracking] [Proceed without tracking]
If the user clicks "Proceed with tracking", then cookies, cache, etc. would
be preserved. If the user clicks "Proceed without tracking", then we clear
all state and identifiers stored for destination.com before loading the
redirect request. (We would strip any subdomains from both domain.com and
destination.com in the message dialog, both because this would be less
confusing and also because our isolation applies to top-level domains).
Anyway, just an idea that might come in handy.
Happy Caturday! Take it easy, everyone!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3600#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
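
The prompt-and-clear flow proposed in the comment above, modeled as an added JavaScript example (not Tor Browser code and not part of the original ticket). The names baseDomain and handleRedirect, the Map-based state store and the two-entry suffix list are hypothetical, and skipping the prompt for redirects within one base domain is an assumption.

```javascript
// Constructed two-entry suffix list (assumption); real code would use the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Strip subdomains: reduce a hostname to its registrable (base) domain.
function baseDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no subdomains to strip; return them unchanged.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// stateStore: Map of base domain -> stored state (hypothetical model of cookies, cache, etc.).
// choice: "with" or "without", matching the two buttons in the proposed dialog.
function handleRedirect(stateStore, fromUrl, toUrl, choice) {
  const from = baseDomain(new URL(fromUrl).hostname);
  const to = baseDomain(new URL(toUrl).hostname);
  // Assumption: a redirect inside one base domain stays in the same isolation context, so no prompt.
  if (from === to) return { prompted: false, message: null, cleared: false };
  const message =
    `Warning: The website ${from} is redirecting you to ${to}. ` +
    `This may mean that ${from} and ${to} are attempting to ` +
    "communicate to determine your identity and track your activity.";
  // Fail closed: only an explicit "with" keeps the destination's state.
  const cleared = choice !== "with";
  if (cleared) stateStore.delete(to); // wipe before the redirect request is loaded
  return { prompted: true, message, cleared };
}

// Constructed sample state and redirect.
const demoStore = new Map([
  ["destination.com", { cookies: ["uid=abc123"], cache: ["/pixel.gif"] }],
  ["domain.com", { cookies: ["session=xyz"], cache: [] }],
]);
const demo = handleRedirect(
  demoStore, "https://www.domain.com/out", "https://login.destination.com/in", "without");
console.log(demo.message, "\ncleared:", demo.cleared, "\nremaining:", [...demoStore.keys()]);
```
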