[tbb-bugs] #28536 [Applications/Tor Browser]: SuperCookie Built Into TLS 1.2 and 1.3
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 21 12:09:45 UTC 2018
#28536: SuperCookie Built Into TLS 1.2 and 1.3
--------------------------------------+---------------------------
Reporter: heyjoe | Owner: tbb-team
Type: defect | Status: closed
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution: not a bug
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+---------------------------
Changes (by boklm):
* status: reopened => closed
* resolution: => not a bug
Comment:
Replying to [comment:3 heyjoe]:
> I don't think this has anything to do with privacy.firstparty.isolate in
> particular.
>
> From what I read in the article the essential issue is that the user can
> be tracked across multiple IP addresses (and obviously identities) due to
> the way TLS works - the storage of keys. In that sense - what does first
> party mean? It is not an issue with primary and external domains.
Tracking a user inside a single browser session/website visit is possible
in multiple ways. What we want to avoid is cross-site tracking, and
cross-sessions tracking (when the user creates a new session by clicking on
new-identity or restarting the browser).
>
> You say:
>
> > We leave the other preferences as-is
>
> but TBB doesn't have security.ssl.disable_session_identifiers which the
> article recommends. Considering that
> https://www.torproject.org/projects/torbrowser/design/ says
>
> > We disable TLS Session Tickets and SSL Session IDs by setting
> > security.ssl.disable_session_identifiers to true.
>
> this is actually a bug as such setting is simply missing in
> about:config.
This is because this doc has not yet been updated for the 8.0 release
(this will be done with ticket #25021).
This pref was set to true in the past: #4099
With the 8.0 release, it has been changed to false, after confirming that
TLS session resumption/ID are isolated to the URL bar domain, so not a
cross-site tracking risk: #17252
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28536#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
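
The isolation argument in the comment above, as an added example that is not part of the original ticket and is not Tor Browser or Firefox code: a toy model of a client-side TLS session cache, comparing a cache keyed by server only with one keyed by (URL bar domain, server). The class, function and host names are hypothetical, and session IDs are random stand-ins for real resumption state.

```python
import secrets

class SessionCache:
    """Toy model of a client-side TLS session cache (hypothetical, not Firefox code)."""

    def __init__(self, isolate_by_first_party):
        self.isolate = isolate_by_first_party
        self.store = {}

    def _key(self, first_party, server):
        # With isolation, the URL bar domain is part of the cache key.
        return (first_party, server) if self.isolate else (None, server)

    def connect(self, first_party, server):
        """Return (session_id, resumed) as the server would observe them."""
        key = self._key(first_party, server)
        if key in self.store:
            return self.store[key], True      # client offers the cached session
        session_id = secrets.token_hex(16)    # full handshake, fresh session
        self.store[key] = session_id
        return session_id, False

    def new_identity(self):
        # New Identity or a browser restart drops every cached session.
        self.store.clear()

def tracker_can_link(cache, tracker="tracker.example"):
    """True if a third party embedded on two sites sees one session on both."""
    id_a, _ = cache.connect("site-a.example", tracker)
    id_b, resumed = cache.connect("site-b.example", tracker)
    return resumed and id_a == id_b

def same_site_resumes(cache, site="site-a.example"):
    """True if a revisit under the same URL bar domain resumes the session."""
    first, _ = cache.connect(site, site)
    second, resumed = cache.connect(site, site)
    return resumed and first == second

def survives_new_identity(cache, site="site-a.example"):
    """True if a session cached before New Identity is still usable after it."""
    before, _ = cache.connect(site, site)
    cache.new_identity()
    after, resumed = cache.connect(site, site)
    return resumed or before == after

if __name__ == "__main__":
    print("cross-site link, shared cache:  ", tracker_can_link(SessionCache(False)))
    print("cross-site link, isolated cache:", tracker_can_link(SessionCache(True)))
    print("same-site resumption, isolated: ", same_site_resumes(SessionCache(True)))
    print("survives New Identity:          ", survives_new_identity(SessionCache(True)))
```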