[tor-bugs] #25929 [Applications/Tor Browser]: Critical breach in first-party isolation allowing users deanonimization and profiling
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 26 14:49:57 UTC 2018
#25929: Critical breach in first-party isolation allowing users deanonimization and
profiling
------------------------------------------+----------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: Immediate | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Critical | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
1 An adversary crawls the web creating a database storing the info about
which website uses which certificates in the chain of trust, including
resources.
2 The adversary setups a malicious website evil.com having large amount of
subdomains each one using different certificates in the chain of trust,
but NOT SENDING ALL OF THEM, each domain skips sending a single
intermediate certificate.
1 A user opens a website stupid.com
2 The website stupid.com uses different resources from different sites
using different CAs. All the certs are cached.
3 User closes stupid.com and visits evil.com. The website includes single
pixel transparent images (or other resources) from all its crafted
subdomains. If an intermediate cert is cached the connection succeeds. If
it isn't it fails. This way the adversary knows which intermediate certs
are cached and can reduce its uncertainty about the websites visited by a
user. the attack doesn't require any JavaScript or CSS, only images.
4 If an adversary controls some of resources of stupid.com it can craft an
unique set of intermediate certificates for every its user.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25929>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list