Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate HSTS fingerprinting #3419

Closed
jumde opened this issue Feb 19, 2019 · 0 comments · Fixed by brave/brave-core#1744
Closed

Mitigate HSTS fingerprinting #3419

jumde opened this issue Feb 19, 2019 · 0 comments · Fixed by brave/brave-core#1744
Assignees
@jumde
Labels
browser-laptop-parity priority/P3 The next thing for us to work on. It'll ride the trains. QA/Test-Plan-Specified QA/Yes security
Milestone
Closed / Dupe / I...

Comments

@jumde
Copy link
Contributor

jumde commented Feb 19, 2019
edited
Loading

From: brave/browser-laptop#12223

Description

it has been reported in various places that Criteo is using HSTS supercookies (where they buy a bunch of domains and set HSTS on a different subset of domains for each user in order to uniquely identify them) for ad tracking. https://www.gothamcityresearch.com/single-post/2017/10/12/Criteo-SA-NASDAQ-CRTO-Why-We-Believe-Criteo%E2%80%99s-Undisclosed-Practices-are-Illegal-and-Harmful-to-Advertisers

possibilities:

  1. double-key HSTS
  2. disallow 3rd parties from setting HSTS

Test Plan

Specified here: brave/brave-core#1744
@jumde jumde added the security label Feb 19, 2019
@jumde jumde self-assigned this Feb 19, 2019
@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Feb 19, 2019
@jumde jumde mentioned this issue Feb 20, 2019
Merged
18 tasks
@jumde jumde mentioned this issue Feb 27, 2019
Closed
@jumde jumde mentioned this issue Sep 8, 2019
Closed
@bbondy bbondy added this to the Closed / Invalid milestone Jun 3, 2020
@goodov goodov mentioned this issue Apr 20, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jumde jumde

Labels
browser-laptop-parity priority/P3 The next thing for us to work on. It'll ride the trains. QA/Test-Plan-Specified QA/Yes security
Projects
None yet
Milestone
Closed / Dupe / Invalid
Development

Successfully merging a pull request may close this issue.

Issue 3419: Mitigate HSTS fingerprinting brave/brave-core
4 participants
@diracdeltas @tildelowengrimm @bbondy @jumde