This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

mitigate HSTS fingerprinting #12223

Closed
diracdeltas opened this issue Dec 7, 2017 · 8 comments

Comments

@diracdeltas
Member

diracdeltas commented Dec 7, 2017

Test plan

See #13437

Original issue description

context: it has been reported in various places that Criteo is using HSTS supercookies (where they buy a bunch of domains and set HSTS on a different subset of domains for each user in order to uniquely identify them) for ad tracking. https://www.gothamcityresearch.com/single-post/2017/10/12/Criteo-SA-NASDAQ-CRTO-Why-We-Believe-Criteo%E2%80%99s-Undisclosed-Practices-are-Illegal-and-Harmful-to-Advertisers

possibilities:

  1. double-key HSTS
  2. disallow 3rd parties from setting HSTS
@diracdeltas diracdeltas added this to the 0.20.x (Beta Channel) milestone Dec 22, 2017
@diracdeltas
Member Author

adding to 0.20.x, per @BrendanEich's suggestion

currently the proposal seems to boil down to: don't apply HSTS on 3rd party subresource loads, unless that subresource has been visited as a first party (similar to Safari's 3rd party cookie policy)

@jumde jumde self-assigned this Dec 22, 2017
@bsclifton
Member

Moving to 0.21.x for now - let's move it back if this is finished before Jan 8th and doesn't require a Muon change 😄

@bsclifton bsclifton modified the milestones: 0.20.x (Beta Channel), 0.21.x (Developer Channel) Dec 29, 2017
@alexwykoff
Contributor

@diracdeltas is this release blocking?

@diracdeltas
Member Author

it would be really good if this were included in 0.21.x since people have been asking for it for a while. cc @jumde

@alexwykoff alexwykoff added the priority/P2 Crashes. Loss of data. Severe memory leak. label Feb 27, 2018
@alexwykoff alexwykoff modified the milestones: 0.22.x (Developer Channel), 0.23.x (Nightly Channel) Feb 27, 2018
@jumde jumde self-assigned this Mar 13, 2018
@alexwykoff alexwykoff modified the milestones: 0.23.x (Nightly Channel), Backlog (Prioritized) Mar 13, 2018
@bsclifton
Member

bsclifton commented Mar 13, 2018

Depends on brave/muon#527

@diracdeltas please note that the milestone was adjusted during today's triage meeting; once the work is complete, we can find the right place for it 😄

@diracdeltas
Member Author

it now depends on brave/muon#532 which is a simpler change. moving to 0.22.x for now

@bsclifton
Member

Re-opening after reverting browser-laptop code with #13638

@bsclifton bsclifton reopened this Mar 28, 2018
@bsclifton bsclifton modified the milestones: 0.22.x (Beta Channel), 0.23.x (Developer Channel) Mar 28, 2018
@bsclifton bsclifton modified the milestones: 0.23.x (Developer Channel), 0.22.x Release 2 (Beta Channel) Apr 2, 2018
@bsclifton bsclifton modified the milestones: 0.22.x Release 2 (Beta Channel), 0.22.x Release 3 Apr 6, 2018
@btlechowski
Contributor

btlechowski commented Apr 11, 2018

Verified Win7 x64 v0.22.108

Steps used to verify:

  1. Open Brave. Disable HTTPS Everywhere in preferences.
  2. Clear browsing history and cache
  3. Go to https://jsfiddle.net/pqwdgr5x/5/
  4. Bring up the Debugger (F12) and open the Network tab
  5. Tick 'Preserve log' and select 'Other'
  6. Press F5 to reload

Expected result:
301 redirect

Steps used to verify:

  1. Open Brave. Disable HTTPS Everywhere in preferences.
  2. Clear browsing history and cache
  3. Go to https://avatars2.githubusercontent.com/u/1903815?s=40&v=4
  4. Go to https://jsfiddle.net/pqwdgr5x/5/
  5. Bring up the Debugger (F12) and open the Network tab
  6. Tick 'Preserve log' and select 'Other'
  7. Press F5 to reload

Expected result:
307 redirect

Verified on macOS 10.12.6 x64 using the steps above and the following build:

  • 0.22.109 5e4846e
  • libchromiumcontent: 65.0.3325.181
  • muon: 6.0.3

Verified on Ubuntu 17.10 x64

  • 0.22.703 903b8d0
  • libchromiumcontent 66.0.3359.139
  • muon: 6.0.8
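The policy proposed earlier in the thread (apply HSTS to a third-party subresource only if its host was visited as a first party) and the 301-versus-307 outcome checked in the verification steps above, modelled as an added example; this is illustrative code written for this page, not Brave's or Muon's implementation. The host names, the `HstsStore` class and the assumption that the plain-http origin answers with its own 301 are constructed for the example; `includeSubDomains` is ignored to keep it short.

```python
from urllib.parse import urlsplit
import time


class HstsStore:
    def __init__(self):
        self.entries = {}            # host -> expiry timestamp (includeSubDomains ignored)
        self.first_party_hosts = set()

    def record_header(self, host, header_value):
        # Parse Strict-Transport-Security; max-age=0 (or missing) removes the entry.
        max_age = 0
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value.strip())
        if max_age == 0:
            self.entries.pop(host, None)
        else:
            self.entries[host] = time.time() + max_age

    def note_first_party_visit(self, host):
        self.first_party_hosts.add(host)

    def has_entry(self, host):
        expiry = self.entries.get(host)
        return expiry is not None and expiry > time.time()

    def should_upgrade(self, request_url, top_level_host, gate_third_party):
        """Decide whether an http:// load is internally upgraded to https://."""
        parts = urlsplit(request_url)
        if parts.scheme != "http" or not self.has_entry(parts.hostname):
            return False
        third_party = parts.hostname != top_level_host
        if gate_third_party and third_party and parts.hostname not in self.first_party_hosts:
            return False   # proposal: no HSTS for third parties never visited as first party
        return True


def observed_status(store, request_url, top_level_host, gate_third_party):
    # 307 is the browser's internal HSTS redirect; otherwise the (constructed)
    # origin answers the plain-http request with its own 301 to https.
    return 307 if store.should_upgrade(request_url, top_level_host, gate_third_party) else 301


def read_supercookie_bits(store, probe_hosts, top_level_host, gate_third_party):
    # Bits a page could observe from a set of probe hosts (internal upgrade = 1).
    return [int(store.should_upgrade(f"http://{h}/p.gif", top_level_host, gate_third_party))
            for h in probe_hosts]
```

With the gate on, every probe host that was only ever seen as a third party reads as 0, so the per-user pattern of HSTS entries is not observable from an embedding page.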
