Re: [webkit-dev] HSTS user tracking
On Fri, Mar 2, 2018 at 4:37 AM, Anne van Kesteren wrote:
> FWIW, some were posted by John Wilander at
> https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE.

That's exactly what I was looking for... thanks!

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
Re: [webkit-dev] HSTS user tracking
On Thu, Mar 1, 2018 at 7:44 PM, Michael Catanzaro wrote:
> It'd still be great to get some details about your strategy for mitigating
> user tracking via HSTS.

FWIW, some were posted by John Wilander at
https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE.

--
https://annevankesteren.nl/
Re: [webkit-dev] HSTS user tracking
Sure — I’ll ask Jon to get it scheduled to post.

> On Mar 1, 2018, at 11:50 AM, Maciej Stachowiak wrote:
>
>> On Mar 1, 2018, at 10:44 AM, Michael Catanzaro wrote:
>>
>> On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham wrote:
>>> I’m sorry we haven’t been forthcoming with details. We have wanted to put
>>> together a blog post explaining our fix, but have been preoccupied with a
>>> number of other security issues.
>>> I will make this my top priority, or at least give a rough overview to the
>>> webkit-security folks if we can’t put together a blog-worthy document fast
>>> enough.
>>> Thanks,
>>> -Brent
>>
>> Hi,
>>
>> It'd still be great to get some details about your strategy for mitigating
>> user tracking via HSTS.
>>
>> It should be suitable for webkit-dev, rather than the private security list,
>> right?
>
> I think we should still publish the blog post, if it's at all close to ready.
> Brent?
>
> - Maciej
Re: [webkit-dev] HSTS user tracking
> On Mar 1, 2018, at 10:44 AM, Michael Catanzaro wrote:
>
> On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham wrote:
>> I’m sorry we haven’t been forthcoming with details. We have wanted to put
>> together a blog post explaining our fix, but have been preoccupied with a
>> number of other security issues.
>> I will make this my top priority, or at least give a rough overview to the
>> webkit-security folks if we can’t put together a blog-worthy document fast
>> enough.
>> Thanks,
>> -Brent
>
> Hi,
>
> It'd still be great to get some details about your strategy for mitigating
> user tracking via HSTS.
>
> It should be suitable for webkit-dev, rather than the private security list,
> right?

I think we should still publish the blog post, if it's at all close to ready.
Brent?

- Maciej
Re: [webkit-dev] HSTS user tracking
On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham wrote:
> I’m sorry we haven’t been forthcoming with details. We have wanted to put
> together a blog post explaining our fix, but have been preoccupied with a
> number of other security issues.
> I will make this my top priority, or at least give a rough overview to the
> webkit-security folks if we can’t put together a blog-worthy document fast
> enough.
> Thanks,
> -Brent

Hi,

It'd still be great to get some details about your strategy for mitigating
user tracking via HSTS.

It should be suitable for webkit-dev, rather than the private security list,
right?

Michael
Re: [webkit-dev] HSTS user tracking
I’m sorry we haven’t been forthcoming with details. We have wanted to put
together a blog post explaining our fix, but have been preoccupied with a
number of other security issues.

I will make this my top priority, or at least give a rough overview to the
webkit-security folks if we can’t put together a blog-worthy document fast
enough.

Thanks,

-Brent

> On Jan 5, 2018, at 12:58 PM, Maciej Stachowiak wrote:
>
> Brent Fulgham or John Wilander would know the details.
>
> - Maciej
>
>> On Jan 5, 2018, at 8:04 AM, Michael Catanzaro wrote:
>>
>> Hi devs,
>>
>> Any info about how to mitigate this problem would be appreciated. Thanks!
>>
>> Michael
Re: [webkit-dev] HSTS user tracking
Brent Fulgham or John Wilander would know the details.

- Maciej

> On Jan 5, 2018, at 8:04 AM, Michael Catanzaro wrote:
>
> Hi devs,
>
> Any info about how to mitigate this problem would be appreciated. Thanks!
>
> Michael
Re: [webkit-dev] HSTS user tracking
Hi devs,

Any info about how to mitigate this problem would be appreciated. Thanks!

Michael
[webkit-dev] HSTS user tracking
Hi,

I have a question about [1]. This article states:

In early December, Apple released an update to iOS and Safari which disabled Criteo’s ability to exploit HSTS. This led to Criteo revising down their revenue forecasts and a sharp fall in their share price.

How exactly does this update work? (We'll possibly want to adjust libsoup's forthcoming HSTS implementation accordingly.)

Thanks,

Michael

[1] https://www.eff.org/deeplinks/2017/12/arms-race-against-trackers-safari-leads-criteo-30