Re: [webkit-dev] HSTS user tracking

2018-03-02 Thread Michael Catanzaro
On Fri, Mar 2, 2018 at 4:37 AM, Anne van Kesteren wrote:
> FWIW, some were posted by John Wilander at
> https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE.


That's exactly what I was looking for... thanks!

___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev


Re: [webkit-dev] HSTS user tracking

2018-03-02 Thread Anne van Kesteren
On Thu, Mar 1, 2018 at 7:44 PM, Michael Catanzaro  wrote:
> It'd still be great to get some details about your strategy for mitigating
> user tracking via HSTS.

FWIW, some were posted by John Wilander at
https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE.


-- 
https://annevankesteren.nl/


Re: [webkit-dev] HSTS user tracking

2018-03-01 Thread Brent Fulgham
Sure — I’ll ask Jon to get it scheduled to post.

> On Mar 1, 2018, at 11:50 AM, Maciej Stachowiak  wrote:
> 
> 
> 
>> On Mar 1, 2018, at 10:44 AM, Michael Catanzaro  wrote:
>> 
>> On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham wrote:
>>> I’m sorry we haven’t been forthcoming with details. We have wanted to put 
>>> together a blog post explaining our fix, but have been preoccupied with a 
>>> number of other security issues.
>>> I will make this my top priority, or at least give a rough overview to the 
>>> webkit-security folks if we can’t put together a blog-worthy document fast 
>>> enough.
>>> Thanks,
>>> -Brent
>> 
>> Hi,
>> 
>> It'd still be great to get some details about your strategy for mitigating 
>> user tracking via HSTS.
>> 
>> It should be suitable for webkit-dev, rather than the private security list, 
>> right?
> 
> I think we should still publish the blog post, if it's at all close to ready. 
> Brent?
> 
> - Maciej
> 



Re: [webkit-dev] HSTS user tracking

2018-03-01 Thread Maciej Stachowiak


> On Mar 1, 2018, at 10:44 AM, Michael Catanzaro  wrote:
> 
> On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham wrote:
>> I’m sorry we haven’t been forthcoming with details. We have wanted to put 
>> together a blog post explaining our fix, but have been preoccupied with a 
>> number of other security issues.
>> I will make this my top priority, or at least give a rough overview to the 
>> webkit-security folks if we can’t put together a blog-worthy document fast 
>> enough.
>> Thanks,
>> -Brent
> 
> Hi,
> 
> It'd still be great to get some details about your strategy for mitigating 
> user tracking via HSTS.
> 
> It should be suitable for webkit-dev, rather than the private security list, 
> right?

I think we should still publish the blog post, if it's at all close to ready. 
Brent?

 - Maciej



Re: [webkit-dev] HSTS user tracking

2018-03-01 Thread Michael Catanzaro
On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham wrote:
> I’m sorry we haven’t been forthcoming with details. We have wanted to put
> together a blog post explaining our fix, but have been preoccupied with a
> number of other security issues.
>
> I will make this my top priority, or at least give a rough overview to the
> webkit-security folks if we can’t put together a blog-worthy document fast
> enough.
>
> Thanks,
>
> -Brent


Hi,

It'd still be great to get some details about your strategy for 
mitigating user tracking via HSTS.


It should be suitable for webkit-dev, rather than the private security 
list, right?


Michael



Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Brent Fulgham
I’m sorry we haven’t been forthcoming with details. We have wanted to put 
together a blog post explaining our fix, but have been preoccupied with a 
number of other security issues.

I will make this my top priority, or at least give a rough overview to the 
webkit-security folks if we can’t put together a blog-worthy document fast 
enough.

Thanks,

-Brent

> On Jan 5, 2018, at 12:58 PM, Maciej Stachowiak  wrote:
> 
> 
> Brent Fulgham or John Wilander would know the details.
> 
> - Maciej
> 
>> On Jan 5, 2018, at 8:04 AM, Michael Catanzaro  wrote:
>> 
>> 
>> Hi devs,
>> 
>> Any info about how to mitigate this problem would be appreciated. Thanks!
>> 
>> Michael
>> 
> 



Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Maciej Stachowiak

Brent Fulgham or John Wilander would know the details.

 - Maciej

> On Jan 5, 2018, at 8:04 AM, Michael Catanzaro  wrote:
> 
> 
> Hi devs,
> 
> Any info about how to mitigate this problem would be appreciated. Thanks!
> 
> Michael
> 



Re: [webkit-dev] HSTS user tracking

2018-01-05 Thread Michael Catanzaro


Hi devs,

Any info about how to mitigate this problem would be appreciated. 
Thanks!


Michael



[webkit-dev] HSTS user tracking

2017-12-21 Thread Michael Catanzaro

Hi,

I have a question about [1]. This article states:

> In early December, Apple released an update to iOS and Safari which
> disabled Criteo’s ability to exploit HSTS. This led to Criteo
> revising down their revenue forecasts and a sharp fall in their share
> price.


How exactly does this update work? (We'll possibly want to adjust 
libsoup's forthcoming HSTS implementation accordingly.)


Thanks,

Michael

[1] 
https://www.eff.org/deeplinks/2017/12/arms-race-against-trackers-safari-leads-criteo-30

