#18589: Tor browser writes SiteSecurityServiceState.txt with usage history
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: assigned
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-disk-leak | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by gacar):
Although the number of preloaded STS sites is small, popular STS sites are
more likely to be included in the preload list:
|| '''Site rank''' || '''# of preloaded STS sites / # of STS enabled sites''' ||
|| Top 10 || 33% ||
|| Top 100 || 24% ||
|| Top 1K || 16.5% ||
|| Top 10K || 12.5% ||
|| Top 100K || 8.5% ||
|| Top 1M || 4.7% (1883/39408) ||
Anyways, I think the privacy risk of revealing browsing history still
outweighs the potential security benefits.
PS: I should also note that I couldn't completely reproduce the problem
with 6.5.1 and 7.0a2 on Linux 64. Although I visited several sites that
send HSTS headers, only a few TPO and AMO-related domains
(aus1.torproject.org, www.torproject.org, aus1.torproject.org) were added to
the SiteSecurityServiceState.txt (something to do with the chrome vs
content connections?).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18589#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online