Opened 3 years ago

Closed 2 years ago

Last modified 7 weeks ago

#16673 closed defect (fixed)

Isolate/Disable HTTP Alternative-Services

Reported by: mikeperry
Owned by: arthuredelstein
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff45-esr, tbb-linkability, tbb-6.0a5, TorBrowserTeam201604R
Cc: mcs, gk, arthuredelstein, mahrud
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The HTTP Alternative Services header (https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-06) allows websites to tell clients to cache destination and protocol settings for certain websites.

While this header enables things like opportunistic encryption, http2 discovery, etc, unfortunately it is both a supercookie vector and a third party tracking vector. Luckily for us, it was disabled for Firefox 38 because the initial implementation also enabled URL bar spoofing vulnerabilities.

However, for Firefox 45, we will either need to isolate it, or ensure it remains disabled.

Change History (12)

comment:1 Changed 3 years ago by mikeperry

Summary: changed from Isolate HTTP Alternative-Services to Isolate/Disable HTTP Alternative-Services

comment:2 Changed 3 years ago by mcs

Cc: mcs added

comment:3 Changed 3 years ago by gk

Cc: gk added

comment:4 Changed 2 years ago by gk

Keywords: tbb-6.0a5 added

comment:5 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added
Owner: changed from tbb-team to arthuredelstein
Severity: Normal
Status: new → accepted

comment:6 Changed 2 years ago by gk

Keywords: TorBrowserTeam201604 added

We want that for the alpha and the ESR 45 stable series.

comment:7 Changed 2 years ago by arthuredelstein

Status: accepted → new

comment:8 Changed 2 years ago by arthuredelstein

Keywords: TorBrowserTeam201604R added; TorBrowserTeam201604 removed
Status: new → needs_review

Here's a (hopefully temporary) patch to disable HTTP Alternative-Services. Please review.

https://github.com/arthuredelstein/tor-browser/commit/16673
Hash 96678405d976d4b0d9d707d955a7aae67f9e7b1a

(I would suggest we leave this ticket open, even if we land this patch, so we can go back and figure out if applying first-party isolation with these prefs enabled is feasible.)

Last edited 2 years ago by arthuredelstein
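To make concrete why the description calls Alt-Svc a third-party tracking vector and why comment 8 raises first-party isolation as the alternative to disabling it, here is an added example (not code from the ticket's patch or from Firefox): a parser for the draft-06 header syntax plus a toy alternative-service cache that can be keyed by origin alone or by (first-party site, origin). The origins and header values are constructed.

```python
# Added example: parse an Alt-Svc header (draft-ietf-httpbis-alt-svc-06 syntax)
# and model how keying the cache by first-party site stops a third-party origin
# from reading back the same cached entry on two different sites.

def parse_alt_svc(header, default_max_age=86400):
    """Parse `Alt-Svc: h2="alt.example:443"; ma=2592000, ...` into dicts.
    The special value 'clear' empties the cache, so it yields no entries."""
    if header.strip().lower() == "clear":
        return []
    entries = []
    for field in header.split(","):
        parts = [p.strip() for p in field.split(";") if p.strip()]
        if not parts:
            continue
        proto, _, authority = parts[0].partition("=")
        # alt-authority is a quoted "[host]:port"; an empty host means same host.
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not proto.strip() or not port.isdigit():
            continue  # malformed alternative: ignore rather than cache garbage
        entry = {"protocol": proto.strip(), "host": host, "port": int(port),
                 "max_age": default_max_age, "persist": False}
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "ma" and value.strip().isdigit():
                entry["max_age"] = int(value)
            elif name.strip().lower() == "persist":
                entry["persist"] = value.strip() == "1"
        entries.append(entry)
    return entries

class AltSvcCache:
    """Toy cache keyed by origin alone (linkable across sites) or, with
    isolate=True, by (first-party site, origin)."""
    def __init__(self, isolate):
        self.isolate, self._store = isolate, {}

    def _key(self, origin, first_party):
        return (first_party if self.isolate else None, origin)

    def store(self, origin, first_party, header):
        self._store[self._key(origin, first_party)] = parse_alt_svc(header)

    def lookup(self, origin, first_party):
        return self._store.get(self._key(origin, first_party), [])

def linkable_across_sites(isolate):
    """Constructed scenario: one third-party origin embedded on two first-party
    sites. Returns True if the entry cached on site A is visible from site B."""
    cache = AltSvcCache(isolate)
    third_party = "https://cdn.example"  # constructed origin
    cache.store(third_party, "site-a.example", 'h2="alt1.cdn.example:443"; ma=2592000')
    return cache.lookup(third_party, "site-b.example") != []
```

With isolate=False the entry set on site A is returned on site B, which is the linkability the ticket describes; with isolate=True each first party gets its own entry.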

comment:9 in reply to: 8 Changed 2 years ago by arthuredelstein

Replying to arthuredelstein:

Here's a (hopefully temporary) patch to disable HTTP Alternative-Services. Please review.

https://github.com/arthuredelstein/tor-browser/commit/16673
Hash 96678405d976d4b0d9d707d955a7aae67f9e7b1a

FWIW, this was based on the patch here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1113790#c0

comment:10 in reply to: 8 Changed 2 years ago by mcs

Replying to arthuredelstein:

Here's a (hopefully temporary) patch to disable HTTP Alternative-Services. Please review.

https://github.com/arthuredelstein/tor-browser/commit/16673
Hash 96678405d976d4b0d9d707d955a7aae67f9e7b1a

r=mcs
This looks good to me.

comment:11 Changed 2 years ago by gk

Resolution: fixed
Status: needs_review → closed

This is commit c09f525e5fab36a204291a2cae018a98be92018a on tor-browser-45.0.2esr-6.x-1.

comment:12 Changed 7 weeks ago by mahrud

Cc: mahrud added