Opened 4 years ago

#19229 new project

Canary monitoring

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Some websites put canaries into their Privacy Policy as a legal way to inform users about gag orders. It would be fine to have a browser extension that checks for canaries and warns users if a canary disappears.

If the extension discovers a valid canary, it caches the site as canaried. If a canary changes or disappears, it informs the user. A DB of known canaries can be available as a subscription (like the adblock one).

First it tries to discover a canary in the page. If it doesn't find one, it looks for a <meta> or <a> element referring to the ToS and privacy policy and looks for canaries there.

To discover a canary, the extension searches the meta tags for it. If it finds a meta element whose content contains a canary, it means the site has a canary. This canary has the following format: <meta name="any string" content="Any standardized canary message|valid date|b64 encoded EdDSA public key|b64 encoded EdDSA signature of PKCS7 padded everything before it"/>. The implementation must check the signature and pin the public key.
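One way to implement the check the description asks for, added here as an example (not code from the ticket or from Tor Browser). It runs under Node.js rather than as an extension; the PKCS7 block size of 16, the signed span excluding the final `|`, the date read as an ISO 8601 valid-until date, and the names `checkCanary`, `parseCanary`, `makeCanary` and `pins` are assumptions.

```javascript
// Added example. ASSUMPTION markers flag details the ticket leaves unspecified.
const nodeCrypto = require('node:crypto');

const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex'); // DER header before a raw Ed25519 key
const BLOCK = 16; // ASSUMPTION: PKCS7 block size

function pkcs7Pad(buf) {
  const n = BLOCK - (buf.length % BLOCK); // always 1..BLOCK bytes of padding
  return Buffer.concat([buf, Buffer.alloc(n, n)]);
}

// Split from the right: the message may contain '|', base64 fields cannot.
function parseCanary(content) {
  const parts = content.split('|');
  if (parts.length < 4) return null;
  const [date, key, sig] = parts.slice(-3);
  const signed = content.slice(0, content.length - sig.length - 1); // ASSUMPTION: final '|' is not signed
  return { message: parts.slice(0, -3).join('|'), date, key, sig, signed };
}

// pins: Map of origin -> { key, message } for sites already seen with a valid canary.
function checkCanary(origin, content, pins, now = new Date()) {
  const pinned = pins.get(origin);
  const c = content == null ? null : parseCanary(content);
  if (!c) return pinned ? 'missing' : 'none';
  const rawKey = Buffer.from(c.key, 'base64');
  const rawSig = Buffer.from(c.sig, 'base64');
  if (rawKey.length !== 32 || rawSig.length !== 64) return 'invalid';
  const pub = nodeCrypto.createPublicKey({ key: Buffer.concat([SPKI_PREFIX, rawKey]), format: 'der', type: 'spki' });
  if (!nodeCrypto.verify(null, pkcs7Pad(Buffer.from(c.signed, 'utf8')), pub, rawSig)) return 'invalid';
  const key = rawKey.toString('base64'); // canonical form for pin comparison
  if (pinned && pinned.key !== key) return 'key-changed';
  if (pinned && pinned.message !== c.message) return 'message-changed';
  const until = Date.parse(c.date); // ASSUMPTION: ISO 8601 date the canary is valid until
  if (Number.isNaN(until) || until < now.getTime()) return 'expired';
  pins.set(origin, { key, message: c.message });
  return 'ok';
}

// Site side, used here only to construct sample input.
function makeCanary(message, date, { publicKey, privateKey }) {
  const key = publicKey.export({ format: 'der', type: 'spki' }).subarray(-32).toString('base64');
  const signed = `${message}|${date}|${key}`;
  const sig = nodeCrypto.sign(null, pkcs7Pad(Buffer.from(signed, 'utf8')), privateKey);
  return `${signed}|${sig.toString('base64')}`;
}
```

Every result other than `ok` and `none` is a case where the extension would inform the user; the pin is only written after the signature, key, message and date checks have all passed.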
