#25929 closed defect (duplicate)

Critical breach in first-party isolation allowing user deanonymization and profiling

Reported by: cypherpunks
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Critical
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


1. An adversary crawls the web, creating a database storing which website uses which certificates in its chain of trust, including resources.
2. The adversary sets up a malicious website evil.com with a large number of subdomains, each one using different certificates in the chain of trust but NOT SENDING ALL OF THEM: each subdomain skips sending a single intermediate certificate.

1. A user opens a website stupid.com.
2. The website stupid.com uses different resources from different sites using different CAs. All the certs are cached.
3. The user closes stupid.com and visits evil.com. The website includes single-pixel transparent images (or other resources) from all its crafted subdomains. If an intermediate cert is cached, the connection succeeds. If it isn't, it fails. This way the adversary knows which intermediate certs are cached and can reduce its uncertainty about the websites visited by a user. The attack doesn't require any JavaScript or CSS, only images.
4. If an adversary controls some of the resources of stupid.com, it can craft a unique set of intermediate certificates for each of its users.
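As an added illustration (not code from the ticket or from Tor Browser), a small Python model of the cache behaviour described above: a browser-wide intermediate-certificate cache lets a probe from a second first-party site learn which intermediates an earlier site installed, while a cache keyed by first-party site returns nothing. Site and certificate names are constructed.

```python
# Model of an intermediate-certificate cache with and without first-party
# isolation. Constructed example; not Tor Browser code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Chain:
    needed: frozenset  # intermediates required to build the chain
    sent: frozenset    # intermediates the server actually delivers


@dataclass
class IntermediateCache:
    isolated: bool                      # True: key entries by first-party site
    store: set = field(default_factory=set)

    def _scope(self, first_party):
        return first_party if self.isolated else None  # None = global cache

    def _cached(self, first_party):
        scope = self._scope(first_party)
        return {cert for fp, cert in self.store if fp == scope}

    def handshake(self, first_party, chain):
        """True if the chain completes from sent + cached intermediates."""
        ok = chain.needed <= (set(chain.sent) | self._cached(first_party))
        if ok:
            for cert in chain.needed:
                self.store.add((self._scope(first_party), cert))
        return ok


def simulate(isolated):
    cache = IntermediateCache(isolated)
    # Visit 1: stupid.com embeds resources whose servers send full chains,
    # so intermediates IntA and IntB land in the cache.
    for inter in ("IntA", "IntB"):
        cache.handshake("stupid.com", Chain(frozenset({inter}), frozenset({inter})))
    # Visit 2: each evil.com probe subdomain omits one intermediate; the load
    # succeeds only if that intermediate is already visible to evil.com.
    return {inter: cache.handshake("evil.com", Chain(frozenset({inter}), frozenset()))
            for inter in ("IntA", "IntB", "IntC")}


def leaked_intermediates(isolated):
    """Intermediates evil.com can infer were cached by an earlier site."""
    return sorted(i for i, ok in simulate(isolated).items() if ok)


if __name__ == "__main__":
    print("shared cache leaks:", leaked_intermediates(False))    # ['IntA', 'IntB']
    print("isolated cache leaks:", leaked_intermediates(True))   # []
```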

Change History (2)

comment:1 Changed 20 months ago by cypherpunks

A PoC would be nice.

comment:2 Changed 20 months ago by gk

Resolution: duplicate
Status: new → closed

Duplicate of #21559.
