Opened 3 years ago

Closed 3 years ago

#25929 closed defect (duplicate)

Critical breach in first-party isolation allowing users deanonimization and profiling

Reported by: cypherpunks Owned by: tbb-team
Priority: Immediate Milestone:
Component: Applications/Tor Browser Version:
Severity: Critical Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


1 An adversary crawls the web creating a database storing the info about which website uses which certificates in the chain of trust, including resources.
2 The adversary setups a malicious website having large amount of subdomains each one using different certificates in the chain of trust, but NOT SENDING ALL OF THEM, each domain skips sending a single intermediate certificate.
1 A user opens a website
2 The website uses different resources from different sites using different CAs. All the certs are cached.
3 User closes and visits The website includes single pixel transparent images (or other resources) from all its crafted subdomains. If an intermediate cert is cached the connection succeeds. If it isn't it fails. This way the adversary knows which intermediate certs are cached and can reduce its uncertainty about the websites visited by a user. the attack doesn't require any JavaScript or CSS, only images.
4 If an adversary controls some of resources of it can craft an unique set of intermediate certificates for every its user.

Child Tickets

Change History (2)

comment:1 Changed 3 years ago by cypherpunks

A PoC would be nice.

comment:2 Changed 3 years ago by gk

Resolution: duplicate
Status: newclosed

Duplicate of #21559.

Note: See TracTickets for help on using tickets.