Opened 4 months ago

Last modified 4 months ago

#30981 new enhancement

Torbrowser/Torbirdy insecure settings

Reported by: cypherpunks
Owned by: sukhbir
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity: Normal
Keywords: certificates, history
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Described for Torbirdy, applicable in the same way to Torbrowser.

security.OCSP.enabled must be 0; after a program restart it is 1 again.
Leak of used HTTPS certificates, and also a leak of the certificates used to check signatures of e-mails, thus a history of used certificates (i.e. websites, signatures, keys, if tied to a certificate).

Furthermore, a leak of the fingerprint (in the case of Torbirdy; should be secured with Torbrowser):
Accept:
Accept-Language:
Accept-Encoding:
...
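The reporter's first point is that a pref set to 0 comes back as 1 after a restart. The following is an added example, not code from the ticket or from TorBirdy: it parses the `user_pref("name", value);` lines of a profile's `prefs.js` (live values) and `user.js` (values re-applied at every startup) and reports any pref from an expected list that is either not at the wanted value or not pinned in `user.js`. The sample profile text is constructed; the only expected pref included is the one the ticket names.

```python
import re
from pathlib import Path

# Line format shared by Mozilla prefs.js and user.js:
#   user_pref("name", value);   value is true/false, an integer or a "string"
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Expected values, from the ticket: OCSP fetching off (0). Further prefs can be
# added here; none are assumed beyond what the ticket states.
EXPECTED = {"security.OCSP.enabled": 0}


def parse_prefs(text):
    """Return {name: typed value} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # unknown literal, kept verbatim
    return prefs


def audit(prefs_js, user_js, expected=EXPECTED):
    """Return (name, live_value, wanted, pinned) for each expected pref that is
    not at the wanted value in prefs.js (None = app default) or not pinned in
    user.js, which is what lets a value survive a restart."""
    live, pinned = parse_prefs(prefs_js), parse_prefs(user_js)
    findings = []
    for name, want in expected.items():
        is_pinned = pinned.get(name) == want
        if live.get(name) != want or not is_pinned:
            findings.append((name, live.get(name), want, is_pinned))
    return findings


def audit_profile(profile_dir):
    """Audit a real profile directory; a missing user.js counts as empty."""
    p = Path(profile_dir)
    user_js = p / "user.js"
    return audit((p / "prefs.js").read_text(),
                 user_js.read_text() if user_js.exists() else "")


if __name__ == "__main__":
    # Constructed sample: OCSP re-enabled after restart, nothing pinned.
    sample_prefs = 'user_pref("security.OCSP.enabled", 1);\n'
    for f in audit(sample_prefs, ""):
        print("pref %s is %r, wanted %r, pinned in user.js: %s" % f)
```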

Change History (1)

comment:1 Changed 4 months ago by gk

Component: Applications → Applications/TorBirdy
Owner: set to sukhbir
Priority: High → Medium
Severity: Critical → Normal

I don't think we need to disable OCSP, as OCSP is first-party isolated in Tor Browser. Thus, this mechanism can't be used to track anyone across domains. Moving the ticket to Torbirdy to address the (remaining) issues there.
