Opened 7 years ago

Closed 6 years ago

Last modified 8 months ago

#5282 closed defect (fixed)

Randomize non-pipelined requests to defend against traffic fingerprinting

Reported by: mikeperry
Owned by: mikeperry
Priority: High
Milestone: TorBrowserBundle 2.3.x-stable
Component: Firefox Patch Issues
Version:
Severity: Normal
Keywords: MikePerry201204, tbb-no-uplift
Cc: g.koppen@…
Actual Points: 12
Parent ID: #7027
Points: 4
Reviewer:
Sponsor:

Description

According to Martin Henze (who works with Andriy Panchenko), the defense in #3914 is inadequate due to the fact that many sites forcibly disable pipelining.

He implemented a defense that randomizes non-pipelined HTTP requests as well, but it may need some cleanup. It also needs testing against their framework still, I believe.

Attachments (1)

randomized-fetch-order.patch (4.6 KB) - added by mikeperry 7 years ago.
Patch by Martin Henze

Change History (10)

Changed 7 years ago by mikeperry

Patch by Martin Henze

comment:1 Changed 7 years ago by mikeperry

Status: new → needs_review

comment:2 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:3 Changed 7 years ago by mikeperry

Keywords: MikePerry201203 added

comment:4 Changed 7 years ago by mikeperry

SPDY just landed in Firefox 11. We probably want to look into that code during the review here.

comment:5 Changed 6 years ago by mikeperry

Keywords: MikePerry201204 added; MikePerry201203 removed

comment:6 Changed 6 years ago by mikeperry

Actual Points: 12
Points: 4
Resolution: fixed
Status: needs_review → closed

Ok, this is all set and merged. I had to alter the patch a bit to ensure request randomization. I also pinged Henze and Panchenko with the updated version.

I also looked into the SPDY spec briefly. It has the ability to store arbitrary state in the browser. We'll want to neuter that, as well as reduce its insanely long keepalive duration. I have not put deep thought into how to do request randomization or stream limiting in SPDY, though (or if it is really beneficial anymore in the face of the ultra-efficient request pipelining).

comment:7 Changed 6 years ago by mikeperry

Parent ID: #7027

comment:8 Changed 8 months ago by arthuredelstein

Keywords: tbb-no-uplift added
Severity: Blocker

comment:9 Changed 8 months ago by arthuredelstein

Severity: Blocker → Normal