Hey all,
Since tor devs have thought about how to handle TLS Session Tickets and Identifiers, I want to capture that approach and stick it into our NetCipher library, which is also used in Orfox. As I understand it, the approach is:
* disable TLS Session Tickets entirely
* reset TLS Session Identifiers on NEWNYM
Any plans to rethink this for TLS v1.3? Any other TLS tracking issues I should be addressing in NetCipher? I'd also appreciate any references on this topic (yes, I know how to find the relevant RFCs ;), like tor trac tickets. My searches have come up with very little.
.hc
The info I gave you was for Tor Browser, the latter (about session ID) is actually wrong. TBB disables both.
https://trac.torproject.org/projects/tor/ticket/20447#ticket
https://gitweb.torproject.org/tor-browser.git/tree/security/manager/ssl/nsNS...
Also: https://trac.torproject.org/projects/tor/ticket/4099
Core Tor also disables both, AFAICT:
https://gitweb.torproject.org/tor.git/commit/?id=8743080a289a20bfaf0a67d6382...
https://gitweb.torproject.org/tor.git/tree/src/common/tortls.c#n1164
-tom
Tom Ritter:
> The info I gave you was for Tor Browser, the latter (about session ID) is actually wrong. TBB disables both.
>
> https://trac.torproject.org/projects/tor/ticket/20447#ticket
> https://gitweb.torproject.org/tor-browser.git/tree/security/manager/ssl/nsNS...
Don't forget https://trac.torproject.org/projects/tor/ticket/17252 which is our medium/long term plan.
I spoke about binding the TLS session resumption and ID to the URL bar domain with some Mozilla folks a while back and they seemed to be quite amenable to this kind of patch idea. I guess I finally should file that bug in Mozilla's bugtracker to get it on everybody's radar...
Georg
> Core Tor also disables both, AFAICT:
> https://gitweb.torproject.org/tor.git/commit/?id=8743080a289a20bfaf0a67d6382...
> https://gitweb.torproject.org/tor.git/tree/src/common/tortls.c#n1164
>
> -tom
Georg Koppen:
> Tom Ritter:
>> The info I gave you was for Tor Browser, the latter (about session ID) is actually wrong. TBB disables both.
>>
>> https://trac.torproject.org/projects/tor/ticket/20447#ticket
>> https://gitweb.torproject.org/tor-browser.git/tree/security/manager/ssl/nsNS...
>
> Don't forget https://trac.torproject.org/projects/tor/ticket/17252 which is our medium/long term plan.
>
> I spoke about binding the TLS session resumption and ID to the URL bar domain with some Mozilla folks a while back and they seemed to be quite amenable to this kind of patch idea. I guess I finally should file that bug in Mozilla's bugtracker to get it on everybody's radar...
>
> Georg
>
>> Core Tor also disables both, AFAICT:
>> https://gitweb.torproject.org/tor.git/commit/?id=8743080a289a20bfaf0a67d6382...
>> https://gitweb.torproject.org/tor.git/tree/src/common/tortls.c#n1164
>>
>> -tom
Thanks for this. I'll have to convert this to Java and get it integrated into NetCipher. This affects Orfox/Fennec by the way. Fennec uses Java code to fetch some things. I think the favicon is fetched with Java code, for example.
.hc
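
For the Java side discussed in this thread, one way to get the "disable both" behaviour using only the standard JSSE API, as an added example that is not code from this thread, from Tor, or from NetCipher. `NoResumeSocketFactory` and `flushSessions` are hypothetical names, and the code assumes the platform's JSSE provider honours `SSLSession.invalidate()` as documented.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.Collections;
import javax.net.ssl.*;

// Hypothetical class, not NetCipher's API. Wraps the default JSSE client socket factory
// so that no TLS session (by ID or by ticket) is ever offered for resumption.
public final class NoResumeSocketFactory extends SSLSocketFactory {
    private final SSLContext context;
    private final SSLSocketFactory delegate;

    public NoResumeSocketFactory() throws GeneralSecurityException {
        context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // default key managers, trust managers, RNG
        delegate = context.getSocketFactory();
    }
    // Invalidate each session once its handshake completes: the open connection keeps
    // working, but the session cannot be resumed or joined by a later connection.
    private Socket noResume(Socket socket) {
        ((SSLSocket) socket).addHandshakeCompletedListener(e -> e.getSession().invalidate());
        return socket;
    }
    // Drop whatever is still cached, e.g. sessions built from tickets that arrive after
    // the handshake (TLS 1.3). Whether those get cached is provider-dependent.
    public void flushSessions() {
        SSLSessionContext cache = context.getClientSessionContext();
        for (byte[] id : Collections.list(cache.getIds())) {
            SSLSession session = cache.getSession(id);
            if (session != null) session.invalidate();
        }
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return noResume(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return noResume(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return noResume(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return noResume(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return noResume(delegate.createSocket(host, port, local, localPort));
    }
}
```

Handshake listeners may run on a separate thread, so calling `flushSessions()` before opening connections for a new identity closes the short window between handshake completion and invalidation.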