Abuse Report

You have a complaint about the posting below:

08-07-2017, 14:13 by Anoniem

@ 'HSTS'wiper

https://www.torproject.org/projects/torbrowser/design/

HSTS and HPKP supercookies

An extreme (but not impossible) attack to mount is the creation of HSTS supercookies. Since HSTS effectively stores one bit of information per domain name, an adversary in possession of numerous domains can use them to construct cookies based on stored HSTS state. HPKP provides a mechanism for user tracking across domains as well. It allows abusing the requirement to provide a backup pin and the option to report a pin validation failure. In a tracking scenario every user gets a unique SHA-256 value serving as backup pin. This value is sent back after (deliberate) pin validation failures working in fact as a cookie.

Design Goal: HSTS and HPKP MUST be isolated to the URL bar domain.

Implementation Status: Currently, HSTS and HPKP state is both cleared by New Identity, but we don't defend against the creation and usage of any of these supercookies between New Identity invocations.

Also ...
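The design goal quoted in the post above can be illustrated with a small model; this is an added example, not part of the original post and not Tor Browser code. The `HstsStore` class, the `tracker.example` and `site-*.example` names and the 8-bit identifier are all constructed assumptions. It compares a global HSTS store with one keyed by the URL bar domain, and shows the effect of clearing state as New Identity does.

```python
"""Simplified model of browser HSTS state (constructed; not real browser code)."""

# Hypothetical domains, one per bit of HSTS state.
BIT_HOSTS = [f"b{i}.tracker.example" for i in range(8)]


class HstsStore:
    def __init__(self, isolate_by_url_bar_domain):
        self.isolate = isolate_by_url_bar_domain
        self._entries = set()

    def _key(self, url_bar_domain, host):
        # With isolation, the entry is only valid under the site it was set on.
        return (url_bar_domain if self.isolate else None, host)

    def note_sts_header(self, url_bar_domain, host):
        """Record that `host` sent Strict-Transport-Security over HTTPS."""
        self._entries.add(self._key(url_bar_domain, host))

    def upgrades_to_https(self, url_bar_domain, host):
        """Would an http:// load of `host` be rewritten to https:// here?"""
        return self._key(url_bar_domain, host) in self._entries

    def new_identity(self):
        """Model of New Identity: all HSTS state is cleared."""
        self._entries.clear()


def state_visible_from(store, url_bar_domain):
    """Bits a third party can observe while embedded on `url_bar_domain`."""
    return sum(1 << i for i, host in enumerate(BIT_HOSTS)
               if store.upgrades_to_https(url_bar_domain, host))


def simulate(isolate, clear_between=False):
    """Set HSTS bits under site-a.example, then observe from site-b.example."""
    store = HstsStore(isolate)
    ident = 0b10110010  # constructed sample identifier
    for i, host in enumerate(BIT_HOSTS):
        if (ident >> i) & 1:
            store.note_sts_header("site-a.example", host)
    if clear_between:
        store.new_identity()
    return ident, state_visible_from(store, "site-b.example")


if __name__ == "__main__":
    print("global store:      ", simulate(isolate=False))
    print("isolated store:    ", simulate(isolate=True))
    print("after New Identity:", simulate(isolate=False, clear_between=True))
```

With the global store the stored bits are readable from the second site, which is the gap the post describes between New Identity invocations; keying by URL bar domain or clearing state leaves nothing to read.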
