
Mitigate HSTS fingerprinting #3419

Closed
jumde opened this issue Feb 19, 2019 · 0 comments · Fixed by brave/brave-core#1744

Comments


jumde commented Feb 19, 2019

From: brave/browser-laptop#12223

Description

It has been reported in various places that Criteo is using HSTS supercookies (where they buy a bunch of domains and set HSTS on a different subset of domains for each user in order to uniquely identify them) for ad tracking. https://www.gothamcityresearch.com/single-post/2017/10/12/Criteo-SA-NASDAQ-CRTO-Why-We-Believe-Criteo%E2%80%99s-Undisclosed-Practices-are-Illegal-and-Harmful-to-Advertisers

possibilities:

  1. double-key HSTS
  2. disallow 3rd parties from setting HSTS

Test Plan

Specified here: brave/brave-core#1744
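As an added illustration (not Brave's code and not the brave-core#1744 implementation), the following toy Python model of an HSTS store shows why the two options listed above stop HSTS state set under one top-level site from being observed under another. The host names and the "set on every other host" pattern are constructed for the example.

```python
# Toy model of a browser HSTS store with the two mitigations from the issue:
#  - double_key: entries are keyed by (host, top-level site), not just host
#  - block_third_party: Strict-Transport-Security from a subresource whose host
#    differs from the top-level site is ignored
# This is an added example, not Brave's implementation.

TRACKER_HOSTS = [f"t{i}.example" for i in range(8)]  # constructed host names


class HstsStore:
    def __init__(self, double_key=False, block_third_party=False):
        self.double_key = double_key
        self.block_third_party = block_third_party
        self.entries = set()

    def _key(self, host, top_site):
        # Single-keyed stores ignore the top-level site entirely.
        return (host, top_site) if self.double_key else (host,)

    def set_hsts(self, host, top_site):
        """Record an HSTS header from `host`, received while `top_site` is the page."""
        if self.block_third_party and host != top_site:
            return False  # third-party HSTS refused
        self.entries.add(self._key(host, top_site))
        return True

    def upgrades(self, host, top_site):
        """Would a plain-HTTP load of `host` under `top_site` be upgraded to HTTPS?"""
        return self._key(host, top_site) in self.entries


def observable_state(store, top_site):
    """The per-host upgrade decisions visible to content embedded under top_site."""
    return [store.upgrades(h, top_site) for h in TRACKER_HOSTS]


def cross_site_leak(store):
    """True if HSTS state written under site-a is observable under unrelated site-b."""
    for i, host in enumerate(TRACKER_HOSTS):
        if i % 2 == 0:  # constructed subset, standing in for a per-user pattern
            store.set_hsts(host, "site-a.example")
    seen_on_b = observable_state(store, "site-b.example")
    return any(seen_on_b)


if __name__ == "__main__":
    for kwargs in ({}, {"double_key": True}, {"block_third_party": True}):
        print(kwargs or "default", "leaks across sites:", cross_site_leak(HstsStore(**kwargs)))
```

Note that both mitigations leave ordinary first-party HSTS intact: a host that sets the header on its own top-level page is still upgraded on later visits to that page.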

@jumde jumde added the security label Feb 19, 2019
@jumde jumde self-assigned this Feb 19, 2019
@tildelowengrimm tildelowengrimm added this to Untriaged Backlog in Security & Privacy via automation Feb 19, 2019
@tildelowengrimm tildelowengrimm added this to Untriaged / Incoming in Shields via automation Feb 19, 2019
@tildelowengrimm tildelowengrimm added the priority/P3 The next thing for us to work on. It'll ride the trains. label Feb 19, 2019
@tildelowengrimm tildelowengrimm moved this from Untriaged / Incoming to Feature Backlog in Shields Feb 19, 2019
@tildelowengrimm tildelowengrimm moved this from Untriaged Backlog to P3, P4, & P5 Backlog in Security & Privacy Feb 19, 2019
@diracdeltas diracdeltas moved this from P3, P4, & P5 Backlog to In Progress in Security & Privacy Feb 20, 2019
Security & Privacy automation moved this from In Progress to Completed Mar 1, 2019
Shields automation moved this from Feature Backlog to Completed Mar 1, 2019
@bbondy bbondy added this to the Closed / Invalid milestone Jun 3, 2020