Closed Bug 1162542 Opened 9 years ago Closed 9 years ago

HSTS should not be shared between appIds

Categories: Core :: Networking, defect

Status: RESOLVED WONTFIX

People

(Reporter: baku, Unassigned)

Details

Currently, in b2g, if the same page is opened by 2 different apps, we share HSTS settings and this can be used for tracking. It would be nice to have this information associated with the appId of the app.
I think the way that we currently do this is actually fine. I agree there's some information leakage, but until we see that starting to be exploited to do tracking or other bad things, I'd rather do things as we do them now since it has security benefits.
I agree with Jonas.

Richard, if you agree too, then please mark WONTFIX.
Flags: needinfo?(rlb)
We don't permanently store HSTS information in private browsing.
Why do we do that there if we think that having such information leaked is not a problem?
It seems an inconsistent behavior: private browsing is a kind of sandbox environment.
The same is true of b2g with appIds: sandboxes, but persistent.

I push to have this fixed if it doesn't require a huge amount of work.
Flags: needinfo?(jonas)
I think private browsing is intended to provide stronger guarantees than our cookie jar implementation. With private browsing one goal is for example to ensure that there's no trace of the user visiting a website if the visit happened during private browsing.

Splitting the HSTS database on a per-cookie jar basis has security disadvantages, so even if it was a zero-line fix, I don't think we'd actually want to do it.
Flags: needinfo?(jonas)
> Splitting the HSTS database on a per-cookie jar basis has security
> disadvantages, so even if it was zero-line fix, I don't think we'd actually
> want to do it.

Can you tell me more about these security disadvantages?
Flags: needinfo?(jonas)
(In reply to Andrea Marchesini (:baku) from comment #5)
> Can you tell me more about these security disadvantages?

it would mean less use of https
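The trade-off argued in the two comments above (a shared HSTS store lets one app's learned policy upgrade another app's requests, a per-appId store keeps that policy invisible across apps) can be made concrete with a small model. This is an added example, not Gecko's code; the `HstsStore` class, the `partitioned` switch and the hostnames, appIds and max-age values in the test are all constructed.

```python
# Added example (not Gecko's code): a toy HSTS store keyed either by host
# alone (shared, as b2g did) or by (appId, host) (partitioned, as proposed).
# Hostnames, appIds and max-age values used with it are constructed.
import time


class HstsStore:
    """Minimal HSTS policy store; expiry and includeSubDomains are honoured."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self._entries = {}  # (partition, host) -> (expiry_ts, include_subdomains)

    def _key(self, app_id, host):
        # In shared mode every app sees the same entries, so the partition is dropped.
        return (app_id if self.partitioned else None, host.lower())

    def process_header(self, app_id, host, header, now=None):
        """Record, refresh or clear the entry for host from an STS header value; False if no max-age."""
        now = time.time() if now is None else now
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age" and value.strip().strip('"').isdigit():
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # a header without max-age is invalid and is ignored
        key = self._key(app_id, host)
        if max_age == 0:
            self._entries.pop(key, None)  # max-age=0 tells the client to forget the host
        else:
            self._entries[key] = (now + max_age, include_sub)
        return True

    def should_upgrade(self, app_id, host, now=None):
        """True if an http request to host must be rewritten to https for app_id."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(self._key(app_id, ".".join(labels[i:])))
            if entry is None or entry[0] <= now:
                continue  # unknown host, or the policy has expired
            if i == 0 or entry[1]:
                return True  # exact match, or a parent entry with includeSubDomains
        return False
```

With `partitioned=False` an entry learned under appId 1 upgrades requests from appId 2 (more https, but an observable cross-app signal); with `partitioned=True` appId 2 stays on http until it sees the header itself.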
I think this is a really serious issue. I understand the security disadvantages, but there should at least be an option to prevent this type of tracking. It is unknown if this is not already exploited. Even if not: the time will come when it will, and until there comes a better solution, the user should be able to decide between security and privacy.
I'd like to finally get rich by offering an advanced user tracking service based on the sharing of HSTS information, but my efforts would be useless if you fix this feature too soon. So, is there kind of a guarantee that this will *not* be fixed in the near future? :-)
+1 to WONTFIX
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(rlb)
Resolution: --- → WONTFIX