Open Bug 1216735 Opened 10 years ago Updated 3 years ago

Options to control HSTS

Categories

(Core :: Networking: HTTP, enhancement, P5)

Product:
Core
Component:
Networking: HTTP
Version:
41 Branch
Type:
enhancement

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: sworddragon2, Unassigned)

Details

(Whiteboard: [necko-would-take])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0 Build ID: 20151016093648 Actual results: HSTS provides a new security feature but also makes it easier to track the user. So it may be useful to give the user more control over HSTS. Expected results: Options could be: - A general option to en-/disable HSTS. - A client-sided lifetime option that does force expiring HSTS entries after the chosen amount of seconds. - An option to force expiring HSTS entries if Firefox gets closed. Also I have read that it is possible that domains can read set informations from other domains. In case this is true I'm not aware what the use of this behavior is. If there is no use this should be restricted and if there is an use an option to disable this cross domain reading can be maybe added if that would not fully break HSTS.
Severity: normal → enhancement
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
(In reply to sworddragon2 from comment #0) > HSTS provides a new security feature but also makes it easier to track the > user. How? Gerv
Because the HSTS database acts as a supercookie. You can test yourself if your HSTS setup makes you trackable for example by visiting this site: http://www.radicalresearch.co.uk/lab/hstssupercookies
(In reply to sworddragon2 from comment #2) > Because the HSTS database acts as a supercookie. You can test yourself if > your HSTS setup makes you trackable for example by visiting this site: > http://www.radicalresearch.co.uk/lab/hstssupercookies It's not a "supercookie" - we clear HSTS flags when we clear cookies. The site you link to says: "The impact is that it's possible for a site to track you even if you choose to use "incognito" or "private" browsing features in an effort to avoid such tracking." But private browsing mode was not, historically at least, about avoiding being tracked. It was about keeping your history private from other users of your computer. Now we've added some tracking avoidance to PBM, however, this becomes more of a reasonable point. So NI margaret. Gerv
Flags: needinfo?(margaret.leibovic)
Redirecting to Javaun. He's a better person to handle product decisions around PB and tracking protection.
Flags: needinfo?(margaret.leibovic) → needinfo?(jmoradi)
I'm not sure I'm answering this correctly and NI'ing Fracois, platform lead on Tracking Protection. Gerv is correct about the traditional definition of PBM, we have only been concerned with the local privacy threat. In our tracking protection feature definition and our list policy definition we seek to restrict third-party tracking, not first party. Beyond HSTS, that would mean that a first-party could track you via other technical means, such as canvas fingerprinting or system clock. From a user point-of-view, we look at intent. If you visit site example.com, you're directly engaging with them but are not necessarily informed that you may be exposed to third-parties. That's why we focus on third-party tracking. The first-party site may still be a bad actor, but that's an explicit choice the user made to visit it. As a practical matter, first party sites may have far more personal data than a tracking pixel may deliver. If the first-party is your email provider, or a social network, they may have your private emails, photos of your family, birthdays, etc. Fingerprinting is the least of your worries if you don't trust them with that information.
Flags: needinfo?(jmoradi) → needinfo?(francois)
Flags: needinfo?(francois)
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.