Closed Bug 1500522 Opened 7 years ago Closed 4 years ago

User Browsing Data (Alt-Svc, HSTS, and Client Certificate Selection) data leaks to Content Process

Categories

(Core :: XPCOM, enhancement)

Product:
Core
Component:
XPCOM
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
91 Branch
Project Flags:
Fission Milestone Future

People

(Reporter: tjr, Assigned: keeler)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [spectre-blocker])

Inside of XPCOMInitData there is a member dataStorage. We pass this down to the child process in SetXPCOMProcessAttributes. As far as I can tell, this member will contain the data entries of the storage items listed here: https://searchfox.org/mozilla-central/source/security/manager/ssl/DataStorageList.h which will include information about what websites the user has previously visited. We'll need to figure out how to filter this or otherwise change things around so we're not leaking user browsing data.
See Also: → 1490784
See Also: → 1500558
Fission Milestone: --- → Future

Confirmed this is still the case. TRR Blacklist was removed but the Client Certificate choice was added. The Client Certificate data doesn't include the full cert or Common Name; but does include the Serial Number and Issuer Name (along with the site it was remembered for.) Besides leaking some user browser history this would certainly be a unique identifier for the user. (Somewhat mitigated that most users don't have Client Certificates I'm sure.)

Summary: User Browsing Data (Alt-Svc, HSTS, and TRR Blacklist) data leaks to Content Process → User Browsing Data (Alt-Svc, HSTS, and Client Certificate Selection) data leaks to Content Process
Blocks: 1707955

We discussed this and consider it a blocker for disabling Spectre mitigations.

Whiteboard: [spectre-blocker]

I dug into the data shared and the primary concerning one is the Issuer field of Client Certificates which is leaked. This wouldn't reveal your name, but it could reveal your employer, for example.

Tom - I think the changes in bug 1689191 may have addressed this. Is there anything still remaining here that needs to be done?

Flags: needinfo?(tom)

Indeed!

Status: NEW → RESOLVED
Closed: 4 years ago
Depends on: 1689191
Flags: needinfo?(tom)
Resolution: --- → FIXED
Assignee: nobody → dkeeler
Target Milestone: --- → 91 Branch
Whiteboard: [spectre-blocker] → [spectre-blocker][sp3]
See Also: https://mozilla-hub.atlassian.net/browse/SP3-78
Whiteboard: [spectre-blocker][sp3] → [spectre-blocker]
You need to log in before you can comment on or make changes to this bug.