Closed Bug 1500522 Opened 6 years ago Closed 2 years ago

User Browsing Data (Alt-Svc, HSTS, and Client Certificate Selection) data leaks to Content Process

Categories

(Core :: XPCOM, enhancement)

enhancement
Not set
normal


RESOLVED FIXED
91 Branch
Fission Milestone Future

People

(Reporter: tjr, Assigned: keeler)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [spectre-blocker])

Inside of XPCOMInitData there is a member dataStorage. We pass this down to the child process in SetXPCOMProcessAttributes.

As far as I can tell, this member will contain the data entries of the storage items listed here: https://searchfox.org/mozilla-central/source/security/manager/ssl/DataStorageList.h which will include information about what websites the user has previously visited.

We'll need to figure out how to filter this or otherwise change things around so we're not leaking user browsing data.
See Also: → 1490784
See Also: → 1500558
Fission Milestone: --- → Future

Confirmed this is still the case. TRR Blacklist was removed, but the Client Certificate choice was added. The Client Certificate data doesn't include the full cert or Common Name, but does include the Serial Number and Issuer Name (along with the site it was remembered for). Besides leaking some user browser history, this would certainly be a unique identifier for the user. (Somewhat mitigated in that most users don't have Client Certificates, I'm sure.)

Summary: User Browsing Data (Alt-Svc, HSTS, and TRR Blacklist) data leaks to Content Process → User Browsing Data (Alt-Svc, HSTS, and Client Certificate Selection) data leaks to Content Process

We discussed this and consider it a blocker for disabling Spectre mitigations.

Whiteboard: [spectre-blocker]

I dug into the data shared and the primary concerning one is the Issuer field of Client Certificates which is leaked. This wouldn't reveal your name, but it could reveal your employer, for example.

Tom - I think the changes in bug 1689191 may have addressed this. Is there anything still remaining here that needs to be done?

Flags: needinfo?(tom)

Indeed!

Status: NEW → RESOLVED
Closed: 2 years ago
Depends on: 1689191
Flags: needinfo?(tom)
Resolution: --- → FIXED
Assignee: nobody → dkeeler
Target Milestone: --- → 91 Branch
Whiteboard: [spectre-blocker] → [spectre-blocker][sp3]
Whiteboard: [spectre-blocker][sp3] → [spectre-blocker]