Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Tuesday November 20 2018, @08:02AM   Printer-friendly
from the eternal-vigilance-is-the-price-of-liberty dept.

Cryptographer Derek Zimmer at Private Internet Access blogs about a supercookie built into TLS 1.2 and 1.3. In principle, the new standards increase both securty and privacy through the use of better algorithms. In practice, the result falls short. Although the problem is worse in the older versions of TLS, a new feature in TLS, 0-RTT, actively impairs the ability to maintain privacy by skipping some renegotiation steps that pertain to generating new keys. Thus web sites and larger networks can follow individual connections as they move around, say home, work, café, etc. Browsers like Firefox contribute to the problem by enabling session IDs, Session Tickets, and 0-RTT by default even in their so-called Private Mode.

Complete steps for mitigation appear in the blog post, but the Firefox workaround is to set these values after opening about:config

security.tls.enable_0rtt_dataexisting keyfalse
security.ssl.disable_session_identifierscreate new keytrue
privacy.firstparty.isolateexisting keytrue
security.ssl.enable_false_startexisting keyfalse
NOTE with respect to privacy.firstparty.isolate: "(This setting can break websites that rely heavily on 3rd party libraries and scripts.)"

The blog notes "I am currently researching mitigations for this problem in Chrome, but full mitigation does not seem possible at this time." No statement is made about whether or not this is an issue (or, if it is, whether or not there are mitigations) with any other browsers or with command line utilities such as curl or wget.

[Updated 2018-11-20 to add warning about privacy.firstparty.isolate --martyb]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by Freeman on Tuesday November 20 2018, @07:11PM (1 child)

    by Freeman (732) on Tuesday November 20 2018, @07:11PM (#764344) Journal

    I know the place I work for blocks things like TOR, and other proxy / relay / vpn services. It's not an uncommon practice, because reasons. One possible reason being control of the flow of traffic on their own network.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by DannyB on Tuesday November 20 2018, @07:45PM

    by DannyB (5839) Subscriber Badge on Tuesday November 20 2018, @07:45PM (#764367) Journal

    See my post below about 'if your vpn is blocked'.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.