
posted by martyb on Tuesday November 20 2018, @08:02AM
from the eternal-vigilance-is-the-price-of-liberty dept.

Cryptographer Derek Zimmer at Private Internet Access blogs about a supercookie built into TLS 1.2 and 1.3. In principle, the new standards increase both security and privacy through the use of better algorithms. In practice, the result falls short. Although the problem is worse in the older versions of TLS, a new TLS 1.3 feature, 0-RTT, actively impairs privacy: a resumed connection reuses the ticket and pre-shared key issued in an earlier session instead of running the full handshake that would generate fresh keys, so the server can link the two connections. Thus web sites and larger networks can follow an individual client as it moves around, say home, work, café, etc. Browsers like Firefox contribute to the problem by enabling session IDs, session tickets, and 0-RTT by default, even in their so-called Private Mode.

Complete steps for mitigation appear in the blog post, but the Firefox workaround is to set these values after opening about:config:

    Preference                                  Key           Value
    security.tls.enable_0rtt_data               existing      false
    security.ssl.disable_session_identifiers    create new    true
    privacy.firstparty.isolate                  existing      true
    security.ssl.enable_false_start             existing      false

NOTE with respect to privacy.firstparty.isolate: "(This setting can break websites that rely heavily on 3rd party libraries and scripts.)"
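As an added example (not code from the PIA post or from SoylentNews), the following Python script parses a Firefox prefs.js in the user_pref() format Firefox writes, checks the four preferences from the table above against the recommended values, and emits user.js lines for any that are missing or wrong. The pref names and values are the ones in the table; the sample prefs.js content is constructed for the example and is not from a real profile.

```python
import re

# The four preferences from the mitigation table above and their recommended values.
RECOMMENDED = {
    "security.tls.enable_0rtt_data": False,
    "security.ssl.disable_session_identifiers": True,
    "privacy.firstparty.isolate": True,
    "security.ssl.enable_false_start": False,
}

# One user_pref("name", value); line as Firefox writes it in prefs.js / user.js.
# Values are true/false, an integer, or a double-quoted string.
_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);'
)

# Constructed sample of a prefs.js, not taken from a real profile.  Only two of
# the four mitigation prefs are present, and one of them still has the value
# that allows tracking.
SAMPLE_PREFS_JS = """// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1542700000);
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("privacy.firstparty.isolate", true);
user_pref("security.tls.enable_0rtt_data", true);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js / user.js body.
    Later lines override earlier ones, as they do when Firefox reads user.js."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def audit(prefs):
    """Return {name: (current, wanted)} for each recommended pref that is absent
    or differs.  A pref absent from prefs.js is at Firefox's built-in default,
    and the story says Firefox enables these mechanisms by default, so absent
    (reported as None) counts as non-compliant."""
    findings = {}
    for name, wanted in RECOMMENDED.items():
        current = prefs.get(name)
        if current != wanted:
            findings[name] = (current, wanted)
    return findings


def user_js_lines(findings):
    """user.js lines that set each non-compliant pref to its recommended value."""
    return [
        f'user_pref("{name}", {"true" if wanted else "false"});'
        for name, (_current, wanted) in sorted(findings.items())
    ]


if __name__ == "__main__":
    findings = audit(parse_prefs(SAMPLE_PREFS_JS))
    for name, (current, wanted) in sorted(findings.items()):
        print(f"{name}: {current!r} -> {wanted!r}")
    print("\n".join(user_js_lines(findings)))
```

To audit a real profile, replace SAMPLE_PREFS_JS with the contents of that profile's prefs.js; the emitted lines belong in a user.js file in the same profile directory, which Firefox reads at startup. Re-running the audit on the original text plus the emitted lines returns no findings.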

The blog notes "I am currently researching mitigations for this problem in Chrome, but full mitigation does not seem possible at this time." No statement is made about whether or not this is an issue (or, if it is, whether or not there are mitigations) with any other browsers or with command line utilities such as curl or wget.

[Updated 2018-11-20 to add warning about privacy.firstparty.isolate --martyb]

  • (Score: 5, Informative) by DannyB (5839) on Tuesday November 20 2018, @07:45PM (#764365) (2 children)

    VPN through HTTPS Proxy with SSH [tobru.ch]

    If you are in a situation where you are locked in a network which has all ports closed to the outside, but there is a HTTP(S) proxy available, then you're lucky and can create a VPN easily using some nice tricks.

    Prerequisites

    You need to have access to an SSH daemon which can be configured to listen on port 443. And you need root rights for everything described here.

    You can buy a cheap $5 / month cloud VPS from Linode or Digital Ocean. 1 CPU + 1 GB RAM. You can put whatever Linux you want on it and configure it any way you want. For that price, you can have not only SSH and a VPN, but a web site and anything else you want to put on a small server that you control.

    --
    Why is it so difficult to break a heroine addiction?
  • (Score: 2) by Freeman (732) on Wednesday November 21 2018, @03:58PM (#764775) (1 child)

    Highly not recommended, if your employer really doesn't want you using a VPN. Doing something to get around their "safe guards" could get you fired.

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 3, Insightful) by DannyB (5839) on Wednesday November 21 2018, @06:31PM (#764870)

      That is a good point.

      I'm thinking of how to evade as a puzzle to be solved.

      And a purely hypothetical one for me, since my workplace doesn't have such 'safe' guards.

      --
      Why is it so difficult to break a heroine addiction?