Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Tuesday November 20 2018, @08:02AM   Printer-friendly
from the eternal-vigilance-is-the-price-of-liberty dept.

Cryptographer Derek Zimmer at Private Internet Access blogs about a supercookie built into TLS 1.2 and 1.3. In principle, the new standards increase both securty and privacy through the use of better algorithms. In practice, the result falls short. Although the problem is worse in the older versions of TLS, a new feature in TLS, 0-RTT, actively impairs the ability to maintain privacy by skipping some renegotiation steps that pertain to generating new keys. Thus web sites and larger networks can follow individual connections as they move around, say home, work, café, etc. Browsers like Firefox contribute to the problem by enabling session IDs, Session Tickets, and 0-RTT by default even in their so-called Private Mode.

Complete steps for mitigation appear in the blog post, but the Firefox workaround is to set these values after opening about:config

security.tls.enable_0rtt_dataexisting keyfalse
security.ssl.disable_session_identifierscreate new keytrue
privacy.firstparty.isolateexisting keytrue
security.ssl.enable_false_startexisting keyfalse
NOTE with respect to privacy.firstparty.isolate: "(This setting can break websites that rely heavily on 3rd party libraries and scripts.)"

The blog notes "I am currently researching mitigations for this problem in Chrome, but full mitigation does not seem possible at this time." No statement is made about whether or not this is an issue (or, if it is, whether or not there are mitigations) with any other browsers or with command line utilities such as curl or wget.

[Updated 2018-11-20 to add warning about privacy.firstparty.isolate --martyb]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday November 21 2018, @01:13PM

    by Anonymous Coward on Wednesday November 21 2018, @01:13PM (#764690)

    That's what the CIA wants you to think o_O