Collective-resistance: Sharing HSTS data
As part of the Collaborative ResistancE to Web Surveillance (CREWS)'s project with UCL we are going to build a prototype to understand of effectiveness of enhanced eavesdropping protection in Tor Browser.
To resist SSL-stripping attacks browsers (including Tor Browser) include predefined lists of websites that permit encryption and therefore should not permit downgrading. Some web browsers also respect HTTP Strict Transport Security (HSTS) settings to allows this list to be augmented by websites themselves, i.e. if a user visits a website once and encryption is ena- bled, the web browser will not permit a downgrade in the future. However, Tor Browser does not keep HSTS records because doing so could create a unique fingerprint of that user. In this project will therefore evaluate ways to allow users to share their HSTS data so that they can be aggregated, protect other Tor users, and also mitigate the risk of anonymity-set partitioning. Privacy-preserving aggregation techniques will be applied, 10 and users will be given the agency to decide whether to allow their data to be used in this way.