
GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.


Closed
Open
Opened Jan 15, 2021 by Gaba (@gaba), Owner

Collective-resistance: Sharing HSTS data

As part of the Collaborative ResistancE to Web Surveillance (CREWS) project with UCL we are going to build a prototype to understand the effectiveness of enhanced eavesdropping protection in Tor Browser.

To resist SSL-stripping attacks, browsers (including Tor Browser) include predefined lists of websites that permit encryption and therefore should not permit downgrading. Some web browsers also respect HTTP Strict Transport Security (HSTS) settings to allow this list to be augmented by websites themselves, i.e. if a user visits a website once and encryption is enabled, the web browser will not permit a downgrade in the future. However, Tor Browser does not keep HSTS records because doing so could create a unique fingerprint of that user. In this project we will therefore evaluate ways to allow users to share their HSTS data so that they can be aggregated, protect other Tor users, and also mitigate the risk of anonymity-set partitioning. Privacy-preserving aggregation techniques will be applied, and users will be given the agency to decide whether to allow their data to be used in this way.

Milestone: Sponsor 103: Collaborative ResistancE to Web Surveillance (CREWS)
Due date: Feb 28, 2021
Reference: tpo/applications/tor-browser#40295