Mitigate HSTS fingerprinting #3419

Closed
jumde opened this issue Feb 19, 2019 · 0 comments · Fixed by brave/brave-core#1744
Labels
browser-laptop-parity priority/P3 The next thing for us to work on. It'll ride the trains. QA/Test-Plan-Specified QA/Yes security

jumde commented Feb 19, 2019

From: brave/browser-laptop#12223

Description

It has been reported in various places that Criteo is using HSTS supercookies (where they buy a bunch of domains and set HSTS on a different subset of domains for each user in order to uniquely identify them) for ad tracking. https://www.gothamcityresearch.com/single-post/2017/10/12/Criteo-SA-NASDAQ-CRTO-Why-We-Believe-Criteo%E2%80%99s-Undisclosed-Practices-are-Illegal-and-Harmful-to-Advertisers

Possibilities:

  1. double-key HSTS
  2. disallow 3rd parties from setting HSTS

Test Plan

Specified here: brave/brave-core#1744
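
A toy model of the two possibilities listed in the issue, added here as an illustration and not taken from Brave's code or the linked pull request: it compares a single global HSTS store with a double-keyed store and with one that ignores HSTS headers from third parties. The class, the policy names, the hostnames and the two-label `site()` shortcut are assumptions made for the example.

```javascript
// Toy model of a browser HSTS store under three policies (added example).
// Hostnames are constructed; site() is a simplification of eTLD+1
// (a real browser would consult the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');

class HstsStore {
  constructor(policy) {
    this.policy = policy; // 'global' | 'double-keyed' | 'first-party-only'
    this.entries = new Set();
  }
  // Double-keying partitions entries by the top-level site they were set under.
  key(topSite, host) {
    return this.policy === 'double-keyed' ? `${topSite}|${host}` : host;
  }
  // A Strict-Transport-Security header arrived from `host` while the
  // user was on a page whose top-level site is `topSite`.
  observeHeader(topSite, host) {
    if (this.policy === 'first-party-only' && site(host) !== topSite) return;
    this.entries.add(this.key(topSite, host));
  }
  // Would an http:// request to `host` made under `topSite` be upgraded?
  isUpgraded(topSite, host) {
    return this.entries.has(this.key(topSite, host));
  }
}

// Third-party hosts set HSTS on a subset (`bits`) while embedded on
// news.example; return the upgrade state of the same hosts as seen when
// they are embedded on shop.example.
function crossSiteView(policy, bits) {
  const store = new HstsStore(policy);
  const hosts = bits.map((_, i) => `h${i}.thirdparty.example`);
  hosts.forEach((h, i) => { if (bits[i]) store.observeHeader('news.example', h); });
  return hosts.map((h) => store.isUpgraded('shop.example', h));
}

// A site's own HSTS header must keep working under every policy.
function firstPartyStillProtected(policy) {
  const store = new HstsStore(policy);
  store.observeHeader('bank.example', 'www.bank.example');
  return store.isUpgraded('bank.example', 'www.bank.example');
}
```

In this model the double-keyed store also stops applying an entry learned under one top-level site when the same host is embedded under another, which is the cost of partitioning.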
