
Re: [clear-site-data] User Tracking via TLS Session Resumption

From: Daniel Veditz <dveditz@mozilla.com>
Date: Thu, 1 Nov 2018 16:08:42 -0700
Message-ID: <CADYDTCBD9+iwfWHK7_QS233UaPKpnZqLDSRsxxGahTLVc0PNtQ@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Fri, Oct 26, 2018 at 1:41 AM Frederik Braun <fbraun@mozilla.com> wrote:

> Should "cache" include TLS session information?
> If not, should there be some sort of security-state flag for the
> Clear-Site-Data header which removes existing security state (e.g., TLS
> session tickets, HPKP/HSTS values set through headers (assuming browser
> support))?
>

The spec already has the "cookies" parameter clear TLS Channel ID and bound
tokens.
https://w3c.github.io/webappsec-clear-site-data/#clear-cookies

Are TLS session tickets more like that or more like cache? Even if they
aren't really auth-like things would it be less confusing to lump all the
TLS-tracking things together?

Do we expect users of Clear-Site-Data to pick and choose types, or are they
just going to use "*" in practice?

-Dan Veditz
Received on Thursday, 1 November 2018 23:09:18 UTC
