Hi, I have a question about [1]. This article states:
In early December, Apple released an update to iOS and Safari which disabled Criteo’s ability to exploit HSTS. This led to Criteo revising down their revenue forecasts and a sharp fall in their share price.
How exactly does this update work? (We'll possibly want to adjust libsoup's forthcoming HSTS implementation accordingly.)
Thanks,
Michael
[1] https://www.eff.org/deeplinks/2017/12/arms-race-against-trackers-safari-lead...
Hi devs, Any info about how to mitigate this problem would be appreciated. Thanks! Michael
Brent Fulgham or John Wilander would know the details. - Maciej
On Jan 5, 2018, at 8:04 AM, Michael Catanzaro <mcatanzaro@igalia.com> wrote:
Hi devs,
Any info about how to mitigate this problem would be appreciated. Thanks!
Michael
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
I’m sorry we haven’t been forthcoming with details. We have wanted to put together a blog post explaining our fix, but have been preoccupied with a number of other security issues. I will make this my top priority, or at least give a rough overview to the webkit-security folks if we can’t put together a blog-worthy document fast enough. Thanks, -Brent
On Jan 5, 2018, at 12:58 PM, Maciej Stachowiak <mjs@apple.com> wrote:
Brent Fulgham or John Wilander would know the details.
- Maciej
On Jan 5, 2018, at 8:04 AM, Michael Catanzaro <mcatanzaro@igalia.com> wrote:
Hi devs,
Any info about how to mitigate this problem would be appreciated. Thanks!
Michael
On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham <bfulgham@apple.com> wrote:
I’m sorry we haven’t been forthcoming with details. We have wanted to put together a blog post explaining our fix, but have been preoccupied with a number of other security issues.
I will make this my top priority, or at least give a rough overview to the webkit-security folks if we can’t put together a blog-worthy document fast enough.
Thanks,
-Brent
Hi, It'd still be great to get some details about your strategy for mitigating user tracking via HSTS. It should be suitable for webkit-dev, rather than the private security list, right? Michael
On Mar 1, 2018, at 10:44 AM, Michael Catanzaro <mcatanzaro@igalia.com> wrote:
On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham <bfulgham@apple.com> wrote:
I’m sorry we haven’t been forthcoming with details. We have wanted to put together a blog post explaining our fix, but have been preoccupied with a number of other security issues. I will make this my top priority, or at least give a rough overview to the webkit-security folks if we can’t put together a blog-worthy document fast enough. Thanks, -Brent
Hi,
It'd still be great to get some details about your strategy for mitigating user tracking via HSTS.
It should be suitable for webkit-dev, rather than the private security list, right?
I think we should still publish the blog post, if it's at all close to ready. Brent? - Maciej
Sure — I’ll ask Jon to get it scheduled to post.
On Mar 1, 2018, at 11:50 AM, Maciej Stachowiak <mjs@apple.com> wrote:
On Mar 1, 2018, at 10:44 AM, Michael Catanzaro <mcatanzaro@igalia.com> wrote:
On Fri, Jan 5, 2018 at 3:11 PM, Brent Fulgham <bfulgham@apple.com> wrote:
I’m sorry we haven’t been forthcoming with details. We have wanted to put together a blog post explaining our fix, but have been preoccupied with a number of other security issues. I will make this my top priority, or at least give a rough overview to the webkit-security folks if we can’t put together a blog-worthy document fast enough. Thanks, -Brent
Hi,
It'd still be great to get some details about your strategy for mitigating user tracking via HSTS.
It should be suitable for webkit-dev, rather than the private security list, right?
I think we should still publish the blog post, if it's at all close to ready. Brent?
- Maciej
On Thu, Mar 1, 2018 at 7:44 PM, Michael Catanzaro <mcatanzaro@igalia.com> wrote:
It'd still be great to get some details about your strategy for mitigating user tracking via HSTS.
FWIW, some were posted by John Wilander at https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE. -- https://annevankesteren.nl/
On Fri, Mar 2, 2018 at 4:37 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
FWIW, some were posted by John Wilander at https://mailarchive.ietf.org/arch/msg/websec/t_R00ZDVHrBmroEX989GeaXdejE.
That's exactly what I was looking for... thanks!
participants (4): Anne van Kesteren, Brent Fulgham, Maciej Stachowiak, Michael Catanzaro