HTTP accept-language header fingerprinting detail
The English version of the Tor Browser's accept-language header is "en-us,en;q=0.5". According to the EFF's Panopticlick, the more common representation of this is "en-US,en;q=0.5", with the country code capitalized (4.7 bits of identifying information for en-US compared to 5.01 for en-us). The spec for language codes also capitalizes the country code, see https://tools.ietf.org/html/rfc5646 and http://www.w3.org/International/articles/language-tags/. The Tor Browser has it as "en-us" in 4.0.3 and 4.5a3.
Future versions of the Tor Browser might want to capitalize these country codes. I noticed this while playing around with making regular Firefox proxy through Tor, and seeing what it takes to fool https://check.torproject.org to think I am using the Tor Browser. It only checks the user-agent apparently, but https://panopticlick.eff.org was still able to distinguish FirefoxESR (with a user-agent override) from the Tor Browser based on this en-US/en-us difference.
Taken together with the user-agent, Panopticlick reports that the total fingerprint data is less identifying with "en-us", but this must be because all instances of the Tor Browser already have it that way. Changing it to "en-US" in the future will bring it more in line with the specs and what other browsers practice.
Trac:
Username: Leto