More Torbutton Header Issues
Hi guys this is zak, i am testing the new alpha version of Firefox 4 Tor Browser Bundle for Windows and i think that there might be a problem with the new torbutton 1.3.2-alpha , it seems that the browser does not have the torbutton header signature. I have actually found a way to make it right but it's very chaotic and it does not solve the problem in a proper way. Let me know if you need more details. BY
Trac:
Username: zak
Activity
Replying to zak:
Hi guys this is zak, i am testing the new alpha version of Firefox 4 Tor Browser Bundle for Windows and i think that there might be a problem with the new torbutton 1.3.2-alpha , it seems that the browser does not have the torbutton header signature. I have actually found a way to make it right but it's very chaotic and it does not solve the problem in a proper way. Let me know if you need more details. BY
What do you mean by "torbutton header signature"? If you are referring to user-agent and/or 'referrers' see below (tested via http://browserspy.dk/headers.php). The only difference I see is an extra space in http_accept_encoding between "gzip," and "deflate" in TorButton 1.3.2-alpha vs TorButton 1.2.5. Granted, TorButton 1.3.2-alpha has 'smart' referrer spoofing and TorButton 1.2.5 does not; that issue can be resolved by adding the Firefox Add-on "Refcontrol" to Tor Browser Bundle v1.3.23 and configuring Refcontrol to 'forge'.
TorButton v1.2.5 (testing Tor Browser Bundle v1.3.23):
TorButton v1.3.2-alpha (testing Tor Browser Bundle v2.2.24-1 alpha):
Trac:
Username: HG2G-
Hi this is zak, thanks for answering. I am the one who made the screen shot and highlighted in red the interesting parts . The test is the jondo test for jondo and tor that you can find here: http://ip-check.info/?lang=en. I executed lots of test like the Deanonymizer test (http://deanonymizer.com/test.php) and so far everything is fine and the torbutton seems doing well. In the first test you will also see that jondo does not seem to approve the smartspoof (their point is that the header of the browser does not change only when changing domain but also when changing sub-domain). I also executed this test on linux and the results are the same as on windows.I do not know if there is a real problem in terms of security, the only problem I see is that if there are, for example, 100 people using the configuration shown in the photo tb2 (this is the configuration of the Firefox 4 Tor Browser Bundle for Windows with firefox4 and torbutton 1.3.2 alpha after some changes but it's also the configuration of firefox3 with Torbutton 1.2.5) and there are 10 people using the configuration shown on the TB1 shot (this is the configuration of firefox4 with Torbutton 1.3.2. alpha),then it will be much easier to distinguish the ten from the other. Let me know if you need more details in order to explain the problem better (by the way i am a huge fan) by
Trac:
Username: zak 
What do you think the problem is? If you're just wondering why we haven't replied, it is because the issues in your images actually represent several different bugs.
Additionally, a lot of the fields here are in dispute in terms of how useful it is to deal with them, and what the best way to do that is. We can't block all of them without having a serious impact on web functionality.. However, we are looking into solutions for window.name, fonts, and better options for screen resolution. See #2875 (closed), #2872 (closed), #3414 (closed).
