Opened 8 years ago

Closed 7 years ago

#3018 closed defect (user disappeared)

More Torbutton Header Issues

Reported by: zak
Owned by: mikeperry
Priority: High
Component: TorBrowserButton
Version: Torbutton: 1.3.0-alpha

Description

Hi guys, this is zak. I am testing the new alpha version of Firefox 4 Tor Browser Bundle for Windows and I think that there might be a problem with the new torbutton 1.3.2-alpha; it seems that the browser does not have the torbutton header signature. I have actually found a way to make it right but it's very chaotic and it does not solve the problem in a proper way. Let me know if you need more details. Bye

Attachments (5)

tb1.JPG (1.9 MB) - added by zak 8 years ago.
tb2.JPG (1.7 MB) - added by zak 8 years ago.
HyuaA.jpg (104.8 KB) - added by rransom 8 years ago.
screenshot
p3UTj.jpg (102.2 KB) - added by rransom 8 years ago.
screenshot
tor-browser-2.2.25-1-alpha_en-US.JPG (2.3 MB) - added by zak 8 years ago.
tor-browser-2.2.25-1-alpha

Change History (14)

comment:1 in reply to:  description Changed 8 years ago by HG2G

Replying to zak:

Hi guys, this is zak. I am testing the new alpha version of Firefox 4 Tor Browser Bundle for Windows and I think that there might be a problem with the new torbutton 1.3.2-alpha; it seems that the browser does not have the torbutton header signature. I have actually found a way to make it right but it's very chaotic and it does not solve the problem in a proper way. Let me know if you need more details. Bye

What do you mean by "torbutton header signature"? If you are referring to user-agent and/or 'referrers' see below (tested via http://browserspy.dk/headers.php). The only difference I see is an extra space in http_accept_encoding between "gzip," and "deflate" in TorButton 1.3.2-alpha vs TorButton 1.2.5. Granted, TorButton 1.3.2-alpha has 'smart' referrer spoofing and TorButton 1.2.5 does not; that issue can be resolved by adding the Firefox Add-on "Refcontrol" to Tor Browser Bundle v1.3.23 and configuring Refcontrol to 'forge'.

TorButton v1.2.5 (testing Tor Browser Bundle v1.3.23):

http://i.imgur.com/HyuaA.jpg

TorButton v1.3.2-alpha (testing Tor Browser Bundle v2.2.24-1 alpha):

http://i.imgur.com/p3UTj.jpg

Changed 8 years ago by zak

Attachment: tb1.JPG added

Changed 8 years ago by zak

Attachment: tb2.JPG added

comment:2 Changed 8 years ago by zak

Owner: changed from mikeperry to zak
Status: changed from new to assigned

Hi and thanks for answering, I just added two files that might explain where the problem is. tb1 shows how things look and tb2 is how they look after some changes. I will keep in touch, bye and thanks again for answering.

comment:3 Changed 8 years ago by rransom

Owner: changed from zak to mikeperry

comment:4 Changed 8 years ago by mikeperry

Component: changed from Torbutton to TorBrowserButton
Priority: changed from normal to major
Summary: changed from "torbutton problem with Firefox 4 Tor Browser Bundle for Windows (alpha)" to "More Torbutton Header Issues"

Zak - what site is that you screenshotted? Do you get a similar result with the one HG2G mentioned?

comment:5 Changed 8 years ago by zak

Hi, this is zak, thanks for answering.
I am the one who made the screenshot and highlighted in red the interesting parts. The test is the jondo test for jondo and tor that you can find here: http://ip-check.info/?lang=en.
I executed lots of tests like the Deanonymizer test (http://deanonymizer.com/test.php) and so far everything is fine and the torbutton seems to be doing well.
In the first test you will also see that jondo does not seem to approve of the smartspoof (their point is that the header of the browser does not change only when changing domain but also when changing sub-domain).
I also executed this test on Linux and the results are the same as on Windows. I do not know if there is a real problem in terms of security; the only problem I see is that if there are, for example, 100 people using the configuration shown in the photo tb2 (this is the configuration of the Firefox 4 Tor Browser Bundle for Windows with firefox4 and torbutton 1.3.2 alpha after some changes but it's also the configuration of firefox3 with Torbutton 1.2.5) and there are 10 people using the configuration shown on the TB1 shot (this is the configuration of firefox4 with Torbutton 1.3.2 alpha), then it will be much easier to distinguish the ten from the others. Let me know if you need more details in order to explain the problem better (by the way I am a huge fan). Bye
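Added example (not part of the ticket and not Torbutton code): the anonymity-set argument from comment:5, combined with the Accept-Encoding whitespace difference noted in comment:1, measured over a population of header sets. The header values and the names `PROFILE_OLD` and `PROFILE_NEW` are constructed for illustration; only the 100/10 split and the extra space after "gzip," come from the comments above.

```python
import math
from collections import Counter

# Headers an observing server can compare byte-for-byte, whitespace included.
FINGERPRINT_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")

# Constructed header sets; real Torbutton values are not reproduced here.
PROFILE_OLD = {
    "User-Agent": "ExampleBrowser/1.0 (constructed)",
    "Accept": "text/html,application/xhtml+xml",
    "Accept-Language": "en-us,en;q=0.5",
    "Accept-Encoding": "gzip,deflate",
}
# Same profile, except for one extra space after the comma.
PROFILE_NEW = dict(PROFILE_OLD, **{"Accept-Encoding": "gzip, deflate"})

def fingerprint(headers):
    """Raw values of the compared headers, in a fixed order."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return tuple(lowered.get(name, "") for name in FINGERPRINT_HEADERS)

def differing_headers(a, b):
    """Names of the compared headers whose raw values differ."""
    pairs = zip(FINGERPRINT_HEADERS, fingerprint(a), fingerprint(b))
    return [name for name, x, y in pairs if x != y]

def anonymity_sets(population):
    """Map each distinct fingerprint to the number of clients sending it."""
    return Counter(fingerprint(headers) for headers in population)

def surprisal_bits(set_size, total):
    """Identifying information (bits) revealed by belonging to a set."""
    return -math.log2(set_size / total)

def report(population):
    """(set size, bits revealed) per anonymity set, largest set first."""
    sets = anonymity_sets(population)
    total = sum(sets.values())
    return [(n, round(surprisal_bits(n, total), 2)) for _, n in sets.most_common()]

if __name__ == "__main__":
    population = [PROFILE_OLD] * 100 + [PROFILE_NEW] * 10  # sizes from comment:5
    print(differing_headers(PROFILE_OLD, PROFILE_NEW))
    print(report(population))
```

A single-space difference in one header is enough to split the population into two sets, and the smaller set reveals far more identifying information per request than the larger one.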

Changed 8 years ago by rransom

Attachment: HyuaA.jpg added

screenshot

Changed 8 years ago by rransom

Attachment: p3UTj.jpg added

screenshot

Changed 8 years ago by zak

Attachment: tor-browser-2.2.25-1-alpha_en-US.JPG added

tor-browser-2.2.25-1-alpha

comment:6 Changed 8 years ago by zak

Hey guys, I think I have found where the problem is, let me know if you are interested.

comment:7 Changed 8 years ago by mikeperry

What do you think the problem is? If you're just wondering why we haven't replied, it is because the issues in your images actually represent several different bugs.

Additionally, a lot of the fields here are in dispute in terms of how useful it is to deal with them, and what the best way to do that is. We can't block all of them without having a serious impact on web functionality. However, we are looking into solutions for window.name, fonts, and better options for screen resolution. See #2875, #2872, #3414.

comment:8 Changed 7 years ago by karsten

Keywords: tbb windows added
Milestone: Tor Browser Bundle for Windows

comment:9 Changed 7 years ago by mikeperry

Keywords: tbb windows removed
Resolution: user disappeared
Status: changed from assigned to closed

I think this is covered by other bugs, unless zak reappears and tells us what he thinks the problem is.
