Language cloaking doesn't hide character set
Tor Button spoofs US English in the "Accept-Language" HTTP, if configured. This is helpful in increasing the size of the anonymity set. However, the "Accept-Charset" header is not spoofed, which leaks language information. For example, the Simplified Chinese version of the Tor Browser Bundle includes gb2312 in the accepted character sets, indicating Chinese. Is there any reason not to spoof this header too?
[Automatically added by flyspray2trac: Operating System: All]
Activity
changed milestone to %TorBrowserBundle 2.3.x-stable
Looks like there might be more to this bug:
[lark] intl.accept_charsets "Currently unused" http://kb.mozillazine.org/Firefox_:FAQs:_About:config_Entries I tried tests localized FF with torbutton and it leaks localized charsets with "spoof_english" turned on anyway. [lark] could anybody confirm it? [lark] it's #628 (closed), sadly it's closed as mistaken.
See also bug #1089 (closed).
Trac:
Keywords: N/A deleted, N/A added
Description: Tor Button spoofs US English in the "Accept-Language" HTTP, if configured. This is helpful in increasing the size of the anonymity set. However, the "Accept-Charset" header is not spoofed, which leaks language information. For example, the Simplified Chinese version of the Tor Browser Bundle includes gb2312 in the accepted character sets, indicating Chinese. Is there any reason not to spoof this header too?[Automatically added by flyspray2trac: Operating System: All]
to
Tor Button spoofs US English in the "Accept-Language" HTTP, if configured. This is helpful in increasing the size of the anonymity set. However, the "Accept-Charset" header is not spoofed, which leaks language information. For example, the Simplified Chinese version of the Tor Browser Bundle includes gb2312 in the accepted character sets, indicating Chinese. Is there any reason not to spoof this header too?
[Automatically added by flyspray2trac: Operating System: All]
Priority: minor to major
Milestone: N/A to N/A
Trac:
Cc: sjmurdoch,Sebastian to sjmurdoch, Sebastian, g.koppen@jondos.deIt seems that Accept-Charset was disabled in Firefox 10 (and IE 8, and Safari 5, and Opera 11).
https://developer.mozilla.org/en-US/docs/HTTP/Content_negotiation#The_Accept-Charset.3A_header:
Considering that:
- UTF-8 is now well-supported by all relevant user-agents,
- the presence of the header increases the configuration-based entropy exposed,
- the presence of the header increases the data transmitted for each request
- almost no sites are using the value of this header for choosing content during the negotiation, browsers started to stop sending this header in each request, starting with Internet Explorer 8, Safari 5, Opera 11 and Firefox 10. In the absence of Accept-Charset:, servers can simply assume that UTF-8 and the most common characters sets are understood by the client.
Mozilla bug 572652, "Remove the Accept-Charset header from HTTP requests," is VERIFIED FIXED.
The intl.accept_charsets pref is "currently unused."
http://wtfismyip.com/headers shows no Accept-Charset.
It appears to me that this bug is obsolete.
-
Ok. I'm assuming you think we should file each additional way that the character set can be inferred as a separate bug, rather than adding them to this one? That sounds fine to me. Marking this specific ticket as "not a bug" since the header disappeared without us having to do anything. Hurray for inertia (or rather, an endless supply of other issues to deal with).
Trac:
Status: needs_review to closed
Resolution: None to not a bug mentioned in issue #1089 (closed)
mentioned in issue #2365 (closed)