Opened 11 years ago

Closed 5 years ago

#628 closed defect (not a bug)

Language cloaking doesn't hide character set

Reported by: sjmurdoch
Owned by:
Priority: High
Milestone: TorBrowserBundle 2.3.x-stable
Component: TorBrowserButton
Version:
Severity:
Keywords: tbb-fingerprinting, interview
Cc: sjmurdoch, Sebastian, g.koppen@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by mikeperry)

Tor Button spoofs US English in the "Accept-Language" HTTP header, if configured. This is helpful in increasing
the size of the anonymity set. However, the "Accept-Charset" header is not spoofed, which leaks language
information. For example, the Simplified Chinese version of the Tor Browser Bundle includes gb2312 in the
accepted character sets, indicating Chinese. Is there any reason not to spoof this header too?

[Automatically added by flyspray2trac: Operating System: All]
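
The mismatch described above can be checked mechanically on a captured request head. The following is an added example, not code from Torbutton or from this ticket; the function names, the charset-to-language table and the sample requests are constructed for illustration.

```python
# Added illustration, not Torbutton code. The charset-to-language table is a
# constructed, non-exhaustive subset; the sample requests are constructed too.
CHARSET_HINTS = {
    "gb2312": "zh", "gbk": "zh", "gb18030": "zh", "big5": "zh",
    "shift_jis": "ja", "euc-jp": "ja", "iso-2022-jp": "ja",
    "euc-kr": "ko", "koi8-r": "ru", "windows-1251": "ru",
}

def parse_headers(raw):
    """Return {lowercased name: value} from a raw HTTP request head."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_list(value):
    """Parse 'a,b;q=0.7' into lowercased tokens, dropping q=0 (refused) entries."""
    tokens = []
    for part in value.split(","):
        token, *params = [p.strip().lower() for p in part.split(";")]
        q = 1.0
        for p in params:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        if token and q > 0:
            tokens.append(token)
    return tokens

def charset_leaks(raw):
    """(charset, language) pairs that Accept-Charset reveals beyond Accept-Language."""
    h = parse_headers(raw)
    claimed = {t.split("-")[0] for t in parse_list(h.get("accept-language", ""))}
    return [(cs, CHARSET_HINTS[cs]) for cs in parse_list(h.get("accept-charset", ""))
            if cs in CHARSET_HINTS and CHARSET_HINTS[cs] not in claimed]

HEAD = "GET / HTTP/1.1\r\nHost: example.com\r\nAccept-Language: en-us,en;q=0.5\r\n"
SPOOFED_ZH = HEAD + "Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7\r\n\r\n"
SPOOFED_EN = HEAD + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n\r\n"
NO_CHARSET = HEAD + "\r\n"  # header absent, as described in comment:11

if __name__ == "__main__":
    for name, req in [("zh build", SPOOFED_ZH), ("en build", SPOOFED_EN), ("no header", NO_CHARSET)]:
        print(name, charset_leaks(req))
```

A request that passes this check can still differ from the spoofed baseline in other ways; the check only covers charsets listed in the table.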

Change History (13)

comment:1 Changed 10 years ago by Sebastian

Looks like there might be more to this bug:

[lark] intl.accept_charsets "Currently unused"
I tried tests localized FF with torbutton and it leaks localized charsets with "spoof_english" turned on anyway.
[lark] could anybody confirm it?
[lark] it's #628, sadly it's closed as mistaken.

comment:2 Changed 9 years ago by mikeperry

Description: modified (diff)
Priority: minor → major

See also bug #1089.

comment:3 Changed 8 years ago by mikeperry

Component: Torbutton → TorBrowserButton

comment:4 Changed 7 years ago by Sebastian

Mike, any update?

comment:5 Changed 7 years ago by mikeperry

Milestone: TorBrowserBundle 2.3.x-stable
Version: 1.1

comment:6 Changed 7 years ago by mikeperry

Keywords: tbb-fingerprinting added

comment:7 Changed 7 years ago by mikeperry

Keywords: MikePerry201206 added

comment:8 Changed 7 years ago by mikeperry

Keywords: MikePerry201206 removed

comment:9 Changed 6 years ago by mikeperry

Keywords: interview added

comment:10 Changed 6 years ago by gk

Cc: g.koppen@… added

comment:11 Changed 5 years ago by dcf

It seems that Accept-Charset was disabled in Firefox 10 (and IE 8, and Safari 5, and Opera 11).

Considering that:

  • UTF-8 is now well-supported by all relevant user-agents,
  • the presence of the header increases the configuration-based entropy exposed,
  • the presence of the header increases the data transmitted for each request,
  • almost no sites are using the value of this header for choosing content during the negotiation,

browsers started to stop sending this header in each request, starting with Internet Explorer 8, Safari 5, Opera 11 and Firefox 10. In the absence of Accept-Charset:, servers can simply assume that UTF-8 and the most common character sets are understood by the client.

Mozilla bug 572652, "Remove the Accept-Charset header from HTTP requests," is VERIFIED FIXED.

The intl.accept_charsets pref is "currently unused." shows no Accept-Charset.

It appears to me that this bug is obsolete.

Last edited 5 years ago by dcf (previous) (diff)

comment:12 Changed 5 years ago by dcf

Status: new → needs_review

comment:13 Changed 5 years ago by mikeperry

Resolution: None → not a bug
Status: needs_review → closed

Ok. I'm assuming you think we should file each additional way that the character set can be inferred as a separate bug, rather than adding them to this one? That sounds fine to me. Marking this specific ticket as "not a bug" since the header disappeared without us having to do anything. Hurray for inertia (or rather, an endless supply of other issues to deal with).
