Language cloaking doesn't hide character set
Tor Button spoofs US English in the "Accept-Language" HTTP, if configured. This is helpful in increasing the size of the anonymity set. However, the "Accept-Charset" header is not spoofed, which leaks language information. For example, the Simplified Chinese version of the Tor Browser Bundle includes gb2312 in the accepted character sets, indicating Chinese. Is there any reason not to spoof this header too?
[Automatically added by flyspray2trac: Operating System: All]