[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Referers being sent from hidden service websites

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Referers being sent from hidden service websites
From: mirimir <mirimir@xxxxxxxxxx>
Date: Sat, 31 Aug 2013 02:32:52 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 30 Aug 2013 22:41:48 -0400
In-reply-to: <52214BCB.9020905@xxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <e15d1ec2b0514afcc19ca84a9cc3ea45.squirrel@xxxxxxxxxxxxxxxxxxxxxx> <52214BCB.9020905@xxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8

On 08/31/2013 01:50 AM, Gordon Morehouse wrote:

> BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA@xxxxxxxxxxxxx:
>> I also opened a ticket:
>> https://trac.torproject.org/projects/tor/ticket/9623
> 
>> Currently, when browsing on a hidden service website, when you
>> click on a clearnet/hidden service link it sends the current
>> address as referer.
> 
>> This is not only an issue about users being tracked.
> 
>> It's also bad for owners of hidden services as the addresses are
>> getting discovered. Maybe the user was on a private website which
>> nobody should learn, or at least on a private webpage on a public
>> website.
> 
> Ouch. Yes, this definitely needs attention.
> 
>> My suggestion is to install 
>> https://addons.mozilla.org/en-us/firefox/addon/smart-referer/ I
>> believe it doesn't break anything major (it has a whitelist feature
>> which is very short and includes disqus.com and github.com) and
>> just adds another protection against tracking. This would be an
>> easy and general solution for both hidden and clearnet websites.
> 
> +1 for the quick and already-tested-elsewhere solution, if feasible.

That's a cool add-on.

I've used RefControl, by default forging referrers as root of sites
being visited. It doesn't break many sites.

Which is riskier, sending no referrer, or forging as RefControl does?

A quick search suggests that no referrer is worse than a forged one.

> Best,
> -Gordon M.
> 
> 

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Referers being sent from hidden service websites
  - From: BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA

References:
- [tor-talk] Referers being sent from hidden service websites
  - From: BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA
- Re: [tor-talk] Referers being sent from hidden service websites
  - From: Gordon Morehouse

Prev by Author: Re: [tor-talk] security tradeoffs - was Tor and Financial Transparency
Next by Author: Re: [tor-talk] Referers being sent from hidden service websites
Previous by thread: Re: [tor-talk] Referers being sent from hidden service websites
Next by thread: Re: [tor-talk] Referers being sent from hidden service websites
Index(es):
- Author
- Thread