[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Referers being sent from hidden service websites



On 08/31/2013 03:04 AM,
BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA@xxxxxxxxxxxxx wrote:

>>>> My suggestion is to install
>>>> https://addons.mozilla.org/en-us/firefox/addon/smart-referer/ I
>>>> believe it doesn't break anything major (it has a whitelist feature
>>>> which is very short and includes disqus.com and github.com) and
>>>> just adds another protection against tracking. This would be an
>>>> easy and general solution for both hidden and clearnet websites.
>>>
>>> +1 for the quick and already-tested-elsewhere solution, if feasible.
>>
>> That's a cool add-on.
>>
>> I've used RefControl, by default forging referrers as root of sites
>> being visited. It doesn't break many sites.
>>
>> Which is riskier, sending no referrer, or forging as RefControl does?
>>
>> A quick search suggests that no referrer is worse than a forged one.
> 
> Yes, it's better to forge the referer, smart referer does that by default.

Well, the short description is "Send referers [sic] only when staying on
the same domain." But I see at https://github.com/meh/smart-referer that
Smart Referer defaults to "self [which] replaces the referer with the
page you're going to thus making the server think you're either
refreshing or going to the page from a link on the same page."

Which sort of forging is better, same page or site root?

> What do you people think about the idea to implement smart referer as
> default for hidden services, but integrate the option to use it for all
> websites (including clearnet) in the proposed security slider.
> 
> https://trac.torproject.org/projects/tor/ticket/9623#comment:5
> https://trac.torproject.org/projects/tor/ticket/9387#comment:15

I like the idea -- or RefControl, depending on which type of forging
causes the least problems.

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk