[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #20025 [Applications/Tor Browser]: document.characterSet enables fingerprinting of localization (only with HSTS?)
#20025: document.characterSet enables fingerprinting of localization (only with
HSTS?)
--------------------------------------+--------------------------
Reporter: dcf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by dcf):
I set up a demo page on two servers, one with HSTS and one without. Only
the one with HSTS shows a difference in document.characterSet. Note that
neither of the servers specifies the encoding in the `Content-Type`
header, so you get a warning in the browser console and the browser has to
infer the encoding.
The technique from #10703 always finds `iso-8859-1`. (I think that
technique has trouble distinguishing `iso-8859-1` and `windows-1252`.)
== with HSTS ==
HSTS demo page: https://people.torproject.org/~dcf/tor20025/check-
charset.html
document.characterSet is `windows-1252` for the en-US bundle and `EUC-KR`
for the ko bundle.
|| en-US || ko ||
|| [[Image(en-us-with-hsts.png)]] || [[Image(ko-with-hsts.png)]] ||
== without HSTS ==
non-HSTS demo page: https://people.eecs.berkeley.edu/~fifield/tor20025
/check-charset.html
document.characterSet is `windows-1252` for both the en-US and ko bundles.
|| en-US || ko ||
|| [[Image(en-us-without-hsts.png)]] || [[Image(ko-without-hsts.png)]] ||
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20025#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs