Re: [tor-bugs] #20025 [Applications/Tor Browser]: document.characterSet enables fingerprinting of localization (only with HSTS?)
#20025: document.characterSet enables fingerprinting of localization (only with
HSTS?)
--------------------------------------+--------------------------
Reporter: dcf | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by Thorin):
gk: can we change the keyword to `tbb-fingerprinting-locale` please? TIA
:)
---
I am only going on previous comments about which sites have HSTS and which
don't (and those comments are contradictory, I think, I need coffee - let
me know if I have it the wrong way round). Either way, there are four test
sites
- no leak: **thorin** - https://thorin-oakenpants.github.io/testing/bug20025.html
- no leak: **bamfield** - https://www.bamsoftware.com/people.eecs.berkeley.edu/~fifield/tor20025/check-charset.html
- this leaks: **hsivonen** - https://hsivonen.com/test/moz/check-charset.htm
- this leaks: **dcf** - https://people.torproject.org/~dcf/tor20025/check-charset.html
The **thorin** test page links to and opens the other three in a new tab.
**Obligatory Pic**
- spreadsheet to follow
**Results**:
- all tests done in 9.0a6
- all 30 non en-US bundles tested were set to spoof
- excluding the `windows-1252` fallback, there are `12` buckets covering
`14` languages
- `ko` - not tested, waiting for #31886, but reading above it would be
windows-1252 anyway
- `mk` - had to install the Macedonian language pack and set spoof etc,
see #31725
**Notes**
- Options>General>Languages>Fonts and Colors>Advanced>Text Encoding for
Legacy Content
- this sets the pref `intl.charset.fallback.override`
- it is this pref value that is being leaked
**Solution**
- Set `intl.charset.fallback.override` = `windows-1252` when
`privacy.spoof_english` = `2`, and reset it when `privacy.spoof_english`
!== `2`
- Do this upstream (not sure if #10703 also needs upstreaming)
- thinking out loud: If they're requesting pages as en-US, etc (spoof = 2)
.. then the breakage should be nothing more than a normal en-US bundle,
right? IDK, does the override pref affect chrome? Does this impact users
on non-English OSes?
Class, discuss! :) .. pic to follow
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20025#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
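
As an added example (not part of Thorin's comment and not Tor Browser code): a small regression check over per-bundle test results that counts the charset buckets among bundles running with `privacy.spoof_english` = `2` and lists the bundles that do not report `windows-1252`. The observation rows and the function names are constructed for illustration and are not the ticket's measurements.

```javascript
// Added example: audit per-bundle results for the charset leak in #20025.
// The rows below are constructed sample data, not the ticket's measurements.
const EXPECTED = "windows-1252"; // value the comment proposes to force

// Each row: bundle locale, privacy.spoof_english value in effect, and the
// document.characterSet reported by a test page served without a charset label.
const beforeFix = [
  { bundle: "fr", spoofEnglish: 1, charset: "windows-1252" }, // not spoofing
  { bundle: "de", spoofEnglish: 2, charset: "windows-1252" },
  { bundle: "ru", spoofEnglish: 2, charset: "windows-1251" },
  { bundle: "ja", spoofEnglish: 2, charset: "Shift_JIS" },
];
// Same bundles with intl.charset.fallback.override pinned while spoofing.
const afterFix = beforeFix.map((r) =>
  r.spoofEnglish === 2 ? { ...r, charset: EXPECTED } : r
);

// Group bundles by reported encoding; labels are compared case-insensitively.
function bucketByCharset(rows) {
  const buckets = new Map();
  for (const { bundle, charset } of rows) {
    const key = charset.toLowerCase();
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(bundle);
  }
  return buckets;
}

// Only spoofing bundles are in scope: they claim to be en-US, so any
// fallback other than windows-1252 distinguishes them from a real en-US bundle.
function auditSpoofed(rows) {
  const spoofed = rows.filter((r) => r.spoofEnglish === 2);
  const leaking = spoofed
    .filter((r) => r.charset.toLowerCase() !== EXPECTED)
    .map((r) => r.bundle)
    .sort();
  return {
    bucketCount: bucketByCharset(spoofed).size,
    leaking,
    pass: spoofed.length > 0 && leaking.length === 0, // empty input is not a pass
  };
}

console.log(auditSpoofed(beforeFix)); // three buckets, ja and ru leak
console.log(auditSpoofed(afterFix)); // one bucket, nothing leaks
```
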