[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #20025 [Applications/Tor Browser]: document.characterSet enables fingerprinting of localization (only with HSTS?)

#20025: document.characterSet enables fingerprinting of localization (only with
HSTS?)
---------------------------------------+--------------------------
 Reporter:  dcf                        |          Owner:  tbb-team
     Type:  defect                     |         Status:  new
 Priority:  Medium                     |      Milestone:
Component:  Applications/Tor Browser   |        Version:
 Severity:  Normal                     |     Resolution:
 Keywords:  tbb-fingerprinting-locale  |  Actual Points:
Parent ID:                             |         Points:
 Reviewer:                             |        Sponsor:
---------------------------------------+--------------------------
Changes (by dcf):

 * keywords:  tbb-fingerprinting, tbb-fingerprinting-locale => tbb-
     fingerprinting-locale


Comment:

 Replying to [comment:5 Thorin]:
 > I am only going on previous comments about which sites have HSTS and
 which don't

 You can forget about HSTS. That conjecture was wrong. bamsoftware.com has
 HSTS and it doesn't show the leak. The reason the previous results seem
 contradictory is that the page that in 2016 was at
 !https://people.eecs.berkeley.edu/ (no HSTS) now redirects to a different
 server, !https://www.bamsoftware.com/ (HSTS).

 If the cause of the difference is not HSTS, what is it? My new guess is
 that it must have to do with the `Content-Type` header and whether it
 specifies an encoding or not.

 || ||= leaks =||=`Content-Type` =||
 ||= thorin-oakenpants.github.io=|| no||`text/html; charset=utf-8`  ||
 ||= www.bamsoftware.com=|| no||`text/html; charset=UTF-8`  ||
 ||= hsivonen.com=|| yes||`text/html` ||
 ||= people.torproject.org=|| yes||`text/html` ||

 You can check the `Content-Type` header yourself using the `curl` command.
 {{{#!html
 <pre style="font-size: 80%;">
 $ <strong>curl --head https://thorin-
 oakenpants.github.io/testing/bug20025.html</strong>
 HTTP/2 200
 server: GitHub.com
 <span style="background: gold;">content-type: text/html;
 charset=utf-8</span>
 last-modified: Sun, 29 Sep 2019 15:29:53 GMT
 etag: "5d90cdf1-7ec"
 access-control-allow-origin: *
 expires: Sun, 29 Sep 2019 16:52:42 GMT
 cache-control: max-age=600
 x-proxy-cache: MISS
 x-github-request-id: XXX
 accept-ranges: bytes
 date: Sun, 29 Sep 2019 16:42:42 GMT
 via: 1.1 varnish
 age: 0
 x-served-by: XXX
 x-cache: MISS
 x-cache-hits: 0
 x-timer: S1569775362.340251,VS0,VE329
 vary: Accept-Encoding
 x-fastly-request-id: XXX
 content-length: 2028

 $ <strong>curl --head
 https://www.bamsoftware.com/people.eecs.berkeley.edu/~fifield/tor20025
 /check-charset.html</strong>
 HTTP/1.1 200 OK
 Date: Sun, 29 Sep 2019 16:41:16 GMT
 Server: Apache/2.4.25 (Debian)
 Vary: User-Agent,Referer,Accept-Encoding
 Last-Modified: Thu, 01 Feb 2018 20:06:42 GMT
 ETag: "5d2-5642c2265f880"
 Accept-Ranges: bytes
 Content-Length: 1490
 Strict-Transport-Security: max-age=15768000
 <span style="background: gold;">Content-Type: text/html;
 charset=UTF-8</span>

 $ <strong>curl --head https://hsivonen.com/test/moz/check-
 charset.htm</strong>
 HTTP/2 200
 server: nginx/1.17.4
 date: Sun, 29 Sep 2019 16:42:22 GMT
 <span style="background: gold;">content-type: text/html</span>
 content-length: 353
 last-modified: Mon, 25 Feb 2013 11:31:59 GMT
 etag: "3998-161-4d68ae39709c0"
 accept-ranges: bytes
 vary: Accept-Encoding
 strict-transport-security: max-age=31536000; includeSubDomains; preload

 $ <strong>curl --head https://people.torproject.org/~dcf/tor20025/check-
 charset.html</strong>
 HTTP/1.1 200 OK
 Date: Sun, 29 Sep 2019 16:41:08 GMT
 Server: Apache
 X-Content-Type-Options: nosniff
 X-Frame-Options: sameorigin
 X-Xss-Protection: 1
 Referrer-Policy: no-referrer
 Strict-Transport-Security: max-age=15768000; preload
 Public-Key-Pins: pin-
 sha256="EfzQ7Gg2LG2mQyjStHmfD4yVzzi/30yyRnAKquPlPMQ="; pin-
 sha256="Tnmd19BxbL/grn2RdYAAyck34e1KeIq9n5CK6ZZVP1w="; max-age=5184000
 Last-Modified: Tue, 30 Aug 2016 05:30:00 GMT
 ETag: "5d2-53b4345990616"
 Accept-Ranges: bytes
 Content-Length: 1490
 Vary: Accept-Encoding
 <span style="background: gold;">Content-Type: text/html</span>
 </pre>
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20025#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs