[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Passing language code to check.torproject.org

To: or-dev@xxxxxxxxxxxxx
Subject: Re: Passing language code to check.torproject.org
From: Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Date: Sun, 16 Mar 2008 23:42:14 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Mon, 17 Mar 2008 02:13:19 -0400
In-reply-to: <20080316004509.GY5616@xxxxxxxxxxxxxxxxx>
References: <20080314115420.GI5616@xxxxxxxxxxxxxxxxx> <47DB2C7F.7030901@xxxxxxxxxxxxx> <20080316004509.GY5616@xxxxxxxxxxxxxxxxx>
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx
User-agent: Icedove 1.5.0.14pre (X11/20080208)

Steven J. Murdoch wrote:
> On Fri, Mar 14, 2008 at 06:55:11PM -0700, Jacob Appelbaum wrote:
>> Yes. I agree. It's quite useful to mask that. In the event of the user
>> not having Torbutton enabled - Am I right to assume that they would
>> probably leak their language choice? I think it will but I'm an English
>> speaker and I haven't tested it.
> 
> Yes, Firefox will by default state its preferences for language and
> character set. Torbutton hides these when enabled.

Ok, that's what I thought.

> 
>> How do you feel about using https for this? Phobos bought us a cert that
>> should be good for the rest of the year. Ideally, if we use SSL, we're
>> going to have even less of an issue leaking possible linkable language
>> information to exit nodes.
> 
> That sounds like a good idea. I've applied the change.

Great.

> 
>> We probably also want to ensure that any link on check.tpo doesn't leak
>> a referring url that includes their language choice.
> 
> Right. This needs more investigation, but one option is to set a
> cookie with the language setting, and then redirect to a different
> page. Then the referring URL will not include the language choice. We
> would set a cookie, but that would only contain the language, not a
> user ID, and could be set with a very short expiry time.
> 

That seems reasonable. What about people who have disabled cookies?

I had considered just opening a link in a new window. We don't have very
many links and I believe that covers the risk of the referrer?

>> I think this is good providing a switch to https://check.torproject.org
> 
> OK, it's applied and I'll test it before the next release.
> 

Sounds good.

Regards,
Jacob Appelbaum

References:
- Passing language code to check.torproject.org
  - From: Steven J. Murdoch
- Re: Passing language code to check.torproject.org
  - From: Jacob Appelbaum
- Re: Passing language code to check.torproject.org
  - From: Steven J. Murdoch

Prev by Author: Re: Passing language code to check.torproject.org
Next by Author: Re: A Tor Web Service For Verifying Correct Browser Configuration
Previous by thread: Re: Passing language code to check.torproject.org
Next by thread: A Tor Web Service For Verifying Correct Browser Configuration
Index(es):
- Author
- Thread