[tbb-bugs] #14351 [Tor Browser]: HTTP accept-language header fingerprinting detail

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 25 07:17:10 UTC 2015

#14351: HTTP accept-language header fingerprinting detail
 Reporter:  Leto            |          Owner:  tbb-team
     Type:  defect          |         Status:  new
 Priority:  minor           |      Milestone:
Component:  Tor Browser     |        Version:
 Keywords:  fingerprinting  |  Actual Points:
Parent ID:                  |         Points:
 The English version of the Tor Browser's accept-language header is
 "en-us,en;q=0.5". According to the EFF's Panopticlick, the more common
 representation of this is "en-US,en;q=0.5", with the country code
 capitalized (4.7 bits of identifying information for en-US compared to
 5.01 for en-us). The spec for language codes also capitalizes the country
 code, see https://tools.ietf.org/html/rfc5646 and
 http://www.w3.org/International/articles/language-tags/. The Tor Browser
 has it as "en-us" in 4.0.3 and 4.5a3.

 Future versions of the Tor Browser might want to capitalize these country
 codes. I noticed this while playing around with making regular Firefox
 proxy through Tor, and seeing what it takes to fool
 https://check.torproject.org into thinking I am using the Tor Browser. It only
 checks the user-agent apparently, but https://panopticlick.eff.org was
 still able to distinguish FirefoxESR (with a user-agent override) from the
 Tor Browser based on this en-US/en-us difference.

 Taken together with the user-agent, Panopticlick reports that the total
 fingerprint data is less identifying with "en-us", but this must be
 because all instances of the Tor Browser already have it that way.
 Changing it to "en-US" in the future will bring it more in line with the
 specs and what other browsers practice.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14351>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
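
A check for the distinction described in the ticket, added here as an example (not code from the ticket or from Tor Browser): it classifies two Accept-Language values as byte-identical, same meaning but still distinguishable, or different, using the RFC 5646 case convention. The function names and the sample header list are constructed for illustration.

```javascript
// Added example: names and sample headers are constructed for illustration.

// RFC 5646 section 2.1.1 case convention: subtags are lowercase, except
// 2-letter (uppercase) and 4-letter (titlecase) subtags that are not the
// first subtag and do not come after a singleton such as "x".
function canonicalCase(tag) {
  let afterSingleton = false;
  return tag.split("-").map((sub, i) => {
    const s = sub.toLowerCase();
    let out = s;
    if (i > 0 && !afterSingleton) {
      if (s.length === 2) out = s.toUpperCase();
      else if (s.length === 4) out = s[0].toUpperCase() + s.slice(1);
    }
    if (s.length === 1) afterSingleton = true;
    return out;
  }).join("-");
}

// Reduce a header value to its meaning: canonical tags plus numeric weights.
function normalize(value) {
  return value.split(",").map(part => {
    const [tag, ...params] = part.split(";").map(p => p.trim());
    const q = params.find(p => /^q=/i.test(p));
    return `${canonicalCase(tag)};q=${q ? parseFloat(q.slice(2)) : 1}`;
  }).join(",");
}

// "identical": same bytes. "same-meaning": a server can still tell the two
// apart, although they request the same languages. "different": otherwise.
function compareHeaders(observed, reference) {
  if (observed === reference) return "identical";
  return normalize(observed) === normalize(reference) ? "same-meaning" : "different";
}

// Count distinguishable groups as a byte-exact fingerprinter sees them,
// and as they would be if every client sent canonical case.
function countBuckets(headers) {
  return {
    byteExact: new Set(headers).size,
    canonical: new Set(headers.map(normalize)).size,
  };
}

const TOR_BROWSER = "en-us,en;q=0.5"; // value reported in the ticket
const OTHER = "en-US,en;q=0.5";       // form the ticket cites as more common
console.log(compareHeaders(TOR_BROWSER, OTHER));
console.log(countBuckets([TOR_BROWSER, OTHER, OTHER, "de-DE,de;q=0.5"]));
```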