[tor-bugs] #10703 [TorBrowserButton]: Fallback charset enables fingerprinting of bundle localization

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 12 09:12:31 UTC 2014


#10703: Fallback charset enables fingerprinting of bundle localization
-------------------------+-------------------------------------------------
     Reporter:  dcf      |      Owner:  mikeperry
         Type:  defect   |     Status:  needs_review
     Priority:  normal   |  Milestone:
    Component:           |    Version:
  TorBrowserButton       |   Keywords:  tbb-fingerprinting, tbb-pref,
   Resolution:           |  MikePerry201402R
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by dcf):

 Replying to [comment:10 mikeperry]:
 > dcf1: Apparently post FF28, the new pref is
 "intl.charset.fallback.override". Can you check real quick if that still
 works for your tests, and either update
 https://bugzilla.mozilla.org/show_bug.cgi?id=967981, or ping back here?
 >
 > Just trying to save us a little panic around FF31esr if we merge this.

 It looks like intl.charset.fallback.override is the right preference, but
 it [http://dxr.mozilla.org/mozilla-
 central/source/dom/encoding/FallbackEncoding.cpp#51 doesn't work to set it
 to utf-8] (it only works to set it to something else like iso-8859-1).
 More below.

 I tried the ru Firefox 18 beta:
 http://download-
 installer.cdn.mozilla.net/pub/firefox/releases/28.0b1/SHA512SUMS
 http://download-
 installer.cdn.mozilla.net/pub/firefox/releases/28.0b1/SHA512SUMS.asc
 http://download-installer.cdn.mozilla.net/pub/firefox/releases/28.0b1
 /linux-x86_64/ru/firefox-28.0b1.tar.bz2

 Before changing anything, the detector finds the fallback as windows-1251,
 as expected for Russian.

 [[Image(firefox-28.0b1-virgin.png)]]

 I set intl.charset.fallback.override=utf-8:

 [[Image(firefox-28.0b1-intl.charset.fallback.override=utf-8.png)]]

 There was no change in the detection:

 [[Image(firefox-28.0b1-utf-8.png)]]

 I set intl.charset.fallback.override=iso-8859-1:

 [[Image(firefox-28.0b1-intl.charset.fallback.override=iso-8859-1.png)]]

 It caused the fallback to change to iso-8859-1. The same with iso-8859-2
 and others.

 [[Image(firefox-28.0b1-iso-8859-1.png)]]

 I found some source code that says that utf-8 is specifically blacklisted
 from being set for this preference. That makes me think we should go with
 iso-8859-1 (or windows-1252 [https://developer.mozilla.org/en-
 US/docs/Localizations_and_character_encodings#Specifying_the_fallback_encoding
 as recommended]) for 24ESR. (Note windows-125'''1''' is Russian and
 windows-125'''2''' is English/European.)

 http://dxr.mozilla.org/mozilla-
 central/source/dom/encoding/FallbackEncoding.cpp#51

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10703#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list