[tor-bugs] #20025 [Applications/Tor Browser]: document.characterSet enables fingerprinting of localization (only with HSTS?)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Sep 29 15:13:31 UTC 2019


#20025: document.characterSet enables fingerprinting of localization (only with
HSTS?)
--------------------------------------+--------------------------
 Reporter:  dcf                       |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-fingerprinting        |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by Thorin):

 gk: can we change the keyword to `tbb-fingerprinting-locale` please? TIA
 :)

 ---

 I am only going on previous comments about which sites have HSTS and which
 don't (and those comments are contradictory, I think, I need coffee - let
 me know if I have it the wrong way round). Either way, there are four test
 sites
 - no leak: **thorin** -
 https://thorin-oakenpants.github.io/testing/bug20025.html
 - no leak: **bamfield** -
 https://www.bamsoftware.com/people.eecs.berkeley.edu/~fifield/tor20025/check-charset.html
 - this leaks: **hsivonen** -
 https://hsivonen.com/test/moz/check-charset.htm
 - this leaks: **dcf** -
 https://people.torproject.org/~dcf/tor20025/check-charset.html

 The **thorin** test page links to and opens the other three in a new tab.

 **Obligatory Pic**
 - spreadsheet to follow

 **Results**:
 - all tests done in 9.0a6
 - all 30 non en-US bundles tested were set to spoof
 - excluding the `windows-1252` fallback, there are `12` buckets covering
 `14` languages
 - `ko` - not tested, waiting for #31886, but reading above it would be
 windows-1252 anyway
 - `mk` - had to install the Macedonian language pack and set spoof etc,
 see #31725

 **Notes**
 - Options>General>Languages>Fonts and Colors>Advanced>Text Encoding for
 Legacy Content
 - this sets the pref `intl.charset.fallback.override`
 - it is this pref value that is being leaked

 **Solution**
 - Set `intl.charset.fallback.override` = `windows-1252` when
 `privacy.spoof_english` = `2`, and reset it when `privacy.spoof_english`
 !== `2`
 - Do this upstream (not sure if #10703 also needs upstreaming)
 - thinking out loud: If they're requesting pages as en-US, etc (spoof = 2)
 .. then the breakage should be nothing more than a normal en-US bundle,
 right? IDK, does the override pref affect chrome? Does this impact users
 on non-English OSes?

 Class, discuss! :) .. pic to follow

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20025#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
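
The rule proposed under **Solution** above, written as a profile audit. This is an added example, not part of the original comment and not Tor Browser code. The pref names are the ones in the comment; the function names and the sample prefs text are constructed, and treating an unset override as locale-dependent is an assumption about the browser default.

```javascript
// Pref names are from the ticket; the sample prefs text below is constructed.
const SPOOF_PREF = "privacy.spoof_english";
const FALLBACK_PREF = "intl.charset.fallback.override";
const SAFE_FALLBACK = "windows-1252";

// Parse `user_pref("name", value);` lines (string, integer or boolean values).
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything unrecognised
    const raw = m[2];
    if (/^".*"$/.test(raw)) prefs.set(m[1], raw.slice(1, -1));
    else if (raw === "true" || raw === "false") prefs.set(m[1], raw === "true");
    else if (/^-?\d+$/.test(raw)) prefs.set(m[1], Number(raw));
  }
  return prefs;
}

// Apply the ticket's proposed rule to a parsed profile.
function auditCharsetFallback(prefs) {
  if (prefs.get(SPOOF_PREF) !== 2) {
    return { status: "not-applicable", detail: "English spoofing is not enabled" };
  }
  const fallback = prefs.get(FALLBACK_PREF);
  // Assumption: an unset or empty override means the browser picks a
  // locale-dependent fallback, so it is reported separately.
  if (fallback === undefined || fallback === "") {
    return { status: "locale-default", detail: "override unset; fallback may follow the locale" };
  }
  if (String(fallback).toLowerCase() === SAFE_FALLBACK) {
    return { status: "ok", detail: "fallback is windows-1252" };
  }
  return { status: "leak", detail: `fallback is ${fallback}, not ${SAFE_FALLBACK}` };
}

// Constructed sample: a profile that spoofs English but keeps another fallback.
const samplePrefs = `
// constructed sample, not from a real profile
user_pref("privacy.spoof_english", 2);
user_pref("intl.charset.fallback.override", "windows-1251");
`;
console.log(auditCharsetFallback(parsePrefs(samplePrefs)));
```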