Passing language code to check.torproject.org

Steven J. Murdoch tor+Steven.Murdoch at cl.cam.ac.uk
Sun Mar 16 00:45:10 UTC 2008


On Fri, Mar 14, 2008 at 06:55:11PM -0700, Jacob Appelbaum wrote:
> Yes. I agree. It's quite useful to mask that. In the event of the user
> not having Torbutton enabled - Am I right to assume that they would
> probably leak their language choice? I think it will but I'm an English
> speaker and I haven't tested it.

Yes, Firefox will by default state its preferences for language and
character set. Torbutton hides these when enabled.

> How do you feel about using https for this? Phobos bought us a cert that
> should be good for the rest of the year. Ideally, if we use SSL, we're
> going to have even less of an issue leaking possible linkable language
> information to exit nodes.

That sounds like a good idea. I've applied the change.

> We probably also want to ensure that any link on check.tpo doesn't leak
> a referring url that includes their language choice.

Right. This needs more investigation, but one option is to set a
cookie with the language setting, and then redirect to a different
page. Then the referring URL will not include the language choice. We
would set a cookie, but that would only contain the language, not a
user ID, and could be set with a very short expiry time.

> I think this is good providing a switch to https://check.torproject.org

OK, it's applied and I'll test it before the next release.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/



More information about the tor-dev mailing list