[tor-onions] HTTP GZIP Compression remote date and time leak
Jose Carlos Norte
jcarlos.norte at gmail.com
Sun Feb 21 22:52:59 UTC 2016
The gzip compression format used by HTTP if accepted by both server and
client, under certain configurations, provides the date of the server that
compressed the HTTP Response. This information can be used by a third party
to know the time zone where the onion site is hosted.
I have written a more in depth explanation about the topic at:
http://jcarlosnorte.com/security/2016/02/21/date-leak-gzip-tor.html
A proof of concept is included, to check if your service is leaking this
information through the gzip headers of a compressed HTTP Response.
I have decided to share this because is not an obvious miss-configuration
that could lead to the leak of information about the physical position of
your hidden service. Be careful.
Of course, just knowing the timezone of your hidden service server is not
enough to know your identity, or your exact server location, but combined
with another leaks or other pieces of information, could be dangerous.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-onions/attachments/20160221/bdf5bb8f/attachment.html>
More information about the tor-onions
mailing list