Threats to anonymity set at and above the application layer; HTTP headers

Fabian Keil freebsd-listen at
Sun May 21 13:59:27 UTC 2006

"Ringo Kamens" <2600denver at> top posted:

> On 5/20/06, Fabian Keil <freebsd-listen at> wrote:
> > Kai Raven <kairaven at> wrote:
> >
> > > On 20.05.2006/09:13, you wrote:
> > >
> > > > I think a low-hanging target is the uniqueness of HTTP headers sent
> > > > by particular users of HTTP and HTTPS over Tor.  Accept-Language,
> > > > User-Agent, and a few browser-specific features are likely to reveal
> > > > > locale and OS and browser version -- sometimes relatively uniquely,
> > > > > as when someone uses a Linux distribution that ships with a highly
> > > > specific build of Firefox -- and this combination may serve to make
> > > > people linkable or distinguishable in particular contexts.
> > >
> > > For these reasons I have changed the Accept-Language and User-Agent
> > > header, but only for the locale.
> >
> > I use a generated Firefox User-Agent string which is rebuilt
> > every few minutes by <>.
> >
> > While I don't blend in with the Windows-using crowd, the User-Agent
> > is different for each website visit and therefore can't be used to
> > track my visits.
> >
> > The website owner might notice that I don't surf
> > with a Windows box, that I use Tor and probably Privoxy,
> > block cookies and don't execute his code, but I can live
> > with that and it's not enough information for a unique
> > fingerprint.

> I have a few points to add. For one, if you choose a user-agent that
> is a Linux build every time you start Firefox (as opposed to having it
> default) then that could be used as court evidence to say:
> Well, I couldn't be xxx because he used a Linux browser and I'm
> obviously on Windows and my user-agent field isn't spoofed.

I seriously doubt that any judge will fall for that one.

> As far as referrers goes, you can either use referrer blocking or
> spoofing (Always make the referrer the root of the site) and blend in
> with the crowd well.

Blocking all referrers or rewriting them all to
the root web site is the easiest way _not_ to blend in
with the crowd. The referrer will be invalid most
of the time!

It's also not necessary: if you haven't changed
the host, your referrer doesn't give away any information
the web site owner couldn't gain by checking the server log.

It is sufficient to only block the referrer if the host has
changed. Not only that, it is also harder to detect: a web site
change looks as if the user followed a bookmark or typed/pasted
in the address herself; the following requests are all valid.

Conditional blocking can only be detected if the web site is spread
over several hosts, but that's the only case where it isn't superior
to root site faking or generic blocking (which both would be detected
as well).
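
The comparison made above between generic blocking, root faking and conditional blocking, as an added example that is not part of the original post or of any tool it mentions. The site, the session, the policy names and the looks_tampered check are constructed assumptions modelling what a site owner could test from the server side.

```python
from urllib.parse import urlsplit

def host(url):
    return (urlsplit(url).hostname or "").lower()

def outgoing_referrer(policy, request_url, referrer):
    """Referer value the client sends under a policy, or None to omit it."""
    if referrer is None or policy == "block":
        return None
    if policy == "forge-root":
        parts = urlsplit(request_url)
        return f"{parts.scheme}://{parts.netloc}/"
    if policy == "conditional":
        # Keep the header only while the host is unchanged.
        return referrer if host(referrer) == host(request_url) else None
    raise ValueError(f"unknown policy: {policy}")

# Constructed site: each page maps to the URLs it links to or embeds.
LINKS = {
    "http://www.example.org/": {"http://www.example.org/a.html"},
    "http://www.example.org/a.html": {
        "http://www.example.org/logo.png",
        "http://img.example.org/pic.png",
    },
    "http://other.example.net/": {"http://www.example.org/b.html"},
}
EMBEDDED = {"http://www.example.org/logo.png", "http://img.example.org/pic.png"}

# Constructed browsing session: (requested URL, referrer the browser would send).
SESSION = [
    ("http://www.example.org/a.html", "http://www.example.org/"),
    ("http://www.example.org/logo.png", "http://www.example.org/a.html"),
    ("http://www.example.org/b.html", "http://other.example.net/"),
    ("http://img.example.org/pic.png", "http://www.example.org/a.html"),
]

def looks_tampered(request_url, sent):
    """Site owner's check: an inline resource with no referrer, or a
    referrer naming a page that does not reference the requested URL."""
    if sent is None:
        return request_url in EMBEDDED  # pages may come from a bookmark
    return request_url not in LINKS.get(sent, set())

def flagged(policy):
    return [url for url, ref in SESSION
            if looks_tampered(url, outgoing_referrer(policy, url, ref))]

if __name__ == "__main__":
    for policy in ("block", "forge-root", "conditional"):
        print(policy, flagged(policy))
```

Under these assumptions only the image served from the second host stands out with conditional blocking, which is the multi-host case named in the message.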

More information about the tor-talk mailing list