[tor-talk] Referers being sent from hidden service websites

BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA at bitmessage.ch
Thu Aug 29 18:25:56 UTC 2013


I also opened a ticket: https://trac.torproject.org/projects/tor/ticket/9623

Currently, when browsing on a hidden service website, when you click on a
clearnet/hidden service link it sends the current address as referer.

This is not only an issue about users being tracked.

It's also bad for owners of hidden services as the addresses are getting
discovered. Maybe the user was on a private website which nobody should
learn, or at least on a private webpage on a public website.

Or maybe the referer could include login credentials, or other dangerous
information.

The current behavior doesn't really fit well with the "hidden service" idea.

My suggestion is to install
https://addons.mozilla.org/en-us/firefox/addon/smart-referer/ I believe it
doesn't break anything major (it has a whitelist feature which is very
short and includes disqus.com and github.com) and just adds another
protection against tracking. This would be an easy and general solution
for both hidden and clearnet websites.
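
The policy requested in the message above, as an added example (it is not part of the original post and is not Smart Referer's code): send the Referer only when the destination is the same host, with an optional allow-list. The function names, the allow-list matching rule, the origin-only value for allow-listed hosts and the `.onion` hostnames are assumptions constructed for illustration.

```javascript
// Added illustration of a same-host Referer policy. Names are hypothetical.

// True if `host` equals an allow-list entry or is a subdomain of one.
function isAllowListed(host, allowList) {
  return allowList.some((d) => host === d || host.endsWith("." + d));
}

// Returns the Referer value to send, or null to omit the header entirely.
function refererFor(fromUrl, toUrl, allowList = []) {
  let from, to;
  try {
    from = new URL(fromUrl);
    to = new URL(toUrl);
  } catch {
    return null; // unparsable URL: fail closed and send nothing
  }
  const web = /^https?:$/;
  if (!web.test(from.protocol) || !web.test(to.protocol)) return null;

  const sameHost = from.hostname === to.hostname;
  if (!sameHost && !isAllowListed(to.hostname, allowList)) {
    return null; // cross-site: the hidden service address never leaves
  }

  // Drop userinfo and fragment so embedded credentials are not forwarded.
  from.username = "";
  from.password = "";
  from.hash = "";

  // Same host: full URL, as sites expect for their own navigation.
  // Allow-listed third party: origin only, so path and query (which may
  // carry session tokens) stay private. The origin itself is still revealed.
  return sameHost ? from.href : from.origin + "/";
}

// Constructed sample navigations (the .onion names are placeholders).
const samples = [
  ["http://constructedhiddensvc.onion/private?token=abc", "https://example.com/"],
  ["http://constructedhiddensvc.onion/a#top", "http://constructedhiddensvc.onion/b"],
  ["https://blog.example.org/post/1?s=2", "https://embed.disqus.com/x"],
];
for (const [from, to] of samples) {
  console.log(`${from} -> ${to}: Referer = ${refererFor(from, to, ["disqus.com"])}`);
}
```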



