[tor-talk] Referers being sent from hidden service websites

mirimir mirimir at riseup.net
Sat Aug 31 02:32:52 UTC 2013


On 08/31/2013 01:50 AM, Gordon Morehouse wrote:

> BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA at bitmessage.ch:
>> I also opened a ticket:
>> https://trac.torproject.org/projects/tor/ticket/9623
> 
>> Currently, when browsing on a hidden service website, when you
>> click on a clearnet/hidden service link it sends the current
>> address as referer.
> 
>> This is not only an issue about users being tracked.
> 
>> It's also bad for owners of hidden services as the addresses are
>> getting discovered. Maybe the user was on a private website which
>> nobody should learn, or at least on a private webpage on a public
>> website.
> 
> Ouch. Yes, this definitely needs attention.
> 
>> My suggestion is to install 
>> https://addons.mozilla.org/en-us/firefox/addon/smart-referer/ I
>> believe it doesn't break anything major (it has a whitelist feature
>> which is very short and includes disqus.com and github.com) and
>> just adds another protection against tracking. This would be an
>> easy and general solution for both hidden and clearnet websites.
> 
> +1 for the quick and already-tested-elsewhere solution, if feasible.

That's a cool add-on.

I've used RefControl, by default forging referrers as root of sites
being visited. It doesn't break many sites.

Which is riskier, sending no referrer, or forging as RefControl does?

A quick search suggests that no referrer is worse than a forged one.

> Best,
> -Gordon M.
> 
> 
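The options weighed in this thread (default browser behaviour, no referrer, a same-domain-only rule in the style of Smart Referer, and RefControl-style forging of the visited site's root) compared side by side, as an added example that is not part of the original messages or of either add-on's code. The hostnames are constructed, same-site matching is simplified to the last two hostname labels, and the model assumes whitelisted destinations receive the unmodified header.

```javascript
// Model of the Referer policies compared in the thread. Hostnames are constructed.
// Assumption: "same site" is approximated by the last two hostname labels.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}
// Referer value sent when following a link from `from` to `to`; null = no header.
function refererFor(policy, from, to, whitelist = []) {
  const src = new URL(from);
  const dst = new URL(to);
  const full = src.origin + src.pathname + src.search; // fragments are not sent
  switch (policy) {
    case "default": // behaviour reported in the ticket
      return full;
    case "none": // header stripped entirely
      return null;
    case "same-domain": { // Smart Referer style
      const same = baseDomain(src.hostname) === baseDomain(dst.hostname);
      // Assumption: whitelisted destinations get the unmodified header.
      const listed = whitelist.includes(baseDomain(dst.hostname));
      return same || listed ? full : null;
    }
    case "forge-root": // RefControl forging the root of the visited site
      return dst.origin + "/";
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// True when the header discloses a .onion hostname to a different host.
function leaksOnion(referer, to) {
  if (referer === null) return false;
  const host = new URL(referer).hostname;
  return host.endsWith(".onion") && host !== new URL(to).hostname;
}

// Evaluate every policy for one navigation.
function audit(from, to, whitelist = []) {
  const result = {};
  for (const policy of ["default", "none", "same-domain", "forge-root"]) {
    const referer = refererFor(policy, from, to, whitelist);
    result[policy] = { referer, leak: leaksOnion(referer, to) };
  }
  return result;
}

const HIDDEN = "http://exampleonionaddr.onion/private/page?id=7#frag";
const WHITELIST = ["disqus.com", "github.com"]; // entries named in the thread
console.log(audit(HIDDEN, "https://clearnet.example/landing", WHITELIST));
console.log(audit(HIDDEN, "https://disqus.com/embed", WHITELIST));
```

Under that whitelist assumption, the second call shows the same-domain rule still disclosing the hidden service address to a whitelisted destination, which is worth checking before relying on the add-on's defaults.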


