[tor-bugs] #14351 [Tor Browser]: HTTP accept-language header fingerprinting detail
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jan 25 07:17:10 UTC 2015
#14351: HTTP accept-language header fingerprinting detail
----------------------------+--------------------------
Reporter: Leto | Owner: tbb-team
Type: defect | Status: new
Priority: minor | Milestone:
Component: Tor Browser | Version:
Keywords: fingerprinting | Actual Points:
Parent ID: | Points:
----------------------------+--------------------------
The English version of the Tor Browser's accept-language header is "en-
us,en;q=0.5". According to the EFF's Panopticlick, the more common
representation of this is "en-US,en;q=0.5", with the country code
capitalized (4.7 bits of identifying information for en-US compared to
5.01 for en-us). The spec for language codes also capitalizes the country
code, see https://tools.ietf.org/html/rfc5646 and
http://www.w3.org/International/articles/language-tags/. The Tor Browser
has it as "en-us" in 4.0.3 and 4.5a3.
Future versions of the Tor Browser might want to capitalize these country
codes. I noticed this while playing around with making regular Firefox
proxy through Tor, and seeing what it takes to fool
https://check.torproject.org to think I am using the Tor Browser. It only
checks the user-agent apparently, but https://panopticlick.eff.org was
still able to distinguish FirefoxESR (with a user-agent override) from the
Tor Browser based on this en-US/en-us difference.
Taken together with the user-agent, Panopticlick reports that the total
fingerprint data is less identifying with "en-us", but this must be
because all instances of the Tor Browser already have it that way.
Changing it to "en-US" in the future will bring it more in line with the
specs and what other browsers practice.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14351>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list