Passing language code to check.torproject.org

Jacob Appelbaum jacob at appelbaum.net
Mon Mar 17 03:42:14 UTC 2008


Steven J. Murdoch wrote:
> On Fri, Mar 14, 2008 at 06:55:11PM -0700, Jacob Appelbaum wrote:
>> Yes. I agree. It's quite useful to mask that. In the event of the user
>> not having Torbutton enabled - Am I right to assume that they would
>> probably leak their language choice? I think it will but I'm an English
>> speaker and I haven't tested it.
> 
> Yes, Firefox will by default state its preferences for language and
> character set. Torbutton hides these when enabled.

Ok, that's what I thought.

> 
>> How do you feel about using https for this? Phobos bought us a cert that
>> should be good for the rest of the year. Ideally, if we use SSL, we're
>> going to have even less of an issue leaking possible linkable language
>> information to exit nodes.
> 
> That sounds like a good idea. I've applied the change.

Great.

> 
>> We probably also want to ensure that any link on check.tpo doesn't leak
>> a referring url that includes their language choice.
> 
> Right. This needs more investigation, but one option is to set a
> cookie with the language setting, and then redirect to a different
> page. Then the referring URL will not include the language choice. We
> would set a cookie, but that would only contain the language, not a
> user ID, and could be set with a very short expiry time.
> 

That seems reasonable. What about people who have disabled cookies?

I had considered just opening a link in a new window. We don't have very
many links and I believe that covers the risk of the referrer?

>> I think this is good providing a switch to https://check.torproject.org
> 
> OK, it's applied and I'll test it before the next release.
> 

Sounds good.

Regards,
Jacob Appelbaum



More information about the tor-dev mailing list