TorButton and information disclosure on last OR
Mansur Marvanov
nanorobocop at gmail.com
Sun Jan 31 15:46:42 UTC 2010
Hello!
I have a Client machine with TorButton (Tor client + Firefox + Privoxy
+ TorButton) and a Server machine with Apache.
But when I'm trying to connect from Client to Server through TOR
network I see that there's my information on HTTP-headers on Server
side that last OR gives to my Apache.
So, AFAIU last OR has all information about me? Isn't it disclosure of
information?
I think that it would be better if TorButton changes or deletes
HTTP-headers that could disclose me.
For example, at least TorButton could hide my Host header, but it
doesn't. Is it a bug or what?
GET / HTTP/1.1
Host: ***MY***REAL***IP***
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
If-Modified-Since: Sat, 26 Sep 2009 15:50:51 GMT
If-None-Match: "883d5-2d-4747d076a8cc0"-gzip
Cache-Control: max-age=0
Connection: close
HTTP/1.1 200 OK
Date: Sun, 31 Jan 2010 14:08:29 GMT
Server: Apache/2.2.9 (Ubuntu)
Last-Modified: Sat, 26 Sep 2009 15:50:51 GMT
ETag: "883d5-2d-4747d076a8cc0"-gzip
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 56
Connection: close
Content-Type: text/html
............(....I.O....0..,Q(./..V....l.!..`U\.QU.f-...
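
Added example, not part of the original message and not Torbutton code: a short Python sketch that parses the request from the capture above and groups its headers by where their values come from. The Host header is filled in from the URL the browser was asked to load, so it names the server, while the conditional headers repeat validators that appear in the server's own response. The Host value 203.0.113.10 is a constructed placeholder and the group names are assumptions of this example.

```python
# Added example. Header values are taken from the capture in the post;
# the Host value is a constructed placeholder (documentation address).
REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) "
    "Gecko/2009021910 Firefox/3.0.7\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7\r\n"
    "If-Modified-Since: Sat, 26 Sep 2009 15:50:51 GMT\r\n"
    'If-None-Match: "883d5-2d-4747d076a8cc0"-gzip\r\n'
    "Connection: close\r\n\r\n"
)
RESPONSE_HEADERS = {
    "last-modified": "Sat, 26 Sep 2009 15:50:51 GMT",
    "etag": '"883d5-2d-4747d076a8cc0"-gzip',
}

# Hypothetical grouping chosen for this example, not a Torbutton feature.
GROUPS = {
    "destination": {"host"},
    "browser-profile": {"user-agent", "accept", "accept-language",
                        "accept-encoding", "accept-charset"},
    "cache-state": {"if-modified-since", "if-none-match"},
}
VALIDATORS = {"if-none-match": "etag", "if-modified-since": "last-modified"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers


def classify(headers):
    """Map each header name to its group; unlisted names fall under 'other'."""
    return {name: next((g for g, names in GROUPS.items() if name in names), "other")
            for name in headers}


def linked_validators(headers, response_headers):
    """Conditional headers that repeat a validator the server itself issued."""
    return sorted(req for req, resp in VALIDATORS.items()
                  if req in headers and headers[req] == response_headers.get(resp))


if __name__ == "__main__":
    line, hdrs = parse_request(REQUEST)
    print(line, classify(hdrs), linked_validators(hdrs, RESPONSE_HEADERS))
```

Both conditional headers match the ETag and Last-Modified values in the response shown in the post, which means the browser sent validators from a copy it had cached on an earlier visit.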