[tor-talk] Referers being sent from hidden service websites
mirimir
mirimir at riseup.net
Sat Aug 31 02:32:52 UTC 2013
On 08/31/2013 01:50 AM, Gordon Morehouse wrote:
> BM-2D8jTRi23DYth7WhMALDHSVhdFWP91ZcqA at bitmessage.ch:
>> I also opened a ticket:
>> https://trac.torproject.org/projects/tor/ticket/9623
>
>> Currently, when browsing on a hidden service website, when you
>> click on a clearnet/hidden service link it sends the current
>> address as referer.
>
>> This is not only an issue about users being tracked.
>
>> It's also bad for owners of hidden services as the addresses are
>> getting discovered. Maybe the user was on a private website which
>> nobody should learn, or at least on a private webpage on a public
>> website.
>
> Ouch. Yes, this definitely needs attention.
>
>> My suggestion is to install
>> https://addons.mozilla.org/en-us/firefox/addon/smart-referer/ I
>> believe it doesn't break anything major (it has a whitelist feature
>> which is very short and includes disqus.com and github.com) and
>> just adds another protection against tracking. This would be an
>> easy and general solution for both hidden and clearnet websites.
>
> +1 for the quick and already-tested-elsewhere solution, if feasible.

That's a cool add-on.

I've used RefControl, by default forging referrers as root of sites
being visited. It doesn't break many sites.

Which is riskier, sending no referrer, or forging as RefControl does?
A quick search suggests that no referrer is worse than a forged one.

> Best,
> -Gordon M.
>
>
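
The three Referer behaviours discussed in this message (the browser default, a Smart Referer-style same-site rule with a whitelist, and RefControl forging the root of the site being visited), as an added example that is not part of the original post. Hostnames are constructed placeholders, and the same-site rule is a simplified assumption about Smart Referer (exact hostname match, no Referer sent otherwise); the HTTPS-to-HTTP stripping rule is ignored.

```javascript
// Added example: compares what a destination site learns under each policy.
// Whitelisted destinations still receive the real referer (the thread names
// disqus.com and github.com as entries in Smart Referer's list).
const WHITELIST = ["disqus.com", "github.com"];

function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Real referer as a browser would send it: no fragment, no credentials.
function realReferer(from) {
  const src = new URL(from);
  src.hash = "";
  src.username = "";
  src.password = "";
  return src.href;
}

// Returns the Referer value sent when navigating from `from` to `to`,
// or null when no Referer header is sent.
function refererFor(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  switch (policy) {
    case "default": // current address is always sent
      return realReferer(from);
    case "same-site-only": // Smart Referer-style (simplified assumption)
      if (src.hostname === dst.hostname) return realReferer(from);
      if (WHITELIST.some((d) => hostMatches(dst.hostname, d))) return realReferer(from);
      return null;
    case "forge-root": // RefControl as configured in the reply above
      return dst.origin + "/";
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// True when the destination can read the source hostname from the header.
function leaksSourceHost(policy, from, to) {
  const sent = refererFor(policy, from, to);
  return sent !== null && new URL(sent).hostname === new URL(from).hostname;
}

// Constructed sample navigation: private hidden-service page to a clearnet site.
const FROM = "http://exampleprivateaddr.onion/private/page.html#notes";
const TO = "http://news.example.com/story";
for (const p of ["default", "same-site-only", "forge-root"]) {
  console.log(p, "->", refererFor(p, FROM, TO), "leak:", leaksSourceHost(p, FROM, TO));
}
```

Note that under the same-site rule a whitelisted destination still receives the hidden service address, so the whitelist contents matter for the exposure described in the ticket.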