Exactly. Say I am the NSA and you are connected to Tor. I know your
email user agent like Thunderbird is leaking data in your mail header,
like Time Zone data. I know you are connected to Tor and that I want to
associate your IP to your email. I fiddle your Time Zone response data
to something esoteric, check all the emails that came in over all Tor
connections, and associate you with that connection. Yes.

There are even more things you can do as well, like forcing an ETag or
Last-Modified header in order to track the client as it switches from
one network to another, e.g. a laptop moved from one insecure network to
another.

Further, there are surely unknown parsing vulnerabilities in the
response data that you will only find out later. HTTPS, especially with
HSTS and HPKP, makes abusing such issues much harder.

Let's Encrypt Everything with HTTPS. Unencrypted HTTP is dead.

"""
$ curl -s 'http://geoip.ubuntu.com' -D - | egrep '^(Last|ETag)'
Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT
ETag: "228049-4-4ac53a1e14240"
"""

References:

https://trac.torproject.org/projects/tor/ticket/6314

https://www.chromium.org/Home/chromium-security/client-identification-mechanisms#TOC-Cache-metadata:-ETag-and-Last-Modified

https://mortoray.com/2015/05/11/how-http-cache-headers-betray-your-privacy/

https://letsencrypt.org/

** Bug watch added: trac.torproject.org/projects/tor/ #6314
   https://trac.torproject.org/projects/tor/ticket/6314
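The comment above describes two things worth checking on any endpoint the OS polls: whether the transport is cleartext (so headers can be rewritten in transit) and whether the response carries cache validators (ETag, Last-Modified) that the client will echo back on later requests, which is what makes them usable as a cross-network identifier. The following audit script is an added example and is not code from the bug report, from ubuntu-geoip or from Launchpad. It parses a raw header block offline; the sample response is constructed from the two curl lines quoted in the comment, plus a status line and Content-Type that are assumed. It also shows the revalidation headers a standards-conforming client would send back, which is the state that leaks.

```python
"""Audit an HTTP response header block for the privacy issues raised in
the bug thread: cleartext transport, missing HSTS, and cache validators
(ETag / Last-Modified) that a client echoes back on later requests.

Added example, not part of ubuntu-geoip or the bug report. Sample
response below is constructed from the curl output quoted in the thread.
"""
from typing import Dict, List, Tuple

# Constructed sample: the two header lines quoted above; the status line
# and Content-Type are assumed for completeness.
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT\r\n"
    'ETag: "228049-4-4ac53a1e14240"\r\n'
    "Content-Type: text/xml\r\n"
    "\r\n"
)

# Constructed sample of what a hardened endpoint would return instead:
# HSTS present, no per-resource validators for the client to remember.
SAMPLE_HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Cache-Control: no-store\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
)

# Headers a client stores and sends back on revalidation (RFC 7232).
CACHE_VALIDATORS = (("etag", "If-None-Match"),
                    ("last-modified", "If-Modified-Since"))


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def revalidation_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the conditional request headers a cache-honouring client
    would send on its next fetch. Whatever appears here is state that
    persists on the client and can be recognised by whoever set it."""
    return {req: headers[resp] for resp, req in CACHE_VALIDATORS
            if resp in headers}


def audit(url: str, raw: str) -> List[str]:
    """Return a list of finding codes for the given URL and raw response."""
    findings: List[str] = []
    _, headers = parse_headers(raw)
    if url.lower().startswith("http://"):
        # Anyone on the path can rewrite headers before the client sees them.
        findings.append("CLEARTEXT")
    if "strict-transport-security" not in headers:
        # Without HSTS the client keeps accepting http:// for this host.
        findings.append("NO_HSTS")
    echoed = revalidation_headers(headers)
    if echoed:
        present = [resp for resp, _ in CACHE_VALIDATORS if resp in headers]
        findings.append("CACHE_VALIDATORS:" + ",".join(present))
    return findings


if __name__ == "__main__":
    for url, raw in (("http://geoip.ubuntu.com", SAMPLE_HTTP_RESPONSE),
                     ("https://geoip.ubuntu.com", SAMPLE_HARDENED_RESPONSE)):
        print(url, audit(url, raw))
        print("  client would send back:",
              revalidation_headers(parse_headers(raw)[1]))
```

Running it reports the quoted response as cleartext, without HSTS, and carrying both validators, and prints the If-None-Match / If-Modified-Since pair the client would return on its next poll; the hardened sample produces no findings. To audit a live endpoint, feed the output of `curl -s -D - -o /dev/null URL` into `audit`.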

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ubuntu-geoip in Ubuntu.
https://bugs.launchpad.net/bugs/1617535

Title:
  geoip.ubuntu.com does not utilize HTTPS

Status in ubuntu-geoip package in Ubuntu:
  Incomplete

Bug description:
  geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over
  HTTP. This can potentially be utilized by nation state adversaries to
  compromise user privacy. This service is called multiple times per day
  by the OS in order to track users.

  $ nc -zv geoip.ubuntu.com 80
  Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!

  $ nc -zv -w 3 geoip.ubuntu.com 443
  nc: connect to geoip.ubuntu.com port 443 (tcp) timed out

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
