Thanks for your feedback Nick. I have dropped the TOR folks a line here: https://tor.stackexchange.com/questions/2098/is-it-a-serious-anonymity-privacy-issue-that-tor-doesnt-scrub-http-referer-in
And, as Natanael pointed out, there are Firefox extensions to stop this particular information leak. I'm using this one: https://github.com/meh/smart-referer

HTH,

~T

----- Original Message -----
From: "Nick" <[email protected]>
To: "liberationtech" <[email protected]>
Sent: Wednesday, May 14, 2014 7:03:47 AM
Subject: Re: [liberationtech] Anonymity / privacy considerations of HTTP 'referer' information

Quoth Tomer Altman:
> It occurred to me that the HTTP 'referer' header field leaks information
> about your browsing history.

Privoxy also can hide the referrer header (I can't remember if it does by default).

> I figured that if any project would be sensitive to this kind of leak,
> it would be the TOR project. So, using the latest version of the TOR
> Browser, I created a hyperlink to the following URL on a test web page
> of mine:
>
> http://www.whatismyreferer.com/
>
> Sure enough, clicking on the test link on my personal webpage took
> that URL, and the webpage dutifully reported the HTTP 'referer' header
> information. It was not blocked nor obscured.

That's interesting, and surprising. Perhaps you should file a bug to Tor project. It may be by design (probably there are a few sites out there that break without the referer, but very few; I've had it disabled for years and not noticed much at all), but maybe they just haven't considered it yet.

> The problem is that people might visit websites that fully or
> partially identify them, and then follow links to sites that will then
> track/log the HTTP 'referer' information.

Yeah, sounds like a reasonable concern to me.

Nick

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
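
The leak discussed in this thread, and the effect of dropping or trimming the header on cross-site links, as an added example; it is not part of the original messages and is not the code of Tor Browser, Privoxy or smart-referer. The function names, policy names and sample URLs are constructed for illustration, and the same-site test is a simplification.

```javascript
// What a destination server would receive in the Referer header under
// three client-side policies. All names here are hypothetical.

// Simplified "same site" test: compares the last two host labels.
// Assumption: a real implementation would consult the Public Suffix List.
function sameSite(a, b) {
  const base = (u) => u.hostname.toLowerCase().split('.').slice(-2).join('.');
  return base(a) === base(b);
}

// Returns the Referer value sent when following a link from `fromUrl`
// to `toUrl`, or null when the header is omitted entirely.
function refererFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  from.hash = '';      // fragments are not sent in Referer
  from.username = '';  // nor are embedded credentials
  from.password = '';
  switch (policy) {
    case 'send-full':       // header passed through unchanged
      return from.href;
    case 'same-site-only':  // header kept only for in-site navigation
      return sameSite(from, to) ? from.href : null;
    case 'origin-only':     // path and query stripped on cross-site links
      return sameSite(from, to) ? from.href : from.origin + '/';
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Constructed sample: a page whose URL identifies the user, linking out
// to an unrelated third-party site.
const SOURCE = 'https://forum.example.org/users/alice/drafts?id=42#top';
const TARGET = 'https://third-party.example.net/page';

// Collects the header value the third party would log under each policy.
function demo() {
  return ['send-full', 'same-site-only', 'origin-only'].map(
    (p) => [p, refererFor(SOURCE, TARGET, p)]);
}

console.log(demo());
```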
