Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2020-04-16 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
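---------------------------------------------------------+---------------------------
 Reporter:  sysrqb                                       |          Owner:  tbb-team
     Type:  defect                                       |         Status:  new
 Priority:  High                                         |      Milestone:
Component:  Applications/Tor Browser                     |        Version:
 Severity:  Normal                                       |     Resolution:
 Keywords:  tbb-mobile, tbb-parity, user-feedback, blog  |  Actual Points:
Parent ID:                                               |         Points:
 Reviewer:                                               |        Sponsor:
---------------------------------------------------------+---------------------------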

Comment (by gk):

 #33465 is a duplicate.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-06-24 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
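---------------------------------------------------------+---------------------------
 Reporter:  sysrqb                                       |          Owner:  tbb-team
     Type:  defect                                       |         Status:  new
 Priority:  High                                         |      Milestone:
Component:  Applications/Tor Browser                     |        Version:
 Severity:  Normal                                       |     Resolution:
 Keywords:  tbb-mobile, tbb-parity, user-feedback, blog  |  Actual Points:
Parent ID:                                               |         Points:
 Reviewer:                                               |        Sponsor:
---------------------------------------------------------+---------------------------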
Changes (by gk):

 * priority:  Medium => High
 * cc: dujaus (added)


Comment:

 #30925 is a duplicate.


Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-06-10 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
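---------------------------------------------------------+---------------------------
 Reporter:  sysrqb                                       |          Owner:  tbb-team
     Type:  defect                                       |         Status:  new
 Priority:  Medium                                       |      Milestone:
Component:  Applications/Tor Browser                     |        Version:
 Severity:  Normal                                       |     Resolution:
 Keywords:  tbb-mobile, tbb-parity, user-feedback, blog  |  Actual Points:
Parent ID:                                               |         Points:
 Reviewer:                                               |        Sponsor:
---------------------------------------------------------+---------------------------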
Changes (by gk):

 * cc: sigil12 (added)


Comment:

 #30772 is a duplicate.


Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-29 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
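---------------------------------------------------------+---------------------------
 Reporter:  sysrqb                                       |          Owner:  tbb-team
     Type:  defect                                       |         Status:  new
 Priority:  Medium                                       |      Milestone:
Component:  Applications/Tor Browser                     |        Version:
 Severity:  Normal                                       |     Resolution:
 Keywords:  tbb-mobile, tbb-parity, user-feedback, blog  |  Actual Points:
Parent ID:                                               |         Points:
 Reviewer:                                               |        Sponsor:
---------------------------------------------------------+---------------------------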
Changes (by wayward):

 * keywords:  tbb-mobile, tbb-parity => tbb-mobile, tbb-parity,
   user-feedback, blog



Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-27 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
--------------------------------------+---------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile, tbb-parity    |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by sysrqb):

 Replying to [comment:4 gk]:
 > Replying to [comment:3 sysrqb]:
 [snip]
 > > I wonder what we should do on Android. Maybe we should start with
 > > always spoofing the header for now, and implement a better fix later?
 >
 > I am inclined to say "no" as the usability issues are potentially quite
 > severe. There are a bunch of ways to get the browser locale (we still have
 > some open for desktop) even though header spoofing *is* active (see e.g.
 > #30304). So the benefit might not be as expected (this is *not* meant in
 > the sense that we should not fix it because there are other ways to obtain
 > the locale).

 Maybe we should add a warning/notification somewhere? Maybe we should
 check the current locale when the app starts and show a warning if
 `locale` != `en-US`? It makes me a little uncomfortable that we default to
 `en-US`, but I don't have a better answer right now.

 From a usability perspective, we should be sending the correct language
 header.


Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-24 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
--------------------------------------+---------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile, tbb-parity    |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------
Changes (by gk):

 * keywords:  tbb-mobile => tbb-mobile, tbb-parity


Comment:

 Replying to [comment:3 sysrqb]:
 > Replying to [comment:2 acat]:
 > > I think what happens in desktop (with lang other than en-US) is that
 > > on first navigation there is the prompt asking whether to spoof to
 > > English, if the user accepts then it sets the `privacy.spoof_english =  2`
 > > pref. Then, the pref listener in
 > > `toolkit/components/resistfingerprinting/RFPHelper.jsm` sets the
 > > `intl.accept_languages = en-US,en`. In Android I don't see
 > > `privacy.spoof_english` pref, and then even if set manually to 2,
 > > `intl.accept_languages` is not changed. I wonder what is failing here...
 > > Changing `intl.accept_languages = en-US,en` manually works, and then the
 > > `accept-language` header is spoofed correctly.
 >
 > Ah, thanks! That sounds like something we want on Android, too. It seems
 > it was only
 > [https://gitweb.torproject.org/tor-browser.git/commit/?h=6806c911a3b9e5d878af4f99cddebadc0ba12808 implemented]
 > on Desktop (not surprisingly). I wonder what we should do on
 > Android. Maybe we should start with always spoofing the header for now,
 > and implement a better fix later?

 I am inclined to say "no" as the usability issues are potentially quite
 severe. There are a bunch of ways to get the browser locale (we still have
 some open for desktop) even though header spoofing *is* active (see e.g.
 #30304). So the benefit might not be as expected (this is *not* meant in
 the sense that we should not fix it because there are other ways to obtain
 the locale).


Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-24 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
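--------------------------------------+---------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------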
Changes (by sysrqb):

 * keywords:   => tbb-mobile


Comment:

 Replying to [comment:2 acat]:
 > I think what happens in desktop (with lang other than en-US) is that on
 > first navigation there is the prompt asking whether to spoof to English,
 > if the user accepts then it sets the `privacy.spoof_english =  2` pref.
 > Then, the pref listener in
 > `toolkit/components/resistfingerprinting/RFPHelper.jsm` sets the
 > `intl.accept_languages = en-US,en`. In Android I don't see
 > `privacy.spoof_english` pref, and then even if set manually to 2,
 > `intl.accept_languages` is not changed. I wonder what is failing here...
 > Changing `intl.accept_languages = en-US,en` manually works, and then the
 > `accept-language` header is spoofed correctly.

 Ah, thanks! That sounds like something we want on Android, too. It seems
 it was only
 [https://gitweb.torproject.org/tor-browser.git/commit/?h=6806c911a3b9e5d878af4f99cddebadc0ba12808 implemented]
 on Desktop (not surprisingly). I wonder what we should do on
 Android. Maybe we should start with always spoofing the header for now,
 and implement a better fix later?


Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-24 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
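--------------------------------------+---------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------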

Comment (by acat):

 I think what happens in desktop (with lang other than en-US) is that on
 first navigation there is the prompt asking whether to spoof to English,
 if the user accepts then it sets the `privacy.spoof_english =  2` pref.
 Then, the pref listener in
 `toolkit/components/resistfingerprinting/RFPHelper.jsm` sets the
 `intl.accept_languages = en-US,en`. In Android I don't see
 `privacy.spoof_english` is not set, and then even if set manually to 2,
 `intl.accept_languages` is not changed. I wonder what is failing here...
 Changing `intl.accept_languages = en-US,en` manually works, and then the
 `accept-language` header is spoofed correctly.


Re: [tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-24 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
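--------------------------------------+---------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------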
Description changed by sysrqb:

Old description:

> A [https://blog.torproject.org/comment/281830#comment-281830 blog user]
> mentions each request includes the chosen browser language. Do we
> normalize this on desktop such that we only send `en-US` regardless of
> the browser's localization?
>
> Using https://wtfismyip.com/headers
>
> With `en-US` as the browser locale:
> {{{
> host: wtfismyip.com
> connection:
> close user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0)
> Gecko/20100101 Firefox/60.0
> accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> accept-language: en-US,en;q=0.5
> accept-encoding: gzip, deflate, br
> upgrade-insecure-requests: 1
> }}}
>

> With `ru-RU` as the browser locale:
> {{{
> host: wtfismyip.com
> connection: close
> user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
> Firefox/60.0
> accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3
> accept-encoding: gzip, deflate, br
> upgrade-insecure-requests: 1
> }}}

New description:

 A [https://blog.torproject.org/comment/281830#comment-281830 blog user]
 mentions each request includes the chosen browser language. Do we
 normalize this on desktop such that we only send `en-US` regardless of the
 browser's localization?

 Using https://wtfismyip.com/headers

 With `en-US` as the browser locale:
 {{{
 host: wtfismyip.com
 connection: close
 user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
 Firefox/60.0
 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-language: en-US,en;q=0.5
 accept-encoding: gzip, deflate, br
 upgrade-insecure-requests: 1
 }}}


 With `ru-RU` as the browser locale:
 {{{
 host: wtfismyip.com
 connection: close
 user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
 Firefox/60.0
 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3
 accept-encoding: gzip, deflate, br
 upgrade-insecure-requests: 1
 }}}

--


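Added example (not part of the ticket thread, and not Tor Browser or Firefox code): a check that compares an observed accept-language value with the spoofed `intl.accept_languages = en-US,en` baseline discussed in the comments and lists the tags that reveal the locale. The q-value rule in `headerFromPref` is an assumption fitted to the two captures in the description, and the list `ru,ru-RU,en-US,en` is inferred from the second capture.

```javascript
// Added example: not Tor Browser or Firefox code.
// Pref value the ticket says RFPHelper.jsm sets when spoofing is on.
const SPOOFED_PREF = "en-US,en";

// Model of how a language list becomes the header value. Assumption: q falls
// linearly with position and is rounded to one decimal. This reproduces both
// captures in the ticket; it is not taken from Firefox source.
function headerFromPref(pref) {
  const tags = pref.split(",").map((t) => t.trim()).filter(Boolean);
  return tags
    .map((tag, i) => {
      if (i === 0) return tag;
      const q = Math.floor((1 - i / tags.length) * 10 + 0.5) / 10;
      return `${tag};q=${q.toFixed(1)}`;
    })
    .join(",");
}

// Parse an Accept-Language value into [{ tag, q }], defaulting q to 1.
function parseAcceptLanguage(value) {
  return value
    .split(",")
    .map((part) => {
      const [tag, ...params] = part.split(";").map((s) => s.trim());
      const qParam = params.find((p) => p.toLowerCase().startsWith("q="));
      return { tag, q: qParam ? parseFloat(qParam.slice(2)) : 1 };
    })
    .filter((e) => e.tag.length > 0);
}

// Compare an observed header with the spoofed baseline and list the tags
// that tell a server the browser uses a locale outside that baseline.
function localeLeak(observed) {
  const baseline = new Set(SPOOFED_PREF.toLowerCase().split(","));
  const revealedTags = parseAcceptLanguage(observed)
    .map((e) => e.tag)
    .filter((tag) => !baseline.has(tag.toLowerCase()));
  return {
    matchesSpoofed: observed.trim() === headerFromPref(SPOOFED_PREF),
    revealedTags,
  };
}

// The two accept-language values captured in the ticket description.
const CAPTURE_EN = "en-US,en;q=0.5";
const CAPTURE_RU = "ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3";
console.log(localeLeak(CAPTURE_EN), localeLeak(CAPTURE_RU));
```
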
[tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

2019-05-24 Thread Tor Bug Tracker & Wiki
#30605: accept-language header leaks browser localization
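------------------------------------------+------------------------
     Reporter:  sysrqb                    |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+------------------------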
 A [https://blog.torproject.org/comment/281830#comment-281830 blog user]
 mentions each request includes the chosen browser language. Do we
 normalize this on desktop such that we only send `en-US` regardless of the
 browser's localization?

 Using https://wtfismyip.com/headers

 With `en-US` as the browser locale:
 {{{
 host: wtfismyip.com
 connection:
 close user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0)
 Gecko/20100101 Firefox/60.0
 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-language: en-US,en;q=0.5
 accept-encoding: gzip, deflate, br
 upgrade-insecure-requests: 1
 }}}


 With `ru-RU` as the browser locale:
 {{{
 host: wtfismyip.com
 connection: close
 user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
 Firefox/60.0
 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3
 accept-encoding: gzip, deflate, br
 upgrade-insecure-requests: 1
 }}}
