On 08/31/2013 01:50 AM, Gordon Morehouse wrote:
> [email protected]:
>> I also opened a ticket:
>> https://trac.torproject.org/projects/tor/ticket/9623
>
>> Currently, when browsing on a hidden service website, when you
>> click on a clearnet/hidden service link it sends the current
>> address as referer.
>
>> This is not only an issue about users being tracked.
>
>> It's also bad for owners of hidden services as the addresses are
>> getting discovered. Maybe the user was on a private website which
>> nobody should learn, or at least on a private webpage on a public
>> website.
>
> Ouch. Yes, this definitely needs attention.
>
>> My suggestion is to install
>> https://addons.mozilla.org/en-us/firefox/addon/smart-referer/ I
>> believe it doesn't break anything major (it has a whitelist feature
>> which is very short and includes disqus.com and github.com) and
>> just adds another protection against tracking. This would be an
>> easy and general solution for both hidden and clearnet websites.
>
> +1 for the quick and already-tested-elsewhere solution, if feasible.

That's a cool add-on. I've used RefControl, by default forging referrers
as root of sites being visited. It doesn't break many sites.

Which is riskier, sending no referrer, or forging as RefControl does? A
quick search suggests that no referrer is worse than a forged one.

> Best,
> -Gordon M.
>
>
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
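Added example, not part of the original message and not code from Tor Browser, Smart Referer or RefControl: a simplified JavaScript model of the referer policies compared in this thread, showing what a destination site would receive when a link is followed from a hidden service page. The policy names, the onion hostname and URLs, the two-label "site" comparison and the choice to match the whitelist against the destination are all assumptions made for illustration.

```javascript
// Simplified model of the Referer policies discussed in the thread.
// Whitelist entries are the two named in the post; matching them against
// the destination is an assumption of this model, not the add-on's spec.
const WHITELIST = ["disqus.com", "github.com"];

// Crude "site" key: last two host labels (assumption; no public-suffix list).
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns the Referer value the destination would see, or null if none is sent.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameSite = site(from.hostname) === site(to.hostname);
  switch (policy) {
    case "default":    // behaviour reported in the ticket: full address is sent
      return from.href;
    case "none":       // never send a Referer
      return null;
    case "forge-root": // RefControl-style: claim to come from the target's root
      return to.origin + "/";
    case "same-site":  // Smart-Referer-style: real referer only within one site
      return sameSite || WHITELIST.includes(site(to.hostname)) ? from.href : null;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// True when a different site learns the hostname the user came from.
function leaksOrigin(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const ref = refererFor(policy, fromUrl, toUrl);
  return ref !== null && site(from.hostname) !== site(to.hostname) &&
    ref.includes(from.hostname);
}

// Constructed sample navigation: hidden service page -> clearnet link.
const FROM = "http://examplehiddensvc.onion/private/page.html";
const CLEARNET = "https://news.example.com/story";

function compare() {
  const out = {};
  for (const p of ["default", "none", "forge-root", "same-site"]) {
    out[p] = { referer: refererFor(p, FROM, CLEARNET), leak: leaksOrigin(p, FROM, CLEARNET) };
  }
  return out;
}
console.log(compare());
```

In this model a whitelisted destination still receives the real referer, so leaksOrigin("same-site", FROM, "https://github.com/x") is true.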
