Exactly. Say I am the NSA and you are connected to Tor. I know your
EMAIL user agent like Thunderbird is leaking data in your mail header,
like Time Zone data. I know you are connected to Tor and that I want to
associate your IP to your email. I fiddle your Time Zone response data
to something esoteric, check all the emails that came in over all Tor
connections, and associate you with that connection. Yes.
There are even more things you can do as well, like forcing an ETAG or
Last-Modified header in order to track the client as it switched from
one network to another, eg laptop moved from one insecure network to
Further, there are surely unknown parsing vulnerabilities in the
response data that you will only find out later. HTTPS , especially with
HSTS and HPKP makes abusing such issues much harder.
Let's Encrypt Everything with HTTPS. Unencrypted HTTP is dead.
$ curl -s 'http://geoip.ubuntu.com' -D - | egrep '^(Last|ETag)'
Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT
** Bug watch added: trac.torproject.org/projects/tor/ #6314
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
geoip.ubuntu.com does not utilize HTTPS
To manage notifications about this bug go to:
ubuntu-bugs mailing list