Exactly. Say I am the NSA and you are connected to Tor. I know your EMAIL user agent like Thunderbird is leaking data in your mail header, like Time Zone data. I know you are connected to Tor and that I want to associate your IP to your email. I fiddle your Time Zone response data to something esoteric, check all the emails that came in over all Tor connections, and associate you with that connection. Yes.
There are even more things you can do as well, like forcing an ETag or Last-Modified header in order to track the client as it switched from one network to another, e.g. laptop moved from one insecure network to another. Further, there are surely unknown parsing vulnerabilities in the response data that you will only find out later.

HTTPS, especially with HSTS and HPKP, makes abusing such issues much harder. Let's Encrypt Everything with HTTPS. Unencrypted HTTP is dead.

"""
$ curl -s 'http://geoip.ubuntu.com' -D - | egrep '^(Last|ETag)'
Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT
ETag: "228049-4-4ac53a1e14240"
"""

References:
https://trac.torproject.org/projects/tor/ticket/6314
https://www.chromium.org/Home/chromium-security/client-identification-mechanisms#TOC-Cache-metadata:-ETag-and-Last-Modified
https://mortoray.com/2015/05/11/how-http-cache-headers-betray-your-privacy/
https://letsencrypt.org/

** Bug watch added: trac.torproject.org/projects/tor/ #6314
   https://trac.torproject.org/projects/tor/ticket/6314

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1617535

Title:
  geoip.ubuntu.com does not utilize HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions
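An added example (not part of the original bug comment): a heuristic audit, in Python, for the ETag / Last-Modified tracking described above. It compares the validators recorded for the same URL and an identical body from several vantage points and flags the ones that diverge; the observations, hostnames and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations (not real captures):
# (vantage point, URL, response headers, response body)
SAMPLES = [
    ("vantage-1", "http://geo.example/lookup",
     {"ETag": '"228049-4-4ac53a1e14240"'}, b"<Response>ok</Response>"),
    ("vantage-2", "http://geo.example/lookup",
     {"ETag": '"228049-4-4ac53a1e14240"'}, b"<Response>ok</Response>"),
    ("vantage-3", "http://geo.example/lookup",
     {"etag": '"u-7f3a91c2"', "Last-Modified": "Tue, 01 Jan 1980 00:00:07 GMT"},
     b"<Response>ok</Response>"),
    ("vantage-1", "https://static.example/app.js", {"ETag": '"abc"'}, b"js"),
    ("vantage-2", "https://static.example/app.js", {"ETag": '"abc"'}, b"js"),
]

def validators(headers):
    """Return the (ETag, Last-Modified) pair; header names are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (h.get("etag"), h.get("last-modified"))

def audit(samples):
    """Flag URLs where identical bodies arrive with differing cache validators.

    A validator should be a function of the content. If one vantage point sees
    a different ETag/Last-Modified for byte-identical content, the value may be
    acting as a per-client identifier (set by the server or rewritten in transit).
    """
    groups = defaultdict(lambda: defaultdict(set))
    for vantage, url, headers, body in samples:
        key = (url, hashlib.sha256(body).hexdigest())
        groups[key][validators(headers)].add(vantage)

    findings = []
    for (url, _digest), seen in groups.items():
        if len(seen) < 2:
            continue  # every vantage point saw the same validators
        majority = max(seen, key=lambda v: len(seen[v]))
        outliers = sorted(v for val, vs in seen.items() if val != majority for v in vs)
        findings.append({
            "url": url,
            "plain_http": urlsplit(url).scheme == "http",  # modifiable in transit
            "distinct_validators": len(seen),
            "outlier_vantages": outliers,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Differing validators can also be benign, for example when several backends each generate their own ETag, so a finding is a prompt to investigate rather than proof of tracking.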