[liberationtech] Anonymity / privacy considerations of HTTP 'referer' information
Nick
nick at njw.me.uk
Wed May 14 07:03:47 PDT 2014
Quoth Tomer Altman:
> It occurred to me that the HTTP 'referer' header field leaks information
> about your browsing history.
Privoxy also can hide the referrer header (I can't remember if it
does by default).
> I figured that if any project would be sensitive to this kind of leak,
> it would be the TOR project. So, using the latest version of the TOR
> Browser, I created a hyperlink to the following URL on a test web page
> of mine:
>
> http://www.whatismyreferer.com/
>
> Sure enough, clicking on the test link on my personal webpage took
> that URL, and the webpage dutifully reported the HTTP 'referer' header
> information. It was not blocked nor obscured.
That's interesting, and surprising. Perhaps you should file a bug to
Tor project. It may be by design (probably there are a few sites out
there that break without the referer, but very few; I've had it
disabled for years and not noticed much at all), but maybe they just
haven't considered it yet.
> The problem is that people might visit websites that fully or
> partially identify them, and then follow links to sites that will then
> track/log the HTTP 'referer' information.
Yeah, sounds like a reasonable concern to me.
Nick
More information about the liberationtech
mailing list