[liberationtech] Anonymity / privacy considerations of HTTP 'referer' information
Tomer Altman
taltman1 at stanford.edu
Wed May 14 12:58:54 PDT 2014
Thanks for your feedback, Nick. I have dropped the TOR folks a line here:
https://tor.stackexchange.com/questions/2098/is-it-a-serious-anonymity-privacy-issue-that-tor-doesnt-scrub-http-referer-in
And, as Natanael pointed out, there are Firefox extensions to stop this particular information leak. I'm using this one:
https://github.com/meh/smart-referer
HTH,
~T
----- Original Message -----
From: "Nick" <nick at njw.me.uk>
To: "liberationtech" <liberationtech at lists.stanford.edu>
Sent: Wednesday, May 14, 2014 7:03:47 AM
Subject: Re: [liberationtech] Anonymity / privacy considerations of HTTP 'referer' information
Quoth Tomer Altman:

> It occurred to me that the HTTP 'referer' header field leaks information
> about your browsing history.

Privoxy also can hide the referrer header (I can't remember if it
does by default).

> I figured that if any project would be sensitive to this kind of leak,
> it would be the TOR project. So, using the latest version of the TOR
> Browser, I created a hyperlink to the following URL on a test web page
> of mine:
>
> http://www.whatismyreferer.com/
>
> Sure enough, clicking on the test link on my personal webpage took
> that URL, and the webpage dutifully reported the HTTP 'referer' header
> information. It was not blocked nor obscured.

That's interesting, and surprising. Perhaps you should file a bug to
Tor project. It may be by design (probably there are a few sites out
there that break without the referer, but very few; I've had it
disabled for years and not noticed much at all), but maybe they just
haven't considered it yet.

> The problem is that people might visit websites that fully or
> partially identify them, and then follow links to sites that will then
> track/log the HTTP 'referer' information.

Yeah, sounds like a reasonable concern to me.

Nick
--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
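
The leak discussed in this thread, and the effect of a same-origin filter, as an added example (not part of the original messages, and not the code of Tor Browser, Privoxy or smart-referer). It assumes a browser that by default sends the full referring URL, as the test in the thread observed; the social.example URLs and the function names are constructed for illustration.

```javascript
'use strict';
// Added illustration; all names here are hypothetical.

// Parse an absolute URL; return null instead of throwing on bad input.
function parse(u) {
  try { return new URL(u); } catch (e) { return null; }
}

// Referer an unfiltered browser sends when a link on `fromUrl` leads to
// `toUrl`: the full referring URL, minus fragment and credentials.
// Returns null when the header is omitted.
function classicReferer(fromUrl, toUrl) {
  const from = parse(fromUrl), to = parse(toUrl);
  if (!from || !to) return null;
  // Only http(s) pages produce a Referer (not file:, about:, data:).
  if (!/^https?:$/.test(from.protocol)) return null;
  // RFC 7231 5.5.2: no Referer on a secure -> insecure transition.
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// Filtered variant: keep the header only when scheme, host and port match.
function sameOriginReferer(fromUrl, toUrl) {
  const from = parse(fromUrl), to = parse(toUrl);
  if (!from || !to || from.origin !== to.origin) return null;
  return classicReferer(fromUrl, toUrl);
}

// Constructed navigations: [page holding the link, link target].
const SAMPLE = [
  ['http://social.example/users/alice?tab=friends#top', 'http://www.whatismyreferer.com/'],
  ['http://social.example/users/alice', 'http://social.example/about'],
  ['https://social.example/users/alice', 'http://www.whatismyreferer.com/'],
];

// For each navigation, what the destination receives with and without filtering.
function compare(navs) {
  return navs.map(([from, to]) => ({
    to,
    unfiltered: classicReferer(from, to),
    filtered: sameOriginReferer(from, to),
  }));
}

console.table(compare(SAMPLE));
```

In the first row the unfiltered header hands the identifying profile URL to the third-party site, while the filtered variant omits it; same-site navigation keeps working in the second row.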