Package: xul-ext-torbutton
Version: 1.2.5-1
Severity: important
Tags: security

Hi,

Context
=======

I am using the default preferences for the following settings:

pref("extensions.torbutton.set_uagent",true);
pref("extensions.torbutton.useragent_override", "Mozilla/5.0 (Windows; U; Windows NT 6.1; LANG; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3");

What works
==========

extensions.torbutton.spoof_english defaults to true in
/usr/share/xul-ext/torbutton/defaults/preferences/preferences.js.

In this default case, the reported User-Agent is:

    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

i.e. the LANG placeholder is correctly replaced with a standard
looking locale in the torbutton_set_uagent() function.

What does not work
==================

When extensions.torbutton.spoof_english is set to true the reported
User-Agent is:

    "Mozilla/5.0 (Windows; U; Windows NT 6.1; chrome://global/locale/intl.properties; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

One can see the LANG placeholder is wrongly replaced with
"chrome://global/locale/intl.properties" instead of what is expected
i.e. the value of the "general.useragent.locale" preference setting.

Consequences
============

This leaks usage of Torbutton for users who have disabled the
spoof_english setting. The Torbutton overridden User-Agent feature is
specifically aimed at preventing such fingerprinting. This bug makes
fingerprinting easier while the user thinks it has been made harder.

Hence the security tag and severity important.

Bye,

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

xul-ext-torbutton depends on no packages.

Versions of packages xul-ext-torbutton recommends:
ii  iceweasel           3.5.11-1             Web browser based on Firefox
ii  polipo              1.0.4.1-1.1~squeeze  a small, caching web proxy
ii  tor                 0.2.1.26-1~squeeze+1 anonymizing overlay network for TC

xul-ext-torbutton suggests no packages.

-- no debconf information

--
  intrigeri <intrig...@boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ 
https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
  | Who wants a world in which the guarantee that we shall not
  | die of starvation would entail the risk of dying of boredom ?
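An added example, not Torbutton's own code and not part of the bug report above: a small model of the LANG substitution the report describes, with the check a practitioner would want on top of it. The preference names and the User-Agent template are taken from the report; the preference store is a plain object standing in for the Mozilla preferences service, and the locale regex, the fallback to "en-US" and the function names are assumptions of this example. The point it demonstrates is that whatever the locale lookup returns must be validated before it is spliced into the spoofed User-Agent, because a value such as "chrome://global/locale/intl.properties" turns the "uniform" UA into a unique fingerprint.

```javascript
// Added example (not Torbutton's code). Models how the LANG placeholder in
// the spoofed User-Agent gets filled in, and validates the locale first.
// Constructed pref store: a plain object stands in for the prefs service.

const UA_TEMPLATE =
  "Mozilla/5.0 (Windows; U; Windows NT 6.1; LANG; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3";

// Assumption of this example: a common locale to fall back on when the
// lookup does not yield a locale tag, so the UA never carries an odd value.
const FALLBACK_LOCALE = "en-US";

// Locale tag as it appears in a Gecko 1.9 UA: "en-US", "fr", "pt-BR".
const LOCALE_RE = /^[a-z]{2,3}(-[A-Za-z]{2,4})?$/;

// Returns the locale string to put in place of LANG.
function pickLocale(prefs) {
  if (prefs["extensions.torbutton.spoof_english"]) {
    return FALLBACK_LOCALE;
  }
  const raw = prefs["general.useragent.locale"];
  // The failure mode from the report: the lookup returned a chrome:// URL
  // instead of a locale. Anything that is not a locale tag must not reach
  // the UA, since a unique string there is exactly the fingerprint the
  // override is meant to prevent.
  if (typeof raw !== "string" || !LOCALE_RE.test(raw)) {
    return FALLBACK_LOCALE;
  }
  return raw;
}

// Builds the spoofed User-Agent string for the given prefs.
function buildUserAgent(prefs) {
  return UA_TEMPLATE.replace("LANG", pickLocale(prefs));
}

// Sanity check on the final UA: no leftover placeholder, no chrome:// URL.
function isFingerprintSafe(ua) {
  return !ua.includes("LANG") && !ua.includes("chrome://");
}

// Constructed sample prefs: the default (spoof_english on), a user who turned
// it off with a sane locale, and the buggy case from the report.
const SAMPLES = {
  defaults: {
    "extensions.torbutton.spoof_english": true,
    "general.useragent.locale": "fr-FR",
  },
  noSpoof: {
    "extensions.torbutton.spoof_english": false,
    "general.useragent.locale": "fr-FR",
  },
  buggyLookup: {
    "extensions.torbutton.spoof_english": false,
    "general.useragent.locale": "chrome://global/locale/intl.properties",
  },
};

for (const [name, prefs] of Object.entries(SAMPLES)) {
  const ua = buildUserAgent(prefs);
  console.log(name, isFingerprintSafe(ua) ? "ok" : "LEAK", ua);
}
```

The fallback to "en-US" is a judgement call: a user who disabled spoof_english asked for their real locale, but when the lookup hands back something that is not a locale at all, emitting a common locale is strictly less identifying than emitting the broken value, which is what the report shows happening.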
