summaryrefslogtreecommitdiffstats
path: root/wiki/src/security/Iceweasel_exposes_a_rare_User-Agent.mdwn
blob: e41cb89fd5481eafb01bc5aae91086b7535c7125 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[[!meta date="Fri, 03 Sep 2010 01:15:14 +0000"]]
[[!meta title="Iceweasel exposes a rare User-Agent"]]

[[!tag security/fixed]]

A Torbutton bug ([[!debbug 595375]]) makes Iceweasel expose a
recognizable User-Agent when the "Spoof US English Browser" setting is
disabled, which is the case in T(A)ILS 0.5.

# Impact

System administrators, webmasters and anyone able to read the logs of
a website are able to single out, amongst the visitors, the ones that
are using an affected Torbutton extension *and* have explicitly
disabled the "Spoof US English Browser" setting.

While T(A)ILS users are obviously not the only ones in this case, such
a bug eases fingerprinting.

The client IP address recorded in the webserver logs for such a
connection is the one of the Tor exit node used by the T(A)ILS user at
this time.

# Solution

Upgrade to T(A)ILS 0.6.

# Mitigation on T(A)ILS 0.5

The following steps need to be done immediately after boot, **before**
running Iceweasel.

Run the following command in a terminal:

	gksudo gedit /etc/iceweasel/profile/user.js

... this opens a text editor. Delete the line that says:

	user_pref("extensions.torbutton.spoof_english", false);

... then save and quit. You can now run Iceweasel.

Beware! Changing this setting in the Torbutton preferences window is
**not** effective.

# Affected versions

Torbutton 1.2.5, included in T(A)ILS 0.5