guardianproject / Orweb

We are EOL this project. Please use Lightning Browser or wait for Orfox instead
https://guardianproject.info/2015/06/30/orfox-aspiring-to-bring-tor-browser-to-android/

x-wap-profile and X-Requested-With defeat user-agent, de-anonymize users #54

Open chaos095 opened 10 years ago

chaos095 commented 10 years ago

I'm using Orweb 0.6 via F-Droid. On my phone, Orweb sends the following HTTP headers (among others) via port 8118 to Tor on port 9050:

x-wap-profile: http://218.249.47.94/Xianghe/MTK_Phone_JB_UAprofile.xml
X-Requested-With: info.guardianproject.browser

I don't know why/where that is added, but these pieces of information certainly defeat the purpose of configurable user-agent strings. (I didn't check this systematically, but I send the above headers with the default User Agent setting and also pretending to be TorBrowserBundle.) People using rare phones (such as myself) are probably identified uniquely.

For the record, here is a sample GET request:

GET / HTTP/1.1
Host: heise.de
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
x-wap-profile: http://218.249.47.94/Xianghe/MTK_Phone_JB_UAprofile.xml
X-Requested-With: info.guardianproject.browser
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Accept-Encoding: gzip,deflate
Accept-Language: de-DE, en-US
Accept-Charset: utf-8, utf-16, *;q=0.7
Connection: close

chaos095 commented 10 years ago

The simplest way to check whether you are affected by this issue is probably to go to http://ipcheck.info/ and execute the test. If the test result shows the x-wap-profile header, you are screwed. I see that on Android 4.2.2 but not on 4.0.3. That header is also present with the stock browser (where X-Requested-With is different: com.android.browser) but not with Firefox.

Here is my workaround, which instructs privoxy (part of Orbot) to remove those headers: I changed /data/data/org.torproject.android/app_bin/privoxy.config by adding the following two lines:

actionsfile user.action
filterfile user.filter

Then I created /data/data/org.torproject.android/user.filter and /data/data/org.torproject.android/user.action.

Contents of user.filter:

CLIENT-HEADER-FILTER: remove-wap-profile Removes x-wap-profile headers.
s@^x-wap-profile:.*@@i

CLIENT-HEADER-FILTER: remove-requested-with Removes X-Requested-With headers.
s@^X-Requested-With:.*@@i

Contents of user.action:

{ \
+client-header-filter{remove-wap-profile} \
+client-header-filter{remove-requested-with} \
}
/ # Match all URLs

The above seems to work, but Orweb should not send those headers in the first place.
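Added example (not code from the issue or from the Orweb/Orbot projects): a small Python audit that parses the sample GET request quoted above, reports the two identifying headers the user.filter targets, and strips them the same way the two `s@^name:.*@@i` jobs do, so the result of the Privoxy workaround can be checked offline. The request bytes are reassembled from the issue text and are the only input assumed.

```python
from typing import Dict, List, Tuple

# Constructed sample: the GET request quoted in the issue, reassembled as a raw HTTP/1.1 message.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: heise.de\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "x-wap-profile: http://218.249.47.94/Xianghe/MTK_Phone_JB_UAprofile.xml\r\n"
    "X-Requested-With: info.guardianproject.browser\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Accept-Language: de-DE, en-US\r\n"
    "Accept-Charset: utf-8, utf-16, *;q=0.7\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# The two header names the user.filter above removes; compared case-insensitively,
# matching the "i" flag on the Privoxy substitution jobs.
LEAKY_HEADERS = ("x-wap-profile", "x-requested-with")


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request into its request line and (name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]          # ignore any body
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_leaks(raw: str) -> Dict[str, str]:
    """Return the identifying headers present in the request, keyed by lowercase name."""
    _, headers = parse_request(raw)
    return {n.lower(): v for n, v in headers if n.lower() in LEAKY_HEADERS}


def strip_leaks(raw: str) -> str:
    """Drop the leaky headers, equivalent to the two client-header-filter jobs in user.filter."""
    request_line, headers = parse_request(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in LEAKY_HEADERS]
    return "\r\n".join([request_line, *kept]) + "\r\n\r\n"
```

Running `find_leaks` on the sample reports both headers; running it again on `strip_leaks(SAMPLE_REQUEST)` reports none, which is the check the ipcheck.info test performs from the server side.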