Audit polipo
_Originally created by Tails on [#6115 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/6115)_
A bunch of anonymity, privacy and security issues in Polipo were fixed
in Christopher Davis’ branch (git://repo.or.cz/polipo.git) and never
merged upstream.
Even if we have stopped using polipo in iceweasel (tails/tails#5776), we should
check if these issues affect Tails… unless we replace polipo with
privoxy? (tails/tails#5379)
# dontIdentifyToClients
Christopher added the `dontIdentifyToClients` option (commits: 80b45940,
be116b5, c78beb81) to fix [bug #1082 on Tor Project’s
Trac](https://trac.torproject.org/projects/tor/ticket/1082). When set to
true, "Polipo tries to avoid transmitting local host name, port, and
time zone".
1. *hostname* and *port*: Tails sets `proxyName = "localhost"` and
   `proxyPort = 8118` just like the Tor Browser Bundle does => nothing
   critical could be leaked - at worst, leaking this information
   restricts the practical anonymity set to the best one Tails can try
   putting its users into => **non-issue**.
2. Leaking *timezone* information to the outside world would be much
   more annoying: Tails’ web browser has been trying to spoof an EN-US
   browser since 0.7 for a reason. However, that information can only
   be transmitted to an HTTP client connected to Polipo; practically
   speaking, such a client can be any non-SOCKS-aware application
   shipped in Tails; most have other means to gather that information
   anyway, but e.g. untrusted JavaScript in the web browser might be
   used to access the aforementioned information and leak it =>
   **research** how to fix this (probably by patching Polipo and
   pushing that patch
   [upstream](https://lists.sourceforge.net/lists/listinfo/polipo-users)
   and/or to Debian; not shipping Polipo at all would be even
   better, but we’re not there yet)
> Tails Git devel branch sets UTC timezone for everybody, so the
> timezone leaking issue becomes much less relevant.
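
A check that could support the research in item 2, added here as an example (it is not part of the original ticket or of Polipo): it scans a raw proxy response for the machine's real host name and for time zone markers other than UTC/GMT. The two sample responses, their layout and the host name `amnesia-laptop` are constructed assumptions, not captured Polipo output.

```python
import re

# Zone tokens that reveal nothing about the user's locale.
NEUTRAL_ZONES = {"GMT", "UTC", "UT", "Z", "+0000", "-0000"}
# A clock time followed by a zone abbreviation or a numeric UTC offset.
ZONE_RE = re.compile(r"\b\d{2}:\d{2}:\d{2}\s+([A-Z]{1,5}|[+-]\d{4})\b")


def find_identity_leaks(response, local_names):
    """Return sorted (where, kind, value) findings for one raw HTTP response."""
    head, _, body = response.partition("\r\n\r\n")
    sections = [("body", body)]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        sections.append((name.strip().lower(), value.strip()))
    findings = set()
    for where, text in sections:
        for name in local_names:
            if name.lower() in text.lower():
                findings.add((where, "hostname", name))
        for match in ZONE_RE.finditer(text):
            if match.group(1) not in NEUTRAL_ZONES:
                findings.add((where, "timezone", match.group(1)))
    return sorted(findings)


# Constructed samples (hypothetical layout, not captured from Polipo).
LEAKY = (
    "HTTP/1.1 504 Connect failed\r\n"
    "Via: 1.1 amnesia-laptop:8118\r\n"
    "Date: Tue, 04 Jun 2013 10:15:00 GMT\r\n"
    "\r\n"
    "<p>Generated Tue, 04 Jun 2013 12:15:00 CEST on amnesia-laptop:8118</p>"
)
CLEAN = (
    "HTTP/1.1 504 Connect failed\r\n"
    "Via: 1.1 localhost:8118\r\n"
    "Date: Tue, 04 Jun 2013 10:15:00 GMT\r\n"
    "\r\n"
    "<p>Generated Tue, 04 Jun 2013 10:15:00 GMT on localhost:8118</p>"
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, find_identity_leaks(resp, ["amnesia-laptop"]))
```

The `localhost:8118` values in the clean sample are deliberately not flagged, matching the non-issue verdict in item 1.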
# others?
Fixes for security issues that were not privacy-related have supposedly
already been applied to the 1.0.4.1-1.1 polipo package shipped in Debian
Squeeze. This should be double-checked, though => **research**.
Parent Task: tails/tails#5769
### Related issues
- **Related to** tails/tails#5379