Comment 2 for bug 1617535

Exactly. Say I am the NSA and you are connected to Tor. I know your EMAIL user agent like Thunderbird is leaking data in your mail header, like Time Zone data. I know you are connected to Tor and that I want to associate your IP to your email. I fiddle your Time Zone response data to something esoteric, check all the emails that came in over all Tor connections, and associate you with that connection. Yes.

There are even more things you can do as well, like forcing an ETAG or Last-Modified header in order to track the client as it switched from one network to another, eg laptop moved from one insecure network to another.

Further, there are surely unknown parsing vulnerabilities in the response data that you will only find out later. HTTPS , especially with HSTS and HPKP makes abusing such issues much harder.

Let's Encrypt Everything with HTTPS. Unencrypted HTTP is dead.

"""
$ curl -s 'http://geoip.ubuntu.com' -D - | egrep '^(Last|ETag)'
Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT
ETag: "228049-4-4ac53a1e14240"
"""

References:

https://trac.torproject.org/projects/tor/ticket/6314

https://www.chromium.org/Home/chromium-security/client-identification-mechanisms#TOC-Cache-metadata:-ETag-and-Last-Modified

https://mortoray.com/2015/05/11/how-http-cache-headers-betray-your-privacy/

https://letsencrypt.org/