Jose Carlos Norte, developer for the eyeOS virtual desktop project, has discovered an obscure setting in the HTTP GZIP compression format that may help authorities identify the timezone and general location of a Tor-based server.

A long time ago, Web servers started supporting the compression of HTTP requests and responses. When users connected to a Web server, the server would ask their browsers if it supported compression and which compression they would like to use.

As browsers evolved, two HTTP compression formats started being used above other solutions, mainly due to their quick compression operation and relatively small output size. These were GZIP and DEFLATE.

GZIP header leaks server timezone information

Mr. Norte discovered that servers that use the GZIP compression format send compressed data with a header attached. According to the GZIP spec, this header includes a special field where the server writes the date at which the data was gzipped. This date is in the server's local time.

While this is not a big issue for freely advertised servers, for websites hosted on the anonymous TOR network, this can be a very big issue.

Law enforcement agencies could extract the server's compression date from the GZIP header and get a general idea in which timezone a Tor server or .onion website is hosted. While not incredibly useful, this information can be used with other Tor protocol leaks to narrow down the search for Tor-based services.

Default server setups prevent the leak

The good news is that, according to Mr. Norte's research, most Web servers will fill the GZIP compression date header field with zeros by default, citing performance issues.

Nevertheless, Mr. Norte says that some webmasters change this setting manually and that around 10% of the Tor websites he tested included this detail whenever negotiating and sending GZIP-compressed data.

To help webmasters test if their website or Tor .onion site is leaking timezone info via GZIP, Mr. Norte has released a proof-of-concept PHP script.