Any website on ZeroNet or off of ZeroNet can detect what 'Zites' you currently have in your client.
This is done by making requests to images, scripts, or stylesheets, which ZeroNet does not restrict access to (as of writing this page).
The attack works for any ZeroNet site that has even a single script, stylesheet, or image.
This attack works in or outside of ZeroNet even if you use Tor, or do not use the same browser for ZeroNet.
This should also work with detecting big files and optional files, but this is untested.
This test has been updated to work despite a fix in 0.5.7
Does this matter?
If you don't want people to be able to tell what you have accessed or are sharing, then yes.
This affects users who want to be anonymous within ZeroNet but not outside of it, on the same computer.
How can ZeroNet fix this?
1. remove the /raw/ feature (unfavorable because its usefulness, and the attack may still be possible with timing measurements)
2. Start ZeroNet on a random IP + port. (unfavorable because it would break links and the attack would still be possible from within ZeroNet).
How can I protect against this for my Zite?
Who are you?
Does Tor or Tor Browser help?
Not really. Normal websites can also perform this attack, and it works with or without Tor.