Re: [Tails-dev] Faking htpdate user agent worth it?

Jacob Appelbaum:
> intrigeri:
>> Hi,
>>
>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>> I am wondering about this line in /etc/default/htpdate:
>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>
>> FTR, this is left from the times when htpdate did run wget in the
>> clear (without going through Tor).
>>
>>> Since you are also using curl and only download the header, does
>>> faking the Tor Button user agent provide any additional benefit?
>>> Couldn't the server quite easily distinguish from real Tor Button
>>> users and tails_htp curl users?
>>
>> It may be worse than what you are suggesting.
>>
>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>> then we should probably not pretend to be Torbutton. Does it?
>
> The more software that pretends to be TorButton - the better, I think.

As a political statement?

>From technical view it's impossible [1] to imitate Tor Button with curl.
The user agent is just one bit, there are loads of other bits to find
out if someone is actually running Tor Browser and curl.

Just download for testing cnn.com with curl and look how much traffic
has been transfered and how quick it goes, even if fetching the whole
page, not just the header. Then watch the same thing in Tor Browser. It
fetches loads of pictures and also connects to doubleclick and other
third party sites.

Thus my suggestions:
- Keep only header. Safe users traffic, Tor's traffic and website traffic.
- Drop the user agent setting, it only gives a false sense of being in
the same anonymity set as Tor Button.

[1] Not exactly impossible. The curl devs would have to change too much,
extremely unlikely.