Author: Jacob Appelbaum Date: To: tails-dev Subject: Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos: > Jacob Appelbaum:
>> intrigeri:
>>> Hi,
>>>
>>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>>> I am wondering about this line in /etc/default/htpdate:
>>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>>
>>> FTR, this is left from the times when htpdate did run wget in the
>>> clear (without going through Tor).
>>>
>>>> Since you are also using curl and only download the header, does
>>>> faking the Tor Button user agent provide any additional benefit?
>>>> Couldn't the server quite easily distinguish from real Tor Button
>>>> users and tails_htp curl users?
>>>
>>> It may be worse than what you are suggesting.
>>>
>>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>>> then we should probably not pretend to be Torbutton. Does it?
>>
>> The more software that pretends to be TorButton - the better, I think.
>
> As a political statement?
No. As a feature for feature match - it is true that there are other
protocol distinguishers and ... so what?
>
>>From technical view it's impossible [1] to imitate Tor Button with curl.
> The user agent is just one bit, there are loads of other bits to find
> out if someone is actually running Tor Browser and curl.
>
I don't care about curl at all.
> Just download for testing cnn.com with curl and look how much traffic
> has been transfered and how quick it goes, even if fetching the whole
> page, not just the header. Then watch the same thing in Tor Browser. It
> fetches loads of pictures and also connects to doubleclick and other
> third party sites.
Indeed.
>
> Thus my suggestions:
> - Keep only header. Safe users traffic, Tor's traffic and website traffic.
> - Drop the user agent setting, it only gives a false sense of being in
> the same anonymity set as Tor Button.
That is not the goal - the point is that you will say, drop that and no
one else will do so - so you will entirely stick out.
>
> [1] Not exactly impossible. The curl devs would have to change too much,
> extremely unlikely.