Re: [Tails-dev] Faking htpdate user agent worth it?

Delete this message

Reply to this message
Autor: Jacob Appelbaum
Data:  
Dla: tails-dev
Temat: Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> Jacob Appelbaum:
>> intrigeri:
>>> Hi,
>>>
>>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>>> I am wondering about this line in /etc/default/htpdate:
>>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>>
>>> FTR, this is left from the times when htpdate did run wget in the
>>> clear (without going through Tor).
>>>
>>>> Since you are also using curl and only download the header, does
>>>> faking the Tor Button user agent provide any additional benefit?
>>>> Couldn't the server quite easily distinguish from real Tor Button
>>>> users and tails_htp curl users?
>>>
>>> It may be worse than what you are suggesting.
>>>
>>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>>> then we should probably not pretend to be Torbutton. Does it?
>>
>> The more software that pretends to be TorButton - the better, I think.
>
> As a political statement?


No. As a feature for feature match - it is true that there are other
protocol distinguishers and ... so what?

>
>>From technical view it's impossible [1] to imitate Tor Button with curl.
> The user agent is just one bit, there are loads of other bits to find
> out if someone is actually running Tor Browser and curl.
>


I don't care about curl at all.

> Just download for testing cnn.com with curl and look how much traffic
> has been transfered and how quick it goes, even if fetching the whole
> page, not just the header. Then watch the same thing in Tor Browser. It
> fetches loads of pictures and also connects to doubleclick and other
> third party sites.


Indeed.

>
> Thus my suggestions:
> - Keep only header. Safe users traffic, Tor's traffic and website traffic.
> - Drop the user agent setting, it only gives a false sense of being in
> the same anonymity set as Tor Button.


That is not the goal - the point is that you will say, drop that and no
one else will do so - so you will entirely stick out.

>
> [1] Not exactly impossible. The curl devs would have to change too much,
> extremely unlikely.


I don't use curl with tlsdate.

All the best,
Jacob