Re: [Tails-dev] Faking htpdate user agent worth it?

Delete this message

Reply to this message
Autor: adrelanos
Data:  
Para: The Tails public development discussion list
Assunto: Re: [Tails-dev] Faking htpdate user agent worth it?
Jacob Appelbaum:
> adrelanos:
>> Jacob Appelbaum:
>>> intrigeri:
>>>> Hi,
>>>>
>>>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>>>> I am wondering about this line in /etc/default/htpdate:
>>>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>>>
>>>> FTR, this is left from the times when htpdate did run wget in the
>>>> clear (without going through Tor).
>>>>
>>>>> Since you are also using curl and only download the header, does
>>>>> faking the Tor Button user agent provide any additional benefit?
>>>>> Couldn't the server quite easily distinguish from real Tor Button
>>>>> users and tails_htp curl users?
>>>>
>>>> It may be worse than what you are suggesting.
>>>>
>>>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>>>> then we should probably not pretend to be Torbutton. Does it?
>>>
>>> The more software that pretends to be TorButton - the better, I think.
>>
>> As a political statement?
>
> No. As a feature for feature match - it is true that there are other
> protocol distinguishers and ... so what?
>
>>
>> >From technical view it's impossible [1] to imitate Tor Button with curl.
>> The user agent is just one bit, there are loads of other bits to find
>> out if someone is actually running Tor Browser and curl.
>>
>
> I don't care about curl at all.


Same goes for all command line downloader.

>> Just download for testing cnn.com with curl and look how much traffic
>> has been transfered and how quick it goes, even if fetching the whole
>> page, not just the header. Then watch the same thing in Tor Browser. It
>> fetches loads of pictures and also connects to doubleclick and other
>> third party sites.
>
> Indeed.
>
>>
>> Thus my suggestions:
>> - Keep only header. Safe users traffic, Tor's traffic and website traffic.
>> - Drop the user agent setting, it only gives a false sense of being in
>> the same anonymity set as Tor Button.
>
> That is not the goal - the point is that you will say, drop that and no
> one else will do so - so you will entirely stick out.


Well, don't drop it individually or right away. Drop it in a new release.

>>
>> [1] Not exactly impossible. The curl devs would have to change too much,
>> extremely unlikely.
>
> I don't use curl with tlsdate.


Replace curl with a placeholder for any command line downloader.

> All the best,
> Jacob
>
> _______________________________________________
> tails-dev mailing list
> tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
>