Re: [Tails-dev] Faking htpdate user agent worth it?

Author: adrelanos
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Faking htpdate user agent worth it?
Jacob Appelbaum:
> adrelanos:
>>>> Thus my suggestions:
>>>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>>>> - Drop the user agent setting, it only gives a false sense of being in
>>>> the same anonymity set as Tor Button.
>>>
>>> That is not the goal - the point is that you will say, drop that and no
>>> one else will do so - so you will entirely stick out.
>>
>> Well, don't drop it individually or right away. Drop it in a new release.
>>
>
> And I am saying - TBB won't drop their user agent. So you won't look
> like them - you will look like you.


What TBB does is not important for this case. You will look like wget,
so or so. See below.

>>>>
>>>> [1] Not exactly impossible. The curl devs would have to change too much,
>>>> extremely unlikely.
>>>
>>> I don't use curl with tlsdate.
>>
>> Replace curl with a placeholder for any command line downloader.
>>
>
> I think you are confused.


I don't want to deny the possibility.

> If I send a GET request with all the headers
> sent by say, Tor Browser, that *single* GET request should look
> identical. That is my goal.


An honorable goal.

I made a quick test with Wireshark visiting cnn.com as an example. With
Tor Browser I had the page open for 1 minute. It connects to at least 6
different IPs (just saying, no criticism), downloads (temporarily, to show
in browser) lots of pictures. The log grows much faster.

Then I issued "wget cnn.com". It only connects to two IPs (1
redirection). The log is much smaller. Wget does not fetch pictures.

It's trivial for the website owner, if he wants to, to find out if his
website gets visited with Tor Browser by a real user or if it gets
downloaded with a tool like wget.

If you use wget, you look like wget, no matter which user agent you
choose. So what's the point for Tails to add extra identifying bits?
(curl + Tor Button user agent)

I think the user agent switcher feature of command line downloaders
is not supposed to be a privacy feature. They probably added it to fetch
different versions of sites, one for firefox, one for mobile phones and
so on. This does not apply here, since you just want the header for the
time.

Cheers,
adrelanos
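
Added example, not part of the original message: a server-side check over access-log lines that illustrates the point made above, that a client which fetches only the page and none of its images or stylesheets stands out whatever User-Agent it sends. The log lines, addresses and User-Agent strings are constructed, and grouping by client address is a simplifying assumption (over Tor the address would be an exit relay).

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (not real traffic).
# The first two clients send the same browser User-Agent string.
UA = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
SAMPLE_LOG = f'''\
198.51.100.7 - - [01/Jan/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA}"
198.51.100.7 - - [01/Jan/2013:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://example.test/" "{UA}"
198.51.100.7 - - [01/Jan/2013:10:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 4000 "http://example.test/" "{UA}"
203.0.113.9 - - [01/Jan/2013:10:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA}"
192.0.2.4 - - [01/Jan/2013:10:06:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.13.4 (linux-gnu)"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ASSET_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico)(\?.*)?$', re.IGNORECASE)


def classify(log_text):
    """Label each client by what it fetched, not by what its User-Agent says."""
    stats = defaultdict(lambda: {"pages": 0, "assets": 0, "ua": ""})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        entry = stats[m["ip"]]
        entry["ua"] = m["ua"]
        entry["assets" if ASSET_RE.search(m["path"]) else "pages"] += 1

    labels = {}
    for ip, entry in stats.items():
        if entry["assets"] > 0:
            labels[ip] = "browser-like"
        elif entry["ua"].startswith("Mozilla/"):
            labels[ip] = "page only, browser User-Agent"
        else:
            labels[ip] = "page only, tool User-Agent"
    return labels


if __name__ == "__main__":
    for ip, label in classify(SAMPLE_LOG).items():
        print(ip, label)
```

The second and third clients differ only in the User-Agent header; their request pattern is the same, which is the distinguishing signal the message describes.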