Re: [Tails-dev] Faking htpdate user agent worth it?

Delete this message

Reply to this message
Autor: Jacob Appelbaum
Data:  
Para: tails-dev
Assunto: Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> Jacob Appelbaum:
>> adrelanos:
>>>>> Thus my suggestions:
>>>>> - Keep only header. Safe users traffic, Tor's traffic and website traffic.
>>>>> - Drop the user agent setting, it only gives a false sense of being in
>>>>> the same anonymity set as Tor Button.
>>>>
>>>> That is not the goal - the point is that you will say, drop that and no
>>>> one else will do so - so you will entirely stick out.
>>>
>>> Well, don't drop it individually or right away. Drop it in a new release.
>>>
>>
>> And I am saying - TBB won't drop their user agent. So you won't look
>> like them - you will look like you.
>
> What TBB does is not important for this case. You will look like wget,
> so or so. See below.


It is important to look like TBB or another case - if you use TBB to
fetch a single item - lets say an image like a favicon - I'd probably
want to match the headers it sends. Per request.

>
>>>>>
>>>>> [1] Not exactly impossible. The curl devs would have to change too much,
>>>>> extremely unlikely.
>>>>
>>>> I don't use curl with tlsdate.
>>>
>>> Replace curl with a placeholder for any command line downloader.
>>>
>>
>> I think you are confused.
>
> I don't want to deny the possibility.
>
>> If I send a GET request with all the headers
>> sent by say, Tor Browser, that *single* GET request should look
>> identical. That is my goal.
>
> A honorable goal.
>
> I made a quick test with Wireshare visiting cnn.com as an example. With
> Tor Browser I had the page open for 1 minute. It connects to at least 6
> different IPs (just saying no criticism), downloads (temporary to show
> in browser) lots of pictures. The log grows much faster.
>
> Then I issued "wget cnn.com". It only connects to two IPs (1
> redirection). The log is much smaller. Wget does not fetch pictures.
>


wget -m would but that is rather beside the point, I think.

> It's trivial for the website owner, if he wants to, to find out if his
> website gets visited with Tor Browser by a real user or if it gets
> downloaded with a tool like wget.
>


Not really. It is *possible* if someone using TBB to explicitly visit a
single page or fetch a single resource.

> If you use wget, you look like wget, no matter which user agent you
> choose. So what's the point for Tails to add extra identifying bits?
> (curl + Tor Button user agent)
>


The point is that not every single request needs to stand out - in
aggregate, yes, some people may look differently. I'd rather stand out
only in aggregate.

> I think the the user agent switcher feature of command line downloaders
> is not supposed to be a privacy feature. They probable added it to fetch
> different versions of sites, one for firefox, one for mobile phones and
> so on. This does not apply here, since you just want the header for the
> time.


I think you're confused still - a single GET request can be constructed
without the use of a library or another program.

All the best,
Jacob