著者: jvoisin 日付: To: tails-dev 題目: Re: [Tails-dev] Setting curl's user-agent to the same as Tor
Browser?
On 06/22/2014 11:32 AM, intrigeri wrote: > Hi,
>
> on the one hand, for an attacker that only looks at the user-agent
> header, telling curl to use the same value for it as the Tor Browser
> would make it part of a larger anonymity set.
>
> On the other hand, the fingerprint of curl probably differs in many
> other ways. So, for an attacker that looks at it more closely, a curl
> HTTP client pretending to be Firefox is part of a very small
> anonymity set.
>
> Against which one of these attackers do we want to optimize Tails for? I don't think that tweaking curl is a good idea:
- Making it looking like Firefox for HTTPS won't be an easy task, since
there is a lot of black-magic involved here.
- Against an active attacker, I'm quite sure that she'll find an oracle
anyway.
- A passive attacker on HTTP can most of the time becoming an active one.
So, the only case where this could be useful is clear-text http, which
you shouldn't use over Tor anyway.
