Re: [Tails-dev] Setting curl's user-agent to the same as Tor…

このメッセージを削除

このメッセージに返信
著者: jvoisin
日付:  
To: tails-dev
題目: Re: [Tails-dev] Setting curl's user-agent to the same as Tor Browser?
On 06/22/2014 11:32 AM, intrigeri wrote:
> Hi,
>
> on the one hand, for an attacker that only looks at the user-agent
> header, telling curl to use the same value for it as the Tor Browser
> would make it part of a larger anonymity set.
>
> On the other hand, the fingerprint of curl probably differs in many
> other ways. So, for an attacker that looks at it more closely, a curl
> HTTP client pretending to be Firefox is part of a very small
> anonymity set.
>
> Against which one of these attackers do we want to optimize Tails for?

I don't think that tweaking curl is a good idea:

- Making it looking like Firefox for HTTPS won't be an easy task, since
there is a lot of black-magic involved here.

- Against an active attacker, I'm quite sure that she'll find an oracle
anyway.

- A passive attacker on HTTP can most of the time becoming an active one.

So, the only case where this could be useful is clear-text http, which
you shouldn't use over Tor anyway.