On 06/24/2014 06:56 AM, Jacob Appelbaum wrote:
[snip interesting discussion of user-agents for human-driven HTTP clients]
> As for the system itself - I looked at `apt-get update` and found the
> following user agent during a fetch:
>
> GET /debian-backports/dists/squeeze-backports/Release.gpg HTTP/1.1
> Host: backports.debian.org
> Cache-Control: max-age=0
> User-Agent: Debian APT-HTTP/1.3 (0.8.10.3)
> Connection: keep-alive
>
> That seems like it is worth masking as well, especially since it runs
> as root!
While i doubt that changing the User-Agent here will concretely hurt
anything, an adversary who can observe the HTTP request for
squeeze-backports/Release.gpg (and the associated Release, Packages, etc
-- a very distinct traffic pattern) will able to guess with very high
certainty what version of APT is making the connections in the first place.
--dkg