Re: User-Agent strings, privacy and Debian browsers

2007-10-04 Thread Jeremiah Foster


On Oct 4, 2007, at 11:59 AM, Mark Brown wrote:

> On Thu, Oct 04, 2007 at 10:41:51AM +0200, Jeremiah Foster wrote:
>
> > This is most likely apocryphal. If there is any truth in the above link, it
> > has been blown way out of proportion. Nobody gets arrested for using lynx,
> > which is what that link says. There is little evidence to corroborate the
> > story so I would dismiss this as a red herring.
>
> It did make mainstream sites like the BBC:
>
>    http://news.bbc.co.uk/1/hi/england/london/4195339.stm

No it didn't. If you read that link carefully, you will find _no_
reference to lynx. Do not misrepresent the facts, people will become
confused.

The article mentioned above (and cited previously) merely talks about
someone who "attempted" to "hack" a BT site. This has nothing to do
with user agent strings.


Jeremiah


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: User-Agent strings, privacy and Debian browsers

2007-10-04 Thread Mark Brown
On Thu, Oct 04, 2007 at 10:41:51AM +0200, Jeremiah Foster wrote:

> This is most likely apocryphal. If there is any truth in the above link, it 
> has been blown way out of proportion. Nobody gets arrested for using lynx, 
> which is what that link says. There is little evidence to corroborate the 
> story so I would dismiss this as a red herring.

It did make mainstream sites like the BBC:

   http://news.bbc.co.uk/1/hi/england/london/4195339.stm

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."


signature.asc
Description: Digital signature


Re: User-Agent strings, privacy and Debian browsers

2007-10-04 Thread Jeremiah Foster


On Oct 1, 2007, at 7:59 PM, Moritz Muehlenhoff wrote:

> Joey Hess wrote:
> > Surely packages.debian.org is not a good example of a site with
> > generally few Debian users.
> >
> > The scenario seems more likely to me on small non-technical sites that
> > only a few Debian unstable users are likely to visit. For special fun,
> > try browsing from an unusual architecture; that's in the user-agent
> > string too.
>
> http://linuxreviews.org/news/2005/01/28_0001/

This is most likely apocryphal. If there is any truth in the above
link, it has been blown way out of proportion. Nobody gets arrested
for using lynx, which is what that link says. There is little
evidence to corroborate the story so I would dismiss this as a red
herring.


Jeremiah





Re: User-Agent strings, privacy and Debian browsers

2007-10-01 Thread Moritz Muehlenhoff
Joey Hess wrote:
> Surely packages.debian.org is not a good example of a site with
> generally few Debian users.
>
> The scenario seems more likely to me on small non-technical sites that
> only a few Debian unstable users are likely to visit. For special fun,
> try browsing from an unusual architecture; that's in the user-agent
> string too.

http://linuxreviews.org/news/2005/01/28_0001/ 

Cheers,
Moritz





Re: User-Agent strings, privacy and Debian browsers

2007-09-29 Thread Bernd Zeimetz
Sam Leon wrote:
> My only complaint is that a lot of website traffic analyzer programs pick
> up the debian iceweasel browser as "unknown browser" and "unknown
> operating system"


If they'd do their job right they'd look for the gecko engine and its
version and not on the name of the browser.

Compare those lines and tell me where the problem is that they're not
able to recognize the operating system right, just because it's called
Iceweasel.

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20070723 Iceweasel/2.0.0.6 (Debian-2.0.0.6-1)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7


I still can't see any fault of Debian here.

-- 
Bernd Zeimetz
<[EMAIL PROTECTED]> 





Re: User-Agent strings, privacy and Debian browsers

2007-09-28 Thread Ben Finney
Sam Leon <[EMAIL PROTECTED]> writes:

> My only complaint is that a lot of website traffic analyzer programs
> pick up the debian iceweasel browser as "unknown browser" and
> "unknown operating system"

That's a bug in those web sites, of course. They shouldn't even be
trying to sniff User-Agent to determine what document to send, they
should send a standards-compliant document.

I do appreciate, of course, that most sites with this bug also have
the "doesn't respond well to feedback" bug.

-- 
 \   "The generation of random numbers is too important to be left |
  `\ to chance."  -- Robert R. Coveyou |
_o__)  |
Ben Finney





Re: User-Agent strings, privacy and Debian browsers

2007-09-28 Thread Sam Leon
My only complaint is that a lot of website traffic analyzer programs pick 
up the debian iceweasel browser as "unknown browser" and "unknown 
operating system"



Sam





Re: User-Agent strings, privacy and Debian browsers

2007-09-27 Thread Drew Parsons
Peter Eckersley wrote:
> Consider for a moment a typical User-Agent string sent by a Debian web 
> browser:
> 
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 
> Iceape/1.1.4 (Debian-1.1.4-1)
> 
> Unfortunately, the fact that this information identifies a specific
> package and version of that package means that Debian users (already a
> select group) have their browsing identities further distinguished by
> their User-Agent strings.
> ...
> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?


From the other responses, it seems clear that we do not want to do this
for technical reasons.

Your concern addresses a potential social problem, not a technical
problem. Perhaps you will have more success getting us to appreciate
what you're trying to say if you can explain it more thoroughly in
social terms?  

That is, what problem are you trying to solve exactly? 

Can you provide actual examples where identification by User-Agent has
led to tangible harm, or may be reasonably expected to lead to harm in
the near future, rather than simply being some hypothetical tool
open to abuse by some future tyrannical government or corporation?

If we can be convinced the actual danger is real, then the technical
solution is of course trivial.

Drew





Re: User-Agent strings, privacy and Debian browsers

2007-09-27 Thread Michelle Konzack
On 2007-09-22 11:16:55, Peter Eckersley wrote:
> But maybe you use open wifi networks, and other Debian users also use
> those networks.  Maybe there are other Debian users behind your NAT.
> Maybe your friends come over sometimes and they also use Debian.  In
> those cases, standardising the User-Agent string increases the size of
> your anonymity sets for various activities.

...and if you have a faulty browser in your network?
(e.g. forgotten to make a security-update or an interrupted one)

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSN LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)


signature.pgp
Description: Digital signature


Re: User-Agent strings, privacy and Debian browsers

2007-09-27 Thread Michelle Konzack
Sorry for the late reply but currently I am porting a new architecture
and have not very much time...

On 2007-09-21 18:03:05, Peter Eckersley wrote:
> Consider for a moment a typical User-Agent string sent by a Debian web 
> browser:
> 
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 
> Iceape/1.1.4 (Debian-1.1.4-1)
> 
> Unfortunately, the fact that this information identifies a specific
> package and version of that package means that Debian users (already a
> select group) have their browsing identities further distinguished by
> their User-Agent strings.

Which is quite helpful IF YOU NEED complex websites which MUST work
with ANY browsers

> This means, in practice, that many sites will be able to track Debian
> users by their User-Agent, even if (say) the user is blocking cookies or
> limiting them to a single session and is changing IP address regularly.

Tracking $USER is not possible if you check the popularity-contest.
Meaning: there are 100s of thousands of Debian users using the same program.

> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?

Which leads to errors while trying to resolve bugs.

> Would there be any serious harm in terms of browser debugging?  Are
> there many sites which usefully treat different Gecko browsers
> differently?

Yes, at least my Website and some Intranet-Sites of the French military...

> As a far more hypothetical question, what would people think of picking
> a single User-Agent for Gecko-based browsers for a larger set of
> GNU/Linux distributions?  Obviously, there is much more politics there,
> because any distributions that joined would be losing the ability to
> measure their desktop market share by looking at web statistics.

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
   50, rue de Soultz MSN LinuxMichi
0033/6/6192519367100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: User-Agent strings, privacy and Debian browsers

2007-09-25 Thread Jeremiah Foster


On Sep 23, 2007, at 1:39 AM, Joerg Jaspert wrote:

> On 11150 March 1977, Peter Eckersley wrote:
>
> > > This is highly debateable. There may be tens or thousands of users of
> > > the same package visiting a web site.
> > I've seen reports from very large sites indicating that User-Agent
> > strings are almost as useful as cookies for tracking their users.
>
> I can't believe this. Looking at the stats from packages.debian.org - U-A
> is the worst possible way to "track users". Would be totally dumb to try
> something with U-A:

Whether it is dumb or not, it is widely used.

> Same for anything matching "Firefox/", has 467789 total hits,
> with more detail, first 15 rows we get
>   89003 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
>   51159 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>   21879 Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>   11289 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)
>   10975 Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>   10217 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
>    8542 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
>    7572 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>    6029 Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>    5379 Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>    4885 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>    4859 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>    4606 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
>    4549 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070919 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6
>    4472 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
>
> And that's a quick and very inaccurate way to do it. But it nicely shows
> that modifying your UA (or forcing others to do so) does not gain you or
> anyone else anything. The only effect you have is to make statistics
> more unusable than they already are.

I think that is the stated goal.


I am still not sure what the issue is from a privacy standpoint. Is  
it that the EFF fears that information in web server logs might point  
to a particular user because that user could be identified by the  
package number of the web browser they are using as stated in the UA  
string? This seems a pretty flimsy legal premise to identify someone  
before a court. Not least because that string is completely malleable.


Furthermore, the second that package gets updated, the string will  
change. Packages can change frequently, at least in comparison to new  
versions of debian itself. Any change from upstream should bump that  
version string you speak of, as well as a new package inside debian  
(the last bit of the version string is often the version of the  
debian package, if the package is not debian native. i.e. the -1  
ending in Debian-1.1.4-1). So the package version is a volatile  
string and not something that a web site analytics software tool  
(like yaalr for instance :) ) would use to effectively "track" the user.


Furthermore, it seems highly unlikely that a web site would drill  
down so low into the UA string to get this data and use that as a  
unique identification. What purpose would that serve? Certainly no  
web site relies on the package version number of Iceweasel or Firefox  
to be rendered correctly, and if so they would more likely look for  
the version string of the software itself, ignoring any debian  
packaging.


I could see one scenario where this might have relevance. That would  
be if the UA string was logged on several servers. For example, our  
hypothetical user goes to stealmp3.com and leaves her user string.  
Then she goes to hacktheNSA.org leaving her version string. She  
carefully refused any cookies and used different IP addresses, but  
the version string shows which version of the Iceweasel package she  
used and the authorities know that that package was only available in  
a two week period - coincidentally the same time as our user was  
surfing. The authorities (or RIAA) use this information to narrow  
down the network and potentially the location of the user (through  
geolocation perhaps, but that is also unreliable).


But this scenario seems highly implausible.

Jeremiah







Re: User-Agent strings, privacy and Debian browsers

2007-09-25 Thread Jeremiah Foster


On Sep 22, 2007, at 8:18 PM, Peter Eckersley wrote:

> On Sep 22, Marco D'Itri <[EMAIL PROTECTED]> wrote:
>
> > On Sep 22, Peter Eckersley <[EMAIL PROTECTED]> wrote:
> >
> > > This means, in practice, that many sites will be able to track
> > > Debian users by their User-Agent, even if (say) the user is blocking
> > > cookies or limiting them to a single session and is changing IP
> > > address regularly.
> >
> > This is highly debateable. There may be tens or thousands of users of
> > the same package visiting a web site.
>
> I've seen reports from very large sites indicating that User-Agent
> strings are almost as useful as cookies for tracking their users.

There is no question that many, if not all, web sites that track
visitors use the UA string in some way or other. Often it is used for
tracking and more commonly it is used to create work-arounds for
non-standard compliance. For example IE 6 has some quirky CSS behavior
that people often have to consider. Or people use the UA string with
the IP and create a hash that is the 'signature' of the visitor. This
of course breaks easily but it is still done.


Jeremiah





Re: User-Agent strings, privacy and Debian browsers

2007-09-23 Thread Martin Uecker
Joey Hess <[EMAIL PROTECTED]>:
> Joerg Jaspert wrote:
> > > On 11150 March 1977, Peter Eckersley wrote:
> > > > I've seen reports from very large sites indicating that
> > > > User-Agent
> > > > strings are almost as useful as cookies for tracking their
> > > > users.
> > > 
> > > I can't believe this. Looking at the stats from packages.debian.org
> > > - U-A
> > > is the worst possible way to "track users". Would be totally dumb
> > > to try
> > > something with U-A:
> >
> > Surely packages.debian.org is not a good example of a site with
> > generally few Debian users.

Anyway, you would combine User-Agent with other clues.

Martin






Re: User-Agent strings, privacy and Debian browsers

2007-09-23 Thread Mark Brown
On Sat, Sep 22, 2007 at 12:39:25PM -0700, Peter Eckersley wrote:
> On Sat, Sep 22, 2007  at 11:36:41 +0100, Mark Brown wrote:

> > I would strongly expect that any user sufficiently concerned about
> > these issues to take active steps like those would be willing to use

> I think this misunderstands the problem.  Having stronger privacy is
> like an insurance policy: most of the people who end up having needed it
> never knew they were going to need it.  So they weren't going to have
> gone out and installed Privoxy (maybe with Tor) /and/ then examined it
> closely enough to realise that it doesn't alter their User-Agent by
> default, and configured it to masquerade as Firefox on Windows or
> something. 

That sounds like an argument for improving the default configuration of
privoxy and similar tools more than anything else.  Like I say, you're
explicitly talking about users who have already taken active steps to
protect their privacy.

> Which brings us to a separate point: it's no use to have Privoxy
> configured to block User-Agent strings, since that means you'll be the
> one person with no User-Agent, which gives you an even smaller anonymity
> sets than the default debian packages.  Yes, smart users will copy

Right; I've never actually seen an implementation of this feature that
didn't substitute in a new browser string rather than simply removing
the existing one.  This feature is more commonly used to work around
browser detection in web sites than for privacy reasons so most
implementations actually come with a pre-prepared list of common user
agent strings and offer the ability to specify something else only as an
advanced option.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."




Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Joey Hess
Joerg Jaspert wrote:
> On 11150 March 1977, Peter Eckersley wrote:
> > I've seen reports from very large sites indicating that User-Agent
> > strings are almost as useful as cookies for tracking their users.
> 
> I can't believe this. Looking at the stats from packages.debian.org - U-A
> is the worst possible way to "track users". Would be totally dumb to try
> something with U-A:

Surely packages.debian.org is not a good example of a site with
generally few Debian users.

The scenario seems more likely to me on small non-technical sites that
only a few Debian unstable users are likely to visit. For special fun,
try browsing from an unusual architecture; that's in the user-agent
string too.

-- 
see shy jo




Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Joerg Jaspert
On 11150 March 1977, Peter Eckersley wrote:

>> This is highly debateable. There may be tens or thousands of users of
>> the same package visiting a web site.
> I've seen reports from very large sites indicating that User-Agent
> strings are almost as useful as cookies for tracking their users.

I can't believe this. Looking at the stats from packages.debian.org - U-A
is the worst possible way to "track users". Would be totally dumb to try
something with U-A:

Let's take the access log from packages.debian.org which starts at
20/Sep/2007:06:55:10 + which has 2576180 lines in it right now.

Looking for "MSIE 6.0" we have 97961 hits,
with more detail, first 15 rows we get
  13756 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  12985 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
   6252 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
   6048 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
   4627 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
   4505 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
   3371 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
   2321 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
   1724 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
   1335 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
   1309 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
   1256 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
   1235 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
   1196 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
    909 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1)

which is most of them.

Same for anything matching "Firefox/", has 467789 total hits,
with more detail, first 15 rows we get
  89003 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
  51159 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
  21879 Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
  11289 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)
  10975 Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
  10217 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
   8542 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)
   7572 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
   6029 Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
   5379 Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
   4885 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
   4859 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
   4606 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
   4549 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070919 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6
   4472 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

And that's a quick and very inaccurate way to do it. But it nicely shows
that modifying your UA (or forcing others to do so) does not gain you or
anyone else anything. The only effect you have is to make statistics
more unusable than they already are. That's not worth to invest the work
this suggestion would need, even if it would only be a simple change. :)


-- 
bye Joerg
>Starting network management services:
>   Warning: -s option is deprecated, use -Lsd instead
Uah. snmpd on drugs.
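
Added example (not part of the original thread, and not code any poster ran): the per-User-Agent counting above, extended to report the size of each anonymity set and its surprisal in bits, before and after all Debian-built Gecko browsers send one shared string. The log lines, the i686 Iceweasel variant and `GENERIC_DEBIAN_UA` are constructed assumptions, and each request is treated as one visitor, the same simplification as counting log hits.

```python
import math
import re
from collections import Counter

# User-Agent values quoted in the thread.
UA_ICEAPE = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) "
             "Gecko/20070802 Iceape/1.1.4 (Debian-1.1.4-1)")
UA_ICEWEASEL_64 = ("Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) "
                   "Gecko/20070723 Iceweasel/2.0.0.6 (Debian-2.0.0.6-1)")
UA_FIREFOX_WIN = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) "
                  "Gecko/20070914 Firefox/2.0.0.7")
UA_MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
# Constructed variant: the Iceweasel string above with the architecture changed.
UA_ICEWEASEL_32 = UA_ICEWEASEL_64.replace("x86_64", "i686")

# Hypothetical shared string; the thread never settles on a concrete value.
GENERIC_DEBIAN_UA = "Mozilla/5.0 (X11; U; Linux) Gecko (Debian)"


def log_line(n, ua):
    """Build one constructed Apache combined-format line (TEST-NET-1 address)."""
    return (f'192.0.2.{n} - - [20/Sep/2007:06:55:10 +0000] '
            f'"GET / HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed log of 16 requests. Only the UA strings come from the thread.
SAMPLE_LOG = [log_line(i, ua) for i, ua in enumerate(
    [UA_MSIE] * 8 + [UA_FIREFOX_WIN] * 5
    + [UA_ICEAPE, UA_ICEWEASEL_64, UA_ICEWEASEL_32], start=1)]

# Last quoted field of a combined-format line is the User-Agent.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
# Debian packaging suffix, e.g. (Debian-1.1.4-1).
DEBIAN_BUILD = re.compile(r"\(Debian-[^)]*\)")


def user_agents(lines):
    """Yield the User-Agent of each parsable line; skip malformed ones."""
    for line in lines:
        m = UA_FIELD.search(line)
        if m:
            yield m.group(1)


def anonymity_sets(uas):
    """Map each UA to (set size, surprisal in bits) over the observed requests."""
    counts = Counter(uas)
    total = sum(counts.values())
    return {ua: (n, math.log2(total / n)) for ua, n in counts.items()}


def standardise(ua):
    """Model the proposal: every Debian-built Gecko browser sends one string."""
    return GENERIC_DEBIAN_UA if DEBIAN_BUILD.search(ua) else ua


def compare(lines):
    """Return (before, after) anonymity-set tables for the same traffic."""
    uas = list(user_agents(lines))
    return anonymity_sets(uas), anonymity_sets(standardise(u) for u in uas)


if __name__ == "__main__":
    before, after = compare(SAMPLE_LOG)
    for label, table in (("as sent", before), ("standardised", after)):
        print(label)
        for ua, (n, bits) in sorted(table.items(), key=lambda kv: kv[1][0]):
            print(f"  {n:3d} requests  {bits:4.2f} bits  {ua}")
```

On a site with few Debian visitors, each distinct package string is a set of one; merging them enlarges the set but leaves it far smaller than the mainstream browser sets, which is the trade-off the thread is arguing about.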





Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Eduardo Trápani

> Consider for a moment a typical User-Agent string sent by a Debian web browser:
>
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 Iceape/1.1.4 (Debian-1.1.4-1)


I agree that it is a bit too verbose and it might even be a security 
problem, but reaching consensus on what portions of string to strip off 
is not going to be easy.


Maybe there could be a low priority question when installing the 
browser.  The use of phishing could be there too (another privacy 
problem) for iceweasel.


- choose your user agent: Mozilla/5.0 | Mozilla/5.0 (X11; U; Linux) | ...

- do you want to use Google-based phishing detection?  A list of known 
phishing sites will be downloaded from Google every 30 minutes: yes|no


Anyway, as somebody pointed out already, if nobody else uses shorter 
user-agents, being *the* user with the "Mozilla/5.0" user-agent might be 
even more identifiable than being a Debian user on a platform other than 
i386.  But as time goes by more users will have that kind of user-agent, 
I guess.  I would.


Eduardo





Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Roberto C . Sánchez
On Sat, Sep 22, 2007 at 12:39:25PM -0700, Peter Eckersley wrote:
> On Sat, Sep 22, 2007  at 11:36:41 +0100, Mark Brown wrote:
> > 
> > > This means, in practice, that many sites will be able to track
> > > Debian users by their User-Agent, even if (say) the user is blocking
> > > cookies or limiting them to a single session and is changing IP
> > > address regularly.
> > 
> > I would strongly expect that any user sufficiently concerned about
> > these issues to take active steps like those would be willing to use
> > things like either the user agent configuration available one way or
> > another in most browsers or something like privoxy (possibly in
> > conjunction with tor) which will do the same things and more.
> 
> I think this misunderstands the problem.  Having stronger privacy is
> like an insurance policy: most of the people who end up having needed it
> never knew they were going to need it.  So they weren't going to have
> gone out and installed Privoxy (maybe with Tor) /and/ then examined it
> closely enough to realise that it doesn't alter their User-Agent by
> default, and configured it to masquerade as Firefox on Windows or
> something. 
> 
I have a feeling that you misunderstand the problem.

(Bad analogy time).

If you drive a Ford F-150 pickup truck and remove all the Ford badging
(the oval, the F-150 badge, etc), then does that make you any more
anonymous?  If you drive it around town, No.  You still have the same
license plate.  Your truck is still recognizable as a Ford F-150.
Besides that, the people who are interested in tracking you are able to
track you based on other things as well.

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Peter Eckersley
On Sat, Sep 22, 2007  at 11:36:41 +0100, Mark Brown wrote:
> 
> > This means, in practice, that many sites will be able to track
> > Debian users by their User-Agent, even if (say) the user is blocking
> > cookies or limiting them to a single session and is changing IP
> > address regularly.
> 
> I would strongly expect that any user sufficiently concerned about
> these issues to take active steps like those would be willing to use
> things like either the user agent configuration available one way or
> another in most browsers or something like privoxy (possibly in
> conjunction with tor) which will do the same things and more.

I think this misunderstands the problem.  Having stronger privacy is
like an insurance policy: most of the people who end up having needed it
never knew they were going to need it.  So they weren't going to have
gone out and installed Privoxy (maybe with Tor) /and/ then examined it
closely enough to realise that it doesn't alter their User-Agent by
default, and configured it to masquerade as Firefox on Windows or
something. 

Which brings us to a separate point: it's no use to have Privoxy
configured to block User-Agent strings, since that means you'll be the
one person with no User-Agent, which gives you an even smaller anonymity
sets than the default debian packages.  Yes, smart users will copy
Firefox on Windows, which works -- so long as there isn't one little
thing about their browser which gives away their platform.  Cos then,
they can be identified as the one guy running Iceweasel masquerading as
Firefox on Windows.  Also, plenty of debian users would have 

It really does help to have larger groups of people whose browsers are
behaving the same way by default.  In the case of Privoxy, this would
mean having all of the default Privoxy distributions (and especially
those that are shipped with Tor) use a single User-Agent.  We were also
planning to send those trivial Privoxy configuration patches, it'd be
great if we could get the community to standardise on "Mozilla/5.0
(Privoxy)" or something.

-- 
Peter Eckersley                 [EMAIL PROTECTED]
Staff Technologist              Tel  +1 415 436 9333 x131
Electronic Frontier Foundation  Fax  +1 415 436 9993





Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Peter Eckersley
On Sep 22, Marco D'Itri <[EMAIL PROTECTED]> wrote:

> On Sep 22, Peter Eckersley <[EMAIL PROTECTED]> wrote:
> 
> > This means, in practice, that many sites will be able to track
> > Debian users by their User-Agent, even if (say) the user is blocking
> > cookies or limiting them to a single session and is changing IP
> > address regularly.
>
> This is highly debateable. There may be tens or thousands of users of
> the same package visiting a web site.

I've seen reports from very large sites indicating that User-Agent
strings are almost as useful as cookies for tracking their users.

> > Would there be any serious harm in terms of browser debugging?  Are
>
> Yes. For no real gain, it would make debugging harder and make
> statistics much less useful.
>
When do you need statistics about how many Debian users are using which
versions of which browser package?

As for debugging, I agree that there's an issue here, which is why I
asked the question.  But some evidence would be useful... does anyone
know any browser or site bugs that have been solved because the site
operator could see the version of a random visiting Debian browser?

--
Peter Eckersley                 [EMAIL PROTECTED]
Staff Technologist              Tel  +1 415 436 9333 x131
Electronic Frontier Foundation  Fax  +1 415 436 9993





Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Peter Eckersley
Yes and no.  Although IP addresses are a better tracking mechanism than
User-Agent strings, each of them makes the other more effective.  If you
always browse from one IP, and all the other people at that IP use
Windows, then this doesn't help you.  

But maybe you use open wifi networks, and other Debian users also use
those networks.  Maybe there are other Debian users behind your NAT.
Maybe your friends come over sometimes and they also use Debian.  In
those cases, standardising the User-Agent string increases the size of
your anonymity sets for various activities.

On Sep 21, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:

>
> It would be sort of pointless unless we could find a way to all browse
> from the same IP address.
> 
> Regards,
> 
> -Roberto


-- 
Peter Eckersley                  [EMAIL PROTECTED]
Staff Technologist               Tel  +1 415 436 9333 x131
Electronic Frontier Foundation   Fax  +1 415 436 9993


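The anonymity-set argument in the message above, worked through on a constructed visitor list. This is an added example, not code from the thread; the unified string, the Iceweasel string, the visitor names and the IP addresses are assumptions, and only the Iceape string comes from the original post.

```python
import re
from collections import Counter

# Hypothetical unified string: the thread proposes the idea but names no value.
UNIFIED_UA = "Mozilla/5.0 (X11; U; Linux; en-US) Gecko (Debian)"

# Matches a Gecko User-Agent that ends in a Debian package comment such as
# "(Debian-1.1.4-1)", like the Iceape string quoted in the thread.
DEBIAN_GECKO = re.compile(r"Gecko/\d+ .*\(Debian-[^)]+\)\s*$")

def unify(ua):
    """Collapse every Debian Gecko User-Agent to one string; keep the rest."""
    return UNIFIED_UA if DEBIAN_GECKO.search(ua) else ua

def anonymity_sets(visitors, normalise=lambda ua: ua):
    """Map each visitor to the number of visitors (itself included) that
    present the same (IP, User-Agent) pair to the site."""
    def key(v):
        return (v[1], normalise(v[2]))
    counts = Counter(key(v) for v in visitors)
    return {v[0]: counts[key(v)] for v in visitors}

ICEAPE = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) "
          "Gecko/20070802 Iceape/1.1.4 (Debian-1.1.4-1)")        # from the post
ICEWEASEL = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) "
             "Gecko/20070723 Iceweasel/2.0.0.6 (Debian-2.0.0.6-1)")  # constructed
MSIE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"      # constructed

# Constructed sample: (visitor, ip, user_agent); IPs are documentation ranges.
VISITORS = [
    ("alice", "192.0.2.10", ICEAPE),      # shared NAT / open wifi
    ("bob",   "192.0.2.10", ICEWEASEL),   # second Debian user, same IP
    ("carol", "192.0.2.10", MSIE),
    ("dave",  "198.51.100.7", ICEAPE),    # only Debian user at this IP
    ("erin",  "198.51.100.7", MSIE),
]

if __name__ == "__main__":
    before = anonymity_sets(VISITORS)
    after = anonymity_sets(VISITORS, unify)
    for name in before:
        print(f"{name:6} set size {before[name]} -> {after[name]}")
```

Behind the shared address the two Debian users become indistinguishable once the string is unified, while the lone Debian user at the second address gains nothing, which is the case raised in the quoted reply.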



Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Mark Brown
On Fri, Sep 21, 2007 at 06:03:05PM -0700, Peter Eckersley wrote:

> This means, in practice, that many sites will be able to track Debian
> users by their User-Agent, even if (say) the user is blocking cookies or
> limiting them to a single session and is changing IP address regularly.

I would strongly expect that any user sufficiently concerned about these
issues to take active steps like those would be willing to use things
like either the user agent configuration available one way or another
in most browsers or something like privoxy (possibly in conjunction with
tor) which will do the same things and more.

> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?

I don't personally think it's worth it.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."




Re: User-Agent strings, privacy and Debian browsers

2007-09-22 Thread Osamu Aoki
Hi,

I think one technical solution which seems to be good to one person may
not be a good one for others.

You must think of a realistic solution which does not affect others in any
negative way and possibly gives more benefits than just solving your own
corner case problem.

On Fri, Sep 21, 2007 at 06:03:05PM -0700, Peter Eckersley wrote:
> Consider for a moment a typical User-Agent string sent by a Debian web 
> browser:
> 
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 Iceape/1.1.4 (Debian-1.1.4-1)
> 
> Unfortunately, the fact that this information identifies a specific
> package and version of that package means that Debian users (already a
> select group) have their browsing identities further distinguished by
> their User-Agent strings.

If you consider this unfortunate, it must be so for you.
Although I feel differently, I understand you care about this.

> This means, in practice, that many sites will be able to track Debian
> users by their User-Agent, even if (say) the user is blocking cookies or
> limiting them to a single session and is changing IP address regularly.
> 
> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?

Why do you force your own needs on others who do not need this feature?
You may be the only Debian user in the IP range, then your risk exposure
in your sense is still higher.

> Would there be any serious harm in terms of browser debugging?  Are
> there many sites which usefully treat different Gecko browsers
> differently?
> 
> As a far more hypothetical question, what would people think of picking
> a single User-Agent for Gecko-based browsers for a larger set of
> GNU/Linux distributions?  Obviously, there is much more politics there,
> because any distributions that joined would be losing the ability to
> measure their desktop market share by looking at web statistics.

What you need is some kind of optional browser plug-in program which
will let you select the User-Agent string.

I know some web sites only accept some OS or browser.  So the ability to
masquerade your system will let you access those sites pretending to be
a different User-Agent/OS :-)  That will benefit not just the security
ultraconscious like you but also have a real practical advantage.

> Peter Eckersley                  [EMAIL PROTECTED]
> Staff Technologist               Tel  +1 415 436 9333 x131

Please think about creating such a plug-in :-)

(Hmmm... such a plug-in may already exist...)

 http://chrispederick.com/work/user-agent-switcher/

Also there is a good list of strings to choose from.

 http://www.testingreflections.com/node/view/5125

There seems to be a problem installing it on Debian:
 
http://forums.debian.net/viewtopic.php?p=19231&sid=beb199fd158d6235839dfc0676b9e6cf

Maybe you can work with the maintainers of the packages to pre-include this
user-agent-switcher in the Debian distribution since this is GPL2.

Osamu





Re: User-Agent strings, privacy and Debian browsers

2007-09-21 Thread Marco d'Itri
On Sep 22, Peter Eckersley <[EMAIL PROTECTED]> wrote:

> This means, in practice, that many sites will be able to track Debian
> users by their User-Agent, even if (say) the user is blocking cookies or
> limiting them to a single session and is changing IP address regularly.
This is highly debatable. There may be tens or thousands of users of
the same package visiting a web site.

> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?
It's a bad idea. Please do not try to fuck up browsers.

> Would there be any serious harm in terms of browser debugging?  Are
Yes. For no real gain, it would make debugging harder and make
statistics much less useful.

> there many sites which usefully treat different Gecko browsers
> differently?
It's probably a number small enough to not be relevant in any decision.
Using the User-Agent string instead of proper functional testing is
badly broken anyway and is not the reason for User-Agent and similar
headers in other protocols.

> As a far more hypothetical question, what would people think of picking
> a single User-Agent for Gecko-based browsers for a larger set of
> GNU/Linux distributions?
A waste of time for us, but I am sure that you could use it to make some
nice PR to justify your job.

-- 
ciao,
Marco




Re: User-Agent strings, privacy and Debian browsers

2007-09-21 Thread Roberto C . Sánchez
On Fri, Sep 21, 2007 at 06:03:05PM -0700, Peter Eckersley wrote:
> 
> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?
> 
It would be sort of pointless unless we could find a way to all browse
from the same IP address.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




User-Agent strings, privacy and Debian browsers

2007-09-21 Thread Peter Eckersley
Consider for a moment a typical User-Agent string sent by a Debian web browser:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 Iceape/1.1.4 (Debian-1.1.4-1)

Unfortunately, the fact that this information identifies a specific
package and version of that package means that Debian users (already a
select group) have their browsing identities further distinguished by
their User-Agent strings.

This means, in practice, that many sites will be able to track Debian
users by their User-Agent, even if (say) the user is blocking cookies or
limiting them to a single session and is changing IP address regularly.

What do people think of picking a single User-Agent string for all
versions of all of Debian's Gecko-based browsers?

Would there be any serious harm in terms of browser debugging?  Are
there many sites which usefully treat different Gecko browsers
differently?

As a far more hypothetical question, what would people think of picking
a single User-Agent for Gecko-based browsers for a larger set of
GNU/Linux distributions?  Obviously, there is much more politics there,
because any distributions that joined would be losing the ability to
measure their desktop market share by looking at web statistics.

-- 
Peter Eckersley                  [EMAIL PROTECTED]
Staff Technologist               Tel  +1 415 436 9333 x131
Electronic Frontier Foundation   Fax  +1 415 436 9993

