Re: [Tails-dev] Faking htpdate user agent worth it?
anonym:
> intrigeri:
>> So I hereby propose we stop tweaking the HTTP User-Agent sent
>> by htpdate.
>
> I agree.

https://labs.riseup.net/code/issues/12023

___
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Faking htpdate user agent worth it?
intrigeri:
> So I hereby propose we stop tweaking the HTTP User-Agent sent
> by htpdate.

I agree.

Cheers!
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

intrigeri (4 years ago):
> anonym wrote (15 Oct 2012 13:14:24 GMT) :
>> OTOH it becomes easier to fingerprint Tails users on their side of
>> the pipe, which arguably is worse. Three *full* fetches of known web
>> sites are *much* more distinguishable than three header fetches of
>> known web sites, so Tails' startup traffic flow then becomes
>> a distinctive pattern to look for. Think "Bayesian classifiers"
>> which was all the rage a year or two ago.
> In case it was not clear: what is proposed is a GET of the page only,
> not going back to "wget --mirror" and fetch the page and all related
> resources.
> Web browsing recognition based on known traffic patterns I've read
> about was based on page + resources fetches, which provide quite more
> room traffic/time data to work on.
> How well would this class of attacks do with a HTML page fetch or
> three? (Not a rhetorical question :)

I'm dropping this idea, and closed #5924 as rejected.

But I'd like to go back to adrelanos' initial point, from which we have
derailed at some point, by trying to fix in a different way (looking
even more like Tor Browser) the problem he was raising.

tl;dr: assuming that Tor Browser basically never issues HTTP HEAD
requests, our current usage of htpdate, that pretends being Tor Browser,
makes it stand out of other users of curl over Tor.

So I hereby propose we stop tweaking the HTTP User-Agent sent by
htpdate.

Cheers!
--
intrigeri
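The tl;dr above can be checked on a server log. The following is an added example, not code from the thread or from Tails: it counts how many requests share htpdate's (method, User-Agent) pair in a constructed access.log. The User-Agent strings, addresses and traffic mix are constructed assumptions; the only inputs taken from the thread are that Tor Browser sends GET and htpdate sends HEAD.

```python
"""Anonymity-set sizing over a constructed access.log (added example)."""
import re
from collections import Counter

# Constructed stand-in values; neither is a captured User-Agent string.
BROWSER_UA = "Mozilla/5.0 (constructed Tor Browser stand-in)"
CURL_UA = "curl/7.0 (constructed stand-in)"

# Combined log format:
# host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def log_line(host, method, agent, size):
    """Build one constructed combined-format log line."""
    return (f'{host} - - [15/Oct/2012:13:14:24 +0000] '
            f'"{method} / HTTP/1.1" 200 {size} "-" "{agent}"')


def build_log(htpdate_agent):
    """Constructed traffic mix seen by one pool member through Tor exits.

    Assumptions: Tor Browser only sends GET; some other Tor users run
    curl with and without --head; htpdate contributes a single HEAD.
    """
    lines = [log_line(f"192.0.2.{i}", "GET", BROWSER_UA, 5120)
             for i in range(1, 9)]
    lines += [log_line(f"198.51.100.{i}", "GET", CURL_UA, 5120)
              for i in range(1, 4)]
    lines += [log_line(f"198.51.100.{i}", "HEAD", CURL_UA, "-")
              for i in range(4, 8)]
    lines.append(log_line("203.0.113.7", "HEAD", htpdate_agent, "-"))
    lines.append("corrupt line that must be skipped, not crash the parser")
    return lines


def anonymity_sets(lines):
    """Count requests per (method, User-Agent) pair; skip unparsable lines."""
    sets = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            sets[(m["method"], m["agent"])] += 1
    return sets


def htpdate_set_size(htpdate_agent):
    """Size of the (method, agent) bucket that htpdate's request falls into."""
    return anonymity_sets(build_log(htpdate_agent))[("HEAD", htpdate_agent)]


def singletons(lines):
    """Buckets holding exactly one request: what stands out on a single line."""
    return sorted(k for k, n in anonymity_sets(lines).items() if n == 1)


if __name__ == "__main__":
    for label, agent in (("spoofed browser UA", BROWSER_UA),
                         ("default curl UA", CURL_UA)):
        others = htpdate_set_size(agent) - 1
        print(f"{label}: htpdate shares its bucket with {others} other request(s)")
```

With the spoofed browser User-Agent the HEAD request sits alone in its bucket; with curl's own User-Agent it shares a bucket with the other curl HEAD requests in this constructed mix.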
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

adrelanos wrote (01 Dec 2012 15:53:06 GMT) :
> Using Tor Browser through command line to view and save the website.
> This should perfectly emulate Tor Browser. Any idea how Firefox could be
> interfaced? As far as I know it has no command line option for this.

I guess Selenium should allow to do so.
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi!

Some new thoughts...

Using Tor Browser through command line to view and save the website.
This should perfectly emulate Tor Browser. Any idea how Firefox could be
interfaced? As far as I know it has no command line option for this.

If an interface to Firefox is too difficult... What other browsers have
a common fingerprint, a command line interface and are already
frequently used over Tor? Some Android browsers perhaps? Which do also
run in Debian?

Cheers,
adrelanos
Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> intrigeri:
>>> This page reads "fingerprinting based on the known traffic pattern
>>> when fetching the full page of any of the members of Tails' HTP source
>>> pools is not possible"; I've always understood, in this sentence, "the
>>> full page" as meaning "the page + all external resources it requires".
>>
>> Ping?
>
> From my tests with wget it never downloaded external resources.

Remembering now... Was the same with wget.
Re: [Tails-dev] Faking htpdate user agent worth it?
intrigeri:
>> This page reads "fingerprinting based on the known traffic pattern
>> when fetching the full page of any of the members of Tails' HTP source
>> pools is not possible"; I've always understood, in this sentence, "the
>> full page" as meaning "the page + all external resources it requires".
>
> Ping?

From my tests with wget it never downloaded external resources.
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

(Let's get rid of this old stalled discussion and free some mental space
of ours.)

intrigeri wrote (21 Oct 2012 08:57:55 GMT) :
> anonym wrote (15 Oct 2012 13:14:24 GMT) :
>> OTOH it becomes easier to fingerprint Tails users on their side of
>> the pipe, which arguably is worse. Three *full* fetches of known web
>> sites are *much* more distinguishable than three header fetches of
>> known web sites, so Tails' startup traffic flow then becomes
>> a distinctive pattern to look for. Think "Bayesian classifiers"
>> which was all the rage a year or two ago.
> In case it was not clear: what is proposed is a GET of the page only,
> not going back to "wget --mirror" and fetch the page and all related
> resources.
> Web browsing recognition based on known traffic patterns I've read
> about was based on page + resources fetches, which provide quite more
> room traffic/time data to work on.
> How well would this class of attacks do with a HTML page fetch or
> three? (Not a rhetorical question :)
>> The fact that Tails' current htpdate should be (relatively) safe from
>> fingerprinting since it only fetches headers is already documented here:
>> contribute/design/Time_syncing/#index5h1.
> This page reads "fingerprinting based on the known traffic pattern
> when fetching the full page of any of the members of Tails' HTP source
> pools is not possible"; I've always understood, in this sentence, "the
> full page" as meaning "the page + all external resources it requires".

Ping?

Cheers,
--
intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

anonym wrote (15 Oct 2012 13:14:24 GMT) :
> OTOH it becomes easier to fingerprint Tails users on their side of
> the pipe, which arguably is worse. Three *full* fetches of known web
> sites are *much* more distinguishable than three header fetches of
> known web sites, so Tails' startup traffic flow then becomes
> a distinctive pattern to look for. Think "Bayesian classifiers"
> which was all the rage a year or two ago.

In case it was not clear: what is proposed is a GET of the page only,
not going back to "wget --mirror" and fetch the page and all related
resources.

Web browsing recognition based on known traffic patterns I've read
about was based on page + resources fetches, which provide quite more
room traffic/time data to work on.

How well would this class of attacks do with a HTML page fetch or
three? (Not a rhetorical question :)

> The fact that Tails' current htpdate should be (relatively) safe from
> fingerprinting since it only fetches headers is already documented here:
> contribute/design/Time_syncing/#index5h1.

This page reads "fingerprinting based on the known traffic pattern
when fetching the full page of any of the members of Tails' HTP source
pools is not possible"; I've always understood, in this sentence, "the
full page" as meaning "the page + all external resources it requires".

Cheers!
--
intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [Tails-dev] Faking htpdate user agent worth it?
14/10/12 14:28, intrigeri wrote:
> Hi,
>
> Ague Mill wrote (01 Oct 2012 09:27:09 GMT) :
>> I think the overhead of not using '--head' and doing a full GET
>> would be marginal. It would make it at least a little bit harder to
>> distinguish from other requests.
>
> Fully agreed: this would make Tails' htpdate harder to distinguish
> from the TBB at the level of a single request / access.log line,
> and only stand out in aggregate.

OTOH it becomes easier to fingerprint Tails users on their side of
the pipe, which arguably is worse. Three *full* fetches of known web
sites are *much* more distinguishable than three header fetches of
known web sites, so Tails' startup traffic flow then becomes
a distinctive pattern to look for. Think "Bayesian classifiers"
which was all the rage a year or two ago.

The fact that Tails' current htpdate should be (relatively) safe from
fingerprinting since it only fetches headers is already documented here:
contribute/design/Time_syncing/#index5h1.

Slightly off-topic: Reading the above design doc made me think about
how recent changes in Tails may have affected it. Since the introduction
of stream isolation (Tails 0.14~rc1), htpdate (and other Tails-specific
applications) uses a SocksPort with IsolateDestAddr, so no circuit
sharing occurs between fetches. Will this make htpdate fingerprinting
even easier when combined with full fetches?

* *Without* circuit sharing I imagine that the eavesdropper only has to
  measure the traffic flow of a full fetch for each individual pool
  member and store this info for future comparisons (when an IP address
  shows three of these flows, it's a Tails user with large probability).
* *With* circuit sharing the eavesdropper would need to measure the
  traffic flow of fetching all combinations of three pool members
  instead. Hmm. On second thought I suppose it's easy to take the
  individual measurements from the previous point and create all
  combinations of three from them...

Well, I don't feel convinced by my own argument for stream isolation
being an issue for htpdate + full fetches, but let me just throw this
thought out there for others to ponder upon to be sure.

However, I do get the impression that stream isolation => loss of
circuit sharing may make htpdate easier to fingerprint in general. Full
fetch or not, each boot resulting in three different circuits being used
simultaneously seems more distinguishable than each boot resulting in
just a single circuit being used. OTOH, I'm a bit unsure whether Tor
guarantees that simultaneous fetches must share the same circuit when
stream isolation isn't used. If there's no such guarantee, then we
obviously shouldn't base our assumptions on it.

Cheers!
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

Ague Mill wrote (01 Oct 2012 09:27:09 GMT) :
> I think the overhead of not using '--head' and doing a full GET
> would be marginal. It would make it at least a little bit harder to
> distinguish from other requests.

Fully agreed: this would make Tails' htpdate harder to distinguish
from the TBB at the level of a single request / access.log line,
and only stand out in aggregate.

I created todo/have_htpdate_send_GET_instead_of_HEAD, tagged
todo/discuss until we reach consensus here.

Once this part is sorted out, both "looking more like Torbrowser at the
level of a single request" (by constructing the request by hand) and
"looking more like Torbrowser in aggregate" would probably be nice to
have too (maintainable patches welcome!), but quite low priority IMHO in
our current roadmap: https://tails.boum.org/contribute/roadmap/

Cheers,
--
intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [Tails-dev] Faking htpdate user agent worth it?
My first post!

Speaking of the Appelbaum, check out this time daemon he wrote:
https://github.com/ioerror/tlsdate

It's not in Debian repos, which is a strike against using it for Tails.
But leaking DNS is pretty bad.

--D

On 10/3/12 2:47 PM, intrigeri wrote:
> Hi,
>
> Jacob Appelbaum wrote (01 Oct 2012 01:09:48 GMT):
> [ about curl ]
>> In some testing we did, we found that it leaked DNS basically
>> everywhere unless you used some kind of HTTP proxy. :(
> I'm curious what version of curl exposes that, and:
>
> * Does curl's socks5h:// act like socks5:// ?
> (if using --proxy with a recent enough curl)
>
> and/or
>
> * Does this happen with the old-style options?
> (--socks5-hostname vs. --socks5)
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

Jacob Appelbaum wrote (01 Oct 2012 01:09:48 GMT):
[ about curl ]
> In some testing we did, we found that it leaked DNS basically
> everywhere unless you used some kind of HTTP proxy. :(

I'm curious what version of curl exposes that, and:

* Does curl's socks5h:// act like socks5:// ?
  (if using --proxy with a recent enough curl)

and/or

* Does this happen with the old-style options?
  (--socks5-hostname vs. --socks5)
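The two curl modes asked about above differ in what reaches the SOCKS5 proxy: as curl documents them, socks5h:// and --socks5-hostname hand the hostname to the proxy, while socks5:// and --socks5 resolve it locally and send an IP address. The following is an added example, not from the thread and not a test of any curl version: it builds both RFC 1928 CONNECT requests and classifies a request by its address type. The hostname and address are constructed documentation values.

```python
"""SOCKS5 CONNECT requests with proxy-side vs. local name resolution."""
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928, section 4


def build_connect(dest, port, remote_dns):
    """Build the CONNECT request sent after SOCKS5 method negotiation.

    remote_dns=True models socks5h:// (--socks5-hostname): the name itself
    goes to the proxy. remote_dns=False models socks5:// (--socks5): the
    client must already hold an IP address, so it did the lookup itself.
    """
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    if remote_dns:
        name = dest.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = ipaddress.ip_address(dest)  # ValueError if given a hostname
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return head + addr + struct.pack("!H", port)


def parse_connect(data):
    """Parse a SOCKS5 request into (atyp, destination, port).

    Raises ValueError on anything truncated, oversized or unknown.
    """
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing hostname length")
        n = body[0]
        raw, rest = body[1:1 + n], body[1 + n:]
        if n == 0 or len(raw) != n:
            raise ValueError("truncated hostname")
        dest = raw.decode("ascii")
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        raw, rest = body[:n], body[n:]
        if len(raw) != n:
            raise ValueError("truncated address")
        dest = str(ipaddress.ip_address(raw))
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return atyp, dest, struct.unpack("!H", rest)[0]


def resolved_locally(data):
    """True if the request carries a literal IP instead of a hostname.

    For a destination the user named by hostname, this means the DNS
    lookup happened on the client, outside the proxy.
    """
    return parse_connect(data)[0] != ATYP_DOMAIN


if __name__ == "__main__":
    # Constructed destinations: example hostname and documentation address.
    for req in (build_connect("www.example.org", 443, True),
                build_connect("192.0.2.1", 443, False)):
        print(req.hex(), "-> resolved locally:", resolved_locally(req))
```

Tor's SafeSocks option rejects the IP-only form at the SocksPort, which turns a silent local lookup into a visible failure.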
Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> Jacob Appelbaum:
>> adrelanos:
>>>>> Thus my suggestions:
>>>>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>>>>> - Drop the user agent setting, it only gives a false sense of being in
>>>>> the same anonymity set as Tor Button.
>>>> That is not the goal - the point is that you will say, drop that and no
>>>> one else will do so - so you will entirely stick out.
>>>
>>> Well, don't drop it individually or right away. Drop it in a new release.
>>>
>>
>> And I am saying - TBB won't drop their user agent. So you won't look
>> like them - you will look like you.
>
> What TBB does is not important for this case. You will look like wget,
> so or so. See below.

It is important to look like TBB or another case - if you use TBB to
fetch a single item - let's say an image like a favicon - I'd probably
want to match the headers it sends. Per request.

>
>>>>> [1] Not exactly impossible. The curl devs would have to change too much,
>>>>> extremely unlikely.
>>>> I don't use curl with tlsdate.
>>>
>>> Replace curl with a placeholder for any command line downloader.
>>>
>>
>> I think you are confused.
>
> I don't want to deny the possibility.
>
>> If I send a GET request with all the headers
>> sent by say, Tor Browser, that *single* GET request should look
>> identical. That is my goal.
>
> An honorable goal.
>
> I made a quick test with Wireshark visiting cnn.com as an example. With
> Tor Browser I had the page open for 1 minute. It connects to at least 6
> different IPs (just saying no criticism), downloads (temporary to show
> in browser) lots of pictures. The log grows much faster.
>
> Then I issued "wget cnn.com". It only connects to two IPs (1
> redirection). The log is much smaller. Wget does not fetch pictures.
>

wget -m would but that is rather beside the point, I think.

> It's trivial for the website owner, if he wants to, to find out if his
> website gets visited with Tor Browser by a real user or if it gets
> downloaded with a tool like wget.
>

Not really. It is *possible* if someone using TBB to explicitly visit a
single page or fetch a single resource.

> If you use wget, you look like wget, no matter which user agent you
> choose. So what's the point for Tails to add extra identifying bits?
> (curl + Tor Button user agent)
>

The point is that not every single request needs to stand out - in
aggregate, yes, some people may look differently. I'd rather stand out
only in aggregate.

> I think the user agent switcher feature of command line downloaders
> is not supposed to be a privacy feature. They probably added it to fetch
> different versions of sites, one for firefox, one for mobile phones and
> so on. This does not apply here, since you just want the header for the
> time.

I think you're confused still - a single GET request can be constructed
without the use of a library or another program.

All the best,
Jacob
Re: [Tails-dev] Faking htpdate user agent worth it?
Jacob Appelbaum:
> adrelanos:
>>>> Thus my suggestions:
>>>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>>>> - Drop the user agent setting, it only gives a false sense of being in
>>>> the same anonymity set as Tor Button.
>>>
>>> That is not the goal - the point is that you will say, drop that and no
>>> one else will do so - so you will entirely stick out.
>>
>> Well, don't drop it individually or right away. Drop it in a new release.
>>
>
> And I am saying - TBB won't drop their user agent. So you won't look
> like them - you will look like you.

What TBB does is not important for this case. You will look like wget,
so or so. See below.

>>>> [1] Not exactly impossible. The curl devs would have to change too much,
>>>> extremely unlikely.
>>>
>>> I don't use curl with tlsdate.
>>
>> Replace curl with a placeholder for any command line downloader.
>>
>
> I think you are confused.

I don't want to deny the possibility.

> If I send a GET request with all the headers
> sent by say, Tor Browser, that *single* GET request should look
> identical. That is my goal.

An honorable goal.

I made a quick test with Wireshark visiting cnn.com as an example. With
Tor Browser I had the page open for 1 minute. It connects to at least 6
different IPs (just saying no criticism), downloads (temporary to show
in browser) lots of pictures. The log grows much faster.

Then I issued "wget cnn.com". It only connects to two IPs (1
redirection). The log is much smaller. Wget does not fetch pictures.

It's trivial for the website owner, if he wants to, to find out if his
website gets visited with Tor Browser by a real user or if it gets
downloaded with a tool like wget.

If you use wget, you look like wget, no matter which user agent you
choose. So what's the point for Tails to add extra identifying bits?
(curl + Tor Button user agent)

I think the user agent switcher feature of command line downloaders
is not supposed to be a privacy feature. They probably added it to fetch
different versions of sites, one for firefox, one for mobile phones and
so on. This does not apply here, since you just want the header for the
time.

Cheers,
adrelanos
Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
>>> Thus my suggestions:
>>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>>> - Drop the user agent setting, it only gives a false sense of being in
>>> the same anonymity set as Tor Button.
>>
>> That is not the goal - the point is that you will say, drop that and no
>> one else will do so - so you will entirely stick out.
>
> Well, don't drop it individually or right away. Drop it in a new release.
>

And I am saying - TBB won't drop their user agent. So you won't look
like them - you will look like you.

>>>
>>> [1] Not exactly impossible. The curl devs would have to change too much,
>>> extremely unlikely.
>>
>> I don't use curl with tlsdate.
>
> Replace curl with a placeholder for any command line downloader.
>

I think you are confused. If I send a GET request with all the headers
sent by say, Tor Browser, that *single* GET request should look
identical. That is my goal.

All the best,
Jacob
Re: [Tails-dev] Faking htpdate user agent worth it?
Jacob Appelbaum:
> adrelanos:
>> Jacob Appelbaum:
>>> intrigeri:
>>>> Hi,
>>>>
>>>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>>>> I am wondering about this line in /etc/default/htpdate:
>>>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>>>
>>>> FTR, this is left from the times when htpdate did run wget in the
>>>> clear (without going through Tor).
>>>>
>>>>> Since you are also using curl and only download the header, does
>>>>> faking the Tor Button user agent provide any additional benefit?
>>>>> Couldn't the server quite easily distinguish from real Tor Button
>>>>> users and tails_htp curl users?
>>>>
>>>> It may be worse than what you are suggesting.
>>>>
>>>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>>>> then we should probably not pretend to be Torbutton. Does it?
>>>
>>> The more software that pretends to be TorButton - the better, I think.
>>
>> As a political statement?
>
> No. As a feature for feature match - it is true that there are other
> protocol distinguishers and ... so what?
>
>>
>> From technical view it's impossible [1] to imitate Tor Button with curl.
>> The user agent is just one bit, there are loads of other bits to find
>> out if someone is actually running Tor Browser and curl.
>>
>
> I don't care about curl at all.

Same goes for all command line downloader.

>> Just download for testing cnn.com with curl and look how much traffic
>> has been transferred and how quick it goes, even if fetching the whole
>> page, not just the header. Then watch the same thing in Tor Browser. It
>> fetches loads of pictures and also connects to doubleclick and other
>> third party sites.
>
> Indeed.
>
>>
>> Thus my suggestions:
>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>> - Drop the user agent setting, it only gives a false sense of being in
>> the same anonymity set as Tor Button.
>
> That is not the goal - the point is that you will say, drop that and no
> one else will do so - so you will entirely stick out.

Well, don't drop it individually or right away. Drop it in a new release.

>>
>> [1] Not exactly impossible. The curl devs would have to change too much,
>> extremely unlikely.
>
> I don't use curl with tlsdate.

Replace curl with a placeholder for any command line downloader.

> All the best,
> Jacob
Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> Jacob Appelbaum:
>> intrigeri:
>>> Hi,
>>>
>>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>>> I am wondering about this line in /etc/default/htpdate:
>>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>>
>>> FTR, this is left from the times when htpdate did run wget in the
>>> clear (without going through Tor).
>>>
>>>> Since you are also using curl and only download the header, does
>>>> faking the Tor Button user agent provide any additional benefit?
>>>> Couldn't the server quite easily distinguish from real Tor Button
>>>> users and tails_htp curl users?
>>>
>>> It may be worse than what you are suggesting.
>>>
>>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>>> then we should probably not pretend to be Torbutton. Does it?
>>
>> The more software that pretends to be TorButton - the better, I think.
>
> As a political statement?

No. As a feature for feature match - it is true that there are other
protocol distinguishers and ... so what?

>
> From technical view it's impossible [1] to imitate Tor Button with curl.
> The user agent is just one bit, there are loads of other bits to find
> out if someone is actually running Tor Browser and curl.
>

I don't care about curl at all.

> Just download for testing cnn.com with curl and look how much traffic
> has been transferred and how quick it goes, even if fetching the whole
> page, not just the header. Then watch the same thing in Tor Browser. It
> fetches loads of pictures and also connects to doubleclick and other
> third party sites.

Indeed.

>
> Thus my suggestions:
> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
> - Drop the user agent setting, it only gives a false sense of being in
> the same anonymity set as Tor Button.

That is not the goal - the point is that you will say, drop that and no
one else will do so - so you will entirely stick out.

>
> [1] Not exactly impossible. The curl devs would have to change too much,
> extremely unlikely.

I don't use curl with tlsdate.

All the best,
Jacob
Re: [Tails-dev] Faking htpdate user agent worth it?
Jacob Appelbaum:
> intrigeri:
>> Hi,
>>
>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>> I am wondering about this line in /etc/default/htpdate:
>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>
>> FTR, this is left from the times when htpdate did run wget in the
>> clear (without going through Tor).
>>
>>> Since you are also using curl and only download the header, does
>>> faking the Tor Button user agent provide any additional benefit?
>>> Couldn't the server quite easily distinguish from real Tor Button
>>> users and tails_htp curl users?
>>
>> It may be worse than what you are suggesting.
>>
>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>> then we should probably not pretend to be Torbutton. Does it?
>
> The more software that pretends to be TorButton - the better, I think.

As a political statement?

From technical view it's impossible [1] to imitate Tor Button with curl.
The user agent is just one bit, there are loads of other bits to find
out if someone is actually running Tor Browser and curl.

Just download for testing cnn.com with curl and look how much traffic
has been transferred and how quick it goes, even if fetching the whole
page, not just the header. Then watch the same thing in Tor Browser. It
fetches loads of pictures and also connects to doubleclick and other
third party sites.

Thus my suggestions:
- Keep only header. Save users' traffic, Tor's traffic and website traffic.
- Drop the user agent setting, it only gives a false sense of being in
  the same anonymity set as Tor Button.

[1] Not exactly impossible. The curl devs would have to change too much,
extremely unlikely.
Re: [Tails-dev] Faking htpdate user agent worth it?
On Mon, Oct 01, 2012 at 07:18:00AM +0200, intrigeri wrote:
> > Since you are also using curl and only download the header, does
> > faking the Tor Button user agent provide any additional benefit?
> > Couldn't the server quite easily distinguish from real Tor Button
> > users and tails_htp curl users?
>
> It may be worse than what you are suggesting.
>
> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
> then we should probably not pretend to be Torbutton. Does it?

I think the overhead of not using '--head' and doing a full GET
would be marginal. It would make it at least a little bit harder to
distinguish from other requests.

--
Ague
Re: [Tails-dev] Faking htpdate user agent worth it?
intrigeri:
> Hi,
>
> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>> I am wondering about this line in /etc/default/htpdate:
>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>
> FTR, this is left from the times when htpdate did run wget in the
> clear (without going through Tor).
>
>> Since you are also using curl and only download the header, does
>> faking the Tor Button user agent provide any additional benefit?
>> Couldn't the server quite easily distinguish from real Tor Button
>> users and tails_htp curl users?
>
> It may be worse than what you are suggesting.
>
> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
> then we should probably not pretend to be Torbutton. Does it?

The more software that pretends to be TorButton - the better, I think.

All the best,
Jacob
Re: [Tails-dev] Faking htpdate user agent worth it?
Hi,

adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
> I am wondering about this line in /etc/default/htpdate:
> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"

FTR, this is left from the times when htpdate did run wget in the
clear (without going through Tor).

> Since you are also using curl and only download the header, does
> faking the Tor Button user agent provide any additional benefit?
> Couldn't the server quite easily distinguish from real Tor Button
> users and tails_htp curl users?

It may be worse than what you are suggesting.

If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
then we should probably not pretend to be Torbutton. Does it?
Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> Jacob Appelbaum:
>> I'd be interested in using the same headers for tlsdate - so whatever
>> you guys end up using - let's try to make them look similar?
>
> curl is already a good choice. Supports socks proxy settings, ssl
> certificate pinning, strict https, tlsv1, only header...
>

I have mixed feelings - namely - I think their SOCKS proxy support seems
to really not be fantastic. In some testing we did, we found that it
leaked DNS basically everywhere unless you used some kind of HTTP
proxy. :(

> That everyone uses the same is good idea.
>

I want to behave similarly without promoting a monoculture.

> I am just not sure if the "phrasing Tor Button's latest user agent" is
> worth the extra effort.

I think using a common user agent is a fine idea. I would also want to
ensure that all of the headers sent are also documented and that tlsdate
sends the same headers.

All the best,
Jacob
Re: [Tails-dev] Faking htpdate user agent worth it?
Jacob Appelbaum:
> I'd be interested in using the same headers for tlsdate - so whatever
> you guys end up using - let's try to make them look similar?

curl is already a good choice. Supports socks proxy settings, ssl
certificate pinning, strict https, tlsv1, only header...

That everyone uses the same is good idea.

I am just not sure if the "phrasing Tor Button's latest user agent" is
worth the extra effort.
Re: [Tails-dev] Faking htpdate user agent worth it?
adrelanos:
> Hello,
>
> I am wondering about this line in /etc/default/htpdate:
> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>
> Since you are also using curl and only download the header, does faking
> the Tor Button user agent provide any additional benefit? Couldn't the
> server quite easily distinguish from real Tor Button users and tails_htp
> curl users?
>
> Even if you were not telling curl to only download the header. If you
> were still downloading the whole site. Would that actually add any
> additional benefit?
>
> Haven't found this in the design. Please explain.
>

I'd be interested in using the same headers for tlsdate - so whatever
you guys end up using - let's try to make them look similar?

All the best,
Jacob
[Tails-dev] Faking htpdate user agent worth it?
Hello,

I am wondering about this line in /etc/default/htpdate:
HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"

Since you are also using curl and only download the header, does faking
the Tor Button user agent provide any additional benefit? Couldn't the
server quite easily distinguish from real Tor Button users and tails_htp
curl users?

Even if you were not telling curl to only download the header. If you
were still downloading the whole site. Would that actually add any
additional benefit?

Haven't found this in the design. Please explain.

Cheers,
adrelanos