Jacob Appelbaum:
> adrelanos:
>> Jacob Appelbaum:
>>> intrigeri:
>>>> Hi,
>>>>
>>>> adrelanos wrote (30 Sep 2012 22:25:31 GMT) :
>>>>> I am wondering about this line in /etc/default/htpdate:
>>>>> HTTP_USER_AGENT="$(/usr/local/bin/getTorbuttonUserAgent)"
>>>>
>>>> FTR, this is left from the times when htpdate did run wget in the
>>>> clear (without going through Tor).
>>>>
>>>>> Since you are also using curl and only download the header, does
>>>>> faking the Tor Button user agent provide any additional benefit?
>>>>> Couldn't the server quite easily distinguish from real Tor Button
>>>>> users and tails_htp curl users?
>>>>
>>>> It may be worse than what you are suggesting.
>>>>
>>>> If iceweasel + Torbutton rarely, if ever, sends HTTP HEAD requests,
>>>> then we should probably not pretend to be Torbutton. Does it?
>>>
>>> The more software that pretends to be TorButton - the better, I think.
>>
>> As a political statement?
>
> No. As a feature for feature match - it is true that there are other
> protocol distinguishers and ... so what?
>
>>
>> From a technical view it's impossible [1] to imitate Tor Button with curl.
>> The user agent is just one bit, there are loads of other bits to find
>> out if someone is actually running Tor Browser and curl.
>>
>
> I don't care about curl at all.

Same goes for all command line downloaders.

>> Just download for testing cnn.com with curl and look how much traffic
>> has been transferred and how quick it goes, even if fetching the whole
>> page, not just the header. Then watch the same thing in Tor Browser. It
>> fetches loads of pictures and also connects to doubleclick and other
>> third party sites.
>
> Indeed.
>
>>
>> Thus my suggestions:
>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>> - Drop the user agent setting, it only gives a false sense of being in
>> the same anonymity set as Tor Button.
>
> That is not the goal - the point is that you will say, drop that and no
> one else will do so - so you will entirely stick out.

Well, don't drop it individually or right away. Drop it in a new release.

>>
>> [1] Not exactly impossible. The curl devs would have to change too much,
>> extremely unlikely.
>
> I don't use curl with tlsdate.

Replace curl with a placeholder for any command line downloader.

> All the best,
> Jacob
>
> _______________________________________________
> tails-dev mailing list
> [email protected]
> https://mailman.boum.org/listinfo/tails-dev
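
Added example, not part of the thread or of the htpdate code: a small check of the point argued above, that a header-only fetcher sharing a browser's User-Agent still differs in what the server can observe (request method, header set, subresource fetches). The sessions, header sets and the User-Agent string are constructed placeholders, not captures of Tor Browser or curl.

```python
# Constructed sample sessions as a web server would log them: (method, path, headers).
# All values are illustrative placeholders, not real client captures.
SHARED_UA = "Mozilla/5.0 (constructed sample)"

BROWSER_HEADERS = {
    "User-Agent": SHARED_UA,
    "Accept": "text/html",
    "Accept-Language": "en-us",
    "Accept-Encoding": "gzip, deflate",
}
FETCHER_HEADERS = {"User-Agent": SHARED_UA, "Accept": "*/*"}

# A browser loads the page and then its subresources.
BROWSER_SESSION = [
    ("GET", "/", BROWSER_HEADERS),
    ("GET", "/style.css", BROWSER_HEADERS),
    ("GET", "/logo.png", BROWSER_HEADERS),
]
# A header-only fetcher sends one HEAD request and stops.
FETCHER_SESSION = [("HEAD", "/", FETCHER_HEADERS)]


def profile(session):
    """Reduce a session to features visible to the server without client-side code."""
    return {
        "user_agent": {h.get("User-Agent") for _, _, h in session},
        "methods": {m for m, _, _ in session},
        "header_names": {name.lower() for _, _, h in session for name in h},
        "fetches_subresources": len({p for _, p, _ in session}) > 1,
    }


def distinguishers(candidate, reference):
    """Names of the observable features where candidate differs from reference."""
    a, b = profile(candidate), profile(reference)
    return sorted(key for key in a if a[key] != b[key])


if __name__ == "__main__":
    same_ua = profile(FETCHER_SESSION)["user_agent"] == profile(BROWSER_SESSION)["user_agent"]
    print("User-Agent matches:", same_ua)
    for name in distinguishers(FETCHER_SESSION, BROWSER_SESSION):
        print("still differs:", name)
```
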
