On 06/22/2014 11:32 AM, intrigeri wrote: > Hi, > > on the one hand, for an attacker that only looks at the user-agent > header, telling curl to use the same value for it as the Tor Browser > would make it part of a larger anonymity set. > > On the other hand, the fingerprint of curl probably differs in many > other ways. So, for an attacker that looks at it more closely, a curl > HTTP client pretending to be Firefox is part of a very small > anonymity set. > > Against which one of these attackers do we want to optimize Tails for? I don't think that tweaking curl is a good idea:
- Making it looking like Firefox for HTTPS won't be an easy task, since there is a lot of black-magic involved here. - Against an active attacker, I'm quite sure that she'll find an oracle anyway. - A passive attacker on HTTP can most of the time becoming an active one. So, the only case where this could be useful is clear-text http, which you shouldn't use over Tor anyway. _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
