On 6/22/14, intrigeri <[email protected]> wrote: > Hi, > > on the one hand, for an attacker that only looks at the user-agent > header, telling curl to use the same value for it as the Tor Browser > would make it part of a larger anonymity set. >
That is correct. It also has a secondary effect: curl has a crazy user agent that leaks specific version numbers and we can reduce leaking these details. This will make exploitation of curl harder. > On the other hand, the fingerprint of curl probably differs in many > other ways. So, for an attacker that looks at it more closely, a curl > HTTP client pretending to be Firefox is part of a very small > anonymity set. We should fix the issues we discover and as we learn more, we should evaluate each change. I support changing the user agent of curl to be one that is shared with Tor Browser. That said - for a single GET request, we should study the various clients on Tails and determine if this hypothesis (easy to fingerprint) is correct. > > Against which one of these attackers do we want to optimize Tails for? > We should aim for unification of user agents across all clients - not just curl but all user agents of all software in Tails. It is easy to tackle this with Firefox and with Curl. It should also be done with wget, GET, POST, HEAD, /usr/lib/apt/methods/http (apt-get update), and other tools on the system. Each one will have its own set of problems, of course. What is a good way to set the user agent on a system wide basis? Perhaps a string in /etc/useragent that each program can source? That would make maintenance easier. Such a file would set one place to update the User Agent string. ( I think I reported a bug similar to this one with a user that I was training. ) All the best, Jacob _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
