Heya, On 6/23/14, intrigeri <[email protected]> wrote: > Hi, > > Jacob Appelbaum wrote (22 Jun 2014 16:16:17 GMT) : >> On 6/22/14, intrigeri <[email protected]> wrote: >>> On the other hand, the fingerprint of curl probably differs in many >>> other ways. So, for an attacker that looks at it more closely, a curl >>> HTTP client pretending to be Firefox is part of a very small >>> anonymity set. > >> We should fix the issues we discover and as we learn more, we should >> evaluate each change. > > I agree that it would be good if some ideal "we" did this, but I'm > very unsure that Tails can take responsibility for starting what could > very well be a never-ending quest. Anyway, it's hard to know how hard > this mission would be, before we know the answer to: >
I think agreeing on a specific user agent and having a central place to find it makes the job much easier to tackle. In any case, I think setting a few shell aliases would not hurt and if they source a common file for a user agent, it should be straight forward to keep things in sync with perhaps no upstream modifications? For example: wget --user-agent="$useragent" curl --user-agent "$useragent" GET -H "User-Agent:$useragent" >> That said - for a single GET request, we should study the various >> clients on Tails and determine if this hypothesis (easy to >> fingerprint) is correct. > > That would be good to know, indeed. Any taker? > For the discussion at hand, I sniffed my own sessions and saw the following data transmissions. wget: GET /~ioerror/misc/tor-ips.txt HTTP/1.1 Host: people.torproject.org User-Agent: Wget/1.12 (linux-gnu) Accept: */* Connection: keep-alive HTTP/1.1 302 Found Date: Tue, 24 Jun 2014 10:30:13 GMT Server: Apache Location: https://people.torproject.org/~ioerror/misc/tor-ips.txt Vary: Accept-Encoding Content-Length: 310 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://people.torproject.org/~ioerror/misc/tor-ips.txt";>here</a>.</p> <hr> <address>Apache Server at people.torproject.org Port 80</address> </body></html> curl: GET http://people.torproject.org/~ioerror/misc/tor-ips.txt HTTP/1.1 User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6 Host: people.torproject.org Accept: */* Proxy-Connection: Keep-Alive HTTP/1.1 302 Found Content-Length: 310 Date: Tue, 24 Jun 2014 10:24:46 GMT Server: Apache Location: https://people.torproject.org/~ioerror/misc/tor-ips.txt Vary: Accept-Encoding Content-Type: text/html; charset=iso-8859-1 Connection: keep-alive <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://people.torproject.org/~ioerror/misc/tor-ips.txt";>here</a>.</p> <hr> <address>Apache Server at people.torproject.org Port 80</address> </body></html> GET: GET http://people.torproject.org/~ioerror/misc/tor-ips.txt HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: people.torproject.org User-Agent: lwp-request/5.834 libwww-perl/5.836 HTTP/1.1 302 Found Content-Length: 310 Date: Tue, 24 Jun 2014 10:28:34 GMT Server: Apache Location: https://people.torproject.org/~ioerror/misc/tor-ips.txt Vary: Accept-Encoding Content-Type: text/html; charset=iso-8859-1 Connection: close <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://people.torproject.org/~ioerror/misc/tor-ips.txt";>here</a>.</p> <hr> <address>Apache Server at people.torproject.org Port 80</address> </body></html> This is Tor Browser on Tails for the same file but on a different web server: GET /~ioerror/misc/tor-ips.txt HTTP/1.1 Host: perdulce.torproject.org User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive ..........HTTP/1.1 404 Not Found Date: Tue, 24 Jun 2014 10:37:29 GMT Server: Apache Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 243 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Here are the same clients with a forged User Agent: wget --user-agent="User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" http://people.torproject.org/~ioerror/misc/tor-ips.txt; shows: GET /~ioerror/misc/tor-ips.txt HTTP/1.1 Host: people.torproject.org User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: */* Connection: keep-alive curl --user-agent "User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" http://people.torproject.org/~ioerror/misc/tor-ips.txt; shows: GET /~ioerror/misc/tor-ips.txt HTTP/1.1 Host: people.torproject.org User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Accept: */* Connection: keep-alive GET -H "User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" http://people.torproject.org/~ioerror/misc/tor-ips.txt; shows: GET /~ioerror/misc/tor-ips.txt HTTP/1.1 Host: people.torproject.org User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Connection: keep-alive My conclusion is that setting the user agent for curl and wget to match Tor Browser isn't a horrible idea. It even seems like on a single GET request, it would be helpful for privacy and anonymity set reasons. It certainly reduces the version information leakage that is absolutely useful for fingerprinting and exploitation. For `GET` - we might also add -H="Accept: */*" and then all three would be aligned. As for the system itself - I looked at `apt-get update` and found the following user agent during a fetch: GET /debian-backports/dists/squeeze-backports/Release.gpg HTTP/1.1 Host: backports.debian.org Cache-Control: max-age=0 User-Agent: Debian APT-HTTP/1.3 (0.8.10.3) Connection: keep-alive That seems like it is worth masking as well, especially since it runs as root! This can be accomplished by setting Acquire::http::User-Agent in /etc/apt/apt.conf like so: Acquire::http::User-Agent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"; Once set - it sends requests like the following: GET http://mozilla.debian.net/dists/squeeze-backports/Release.gpg HTTP/1.1 Host: mozilla.debian.net Cache-Control: max-age=0 If-Modified-Since: Wed, 11 Jun 2014 04:37:16 GMT User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 GET http://mozilla.debian.net/dists/squeeze-backports/iceweasel-esr/i18n/Translation-en.bz2 HTTP/1.1 Host: mozilla.debian.net Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 Are there any other clients that I should test? All the best, Jacob _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
