Re: [Tails-dev] Setting curl's user-agent to the same as Tor…

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Setting curl's user-agent to the same as Tor Browser?
On 6/22/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> on the one hand, for an attacker that only looks at the user-agent
> header, telling curl to use the same value for it as the Tor Browser
> would make it part of a larger anonymity set.
>


That is correct. It also has a secondary effect: curl has a crazy user
agent that leaks specific version numbers and we can reduce leaking
these details. This will make exploitation of curl harder.

> On the other hand, the fingerprint of curl probably differs in many
> other ways. So, for an attacker that looks at it more closely, a curl
> HTTP client pretending to be Firefox is part of a very small
> anonymity set.


We should fix the issues we discover and as we learn more, we should
evaluate each change. I support changing the user agent of curl to be
one that is shared with Tor Browser.

That said - for a single GET request, we should study the various
clients on Tails and determine if this hypothesis (easy to
fingerprint) is correct.

>
> Against which one of these attackers do we want to optimize Tails for?
>


We should aim for unification of user agents across all clients - not
just curl but all user agents of all software in Tails. It is easy to
tackle this with Firefox and with Curl. It should also be done with
wget, GET, POST, HEAD, /usr/lib/apt/methods/http (apt-get update), and
other tools on the system. Each one will have its own set of problems,
of course.

What is a good way to set the user agent on a system wide basis?
Perhaps a string in /etc/useragent that each program can source? That
would make maintenance easier. Such a file would set one place to
update the User Agent string.

( I think I reported a bug similar to this one with a user that I was
training. )

All the best,
Jacob