[Tails-dev] user-agent analysis and suggestions: hooray!

Delete this message

Reply to this message
Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
Subject: [Tails-dev] user-agent analysis and suggestions: hooray!
Heya,

On 6/23/14, intrigeri <intrigeri@???> wrote:
> Hi,
>
> Jacob Appelbaum wrote (22 Jun 2014 16:16:17 GMT) :
>> On 6/22/14, intrigeri <intrigeri@???> wrote:
>>> On the other hand, the fingerprint of curl probably differs in many
>>> other ways. So, for an attacker that looks at it more closely, a curl
>>> HTTP client pretending to be Firefox is part of a very small
>>> anonymity set.
>
>> We should fix the issues we discover and as we learn more, we should
>> evaluate each change.
>
> I agree that it would be good if some ideal "we" did this, but I'm
> very unsure that Tails can take responsibility for starting what could
> very well be a never-ending quest. Anyway, it's hard to know how hard
> this mission would be, before we know the answer to:
>


I think agreeing on a specific user agent and having a central place
to find it makes the job much easier to tackle. In any case, I think
setting a few shell aliases would not hurt and if they source a common
file for a user agent, it should be straight forward to keep things in
sync with perhaps no upstream modifications?

For example:

wget --user-agent="$useragent"
curl --user-agent "$useragent"
GET -H "User-Agent:$useragent"

>> That said - for a single GET request, we should study the various
>> clients on Tails and determine if this hypothesis (easy to
>> fingerprint) is correct.
>
> That would be good to know, indeed. Any taker?
>


For the discussion at hand, I sniffed my own sessions and saw the
following data transmissions.

wget:

GET /~ioerror/misc/tor-ips.txt HTTP/1.1
Host: people.torproject.org
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Connection: keep-alive

HTTP/1.1 302 Found
Date: Tue, 24 Jun 2014 10:30:13 GMT
Server: Apache
Location: https://people.torproject.org/~ioerror/misc/tor-ips.txt
Vary: Accept-Encoding
Content-Length: 310
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="https://people.torproject.org/~ioerror/misc/tor-ips.txt">here</a>.</p>
<hr>
<address>Apache Server at people.torproject.org Port 80</address>
</body></html>

curl:

GET http://people.torproject.org/~ioerror/misc/tor-ips.txt HTTP/1.1
User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0
OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
Host: people.torproject.org
Accept: */*
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found
Content-Length: 310
Date: Tue, 24 Jun 2014 10:24:46 GMT
Server: Apache
Location: https://people.torproject.org/~ioerror/misc/tor-ips.txt
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="https://people.torproject.org/~ioerror/misc/tor-ips.txt">here</a>.</p>
<hr>
<address>Apache Server at people.torproject.org Port 80</address>
</body></html>

GET:

GET http://people.torproject.org/~ioerror/misc/tor-ips.txt HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: people.torproject.org
User-Agent: lwp-request/5.834 libwww-perl/5.836

HTTP/1.1 302 Found
Content-Length: 310
Date: Tue, 24 Jun 2014 10:28:34 GMT
Server: Apache
Location: https://people.torproject.org/~ioerror/misc/tor-ips.txt
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a
href="https://people.torproject.org/~ioerror/misc/tor-ips.txt">here</a>.</p>
<hr>
<address>Apache Server at people.torproject.org Port 80</address>
</body></html>

This is Tor Browser on Tails for the same file but on a different web server:

GET /~ioerror/misc/tor-ips.txt HTTP/1.1
Host: perdulce.torproject.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

..........HTTP/1.1 404 Not Found
Date: Tue, 24 Jun 2014 10:37:29 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 243
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Here are the same clients with a forged User Agent:

wget --user-agent="User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0)
Gecko/20100101 Firefox/24.0"
http://people.torproject.org/~ioerror/misc/tor-ips.txt; shows:

GET /~ioerror/misc/tor-ips.txt HTTP/1.1
Host: people.torproject.org
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0)
Gecko/20100101 Firefox/24.0
Accept: */*
Connection: keep-alive

curl --user-agent "User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0)
Gecko/20100101 Firefox/24.0"
http://people.torproject.org/~ioerror/misc/tor-ips.txt; shows:

GET /~ioerror/misc/tor-ips.txt HTTP/1.1
Host: people.torproject.org
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0)
Gecko/20100101 Firefox/24.0
Accept: */*
Connection: keep-alive

GET -H "User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:24.0)
Gecko/20100101 Firefox/24.0"
http://people.torproject.org/~ioerror/misc/tor-ips.txt; shows:

GET /~ioerror/misc/tor-ips.txt HTTP/1.1
Host: people.torproject.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Connection: keep-alive

My conclusion is that setting the user agent for curl and wget to
match Tor Browser isn't a horrible idea. It even seems like on a
single GET request, it would be helpful for privacy and anonymity set
reasons. It certainly reduces the version information leakage that is
absolutely useful for fingerprinting and exploitation. For `GET` - we
might also add -H="Accept: */*" and then all three would be aligned.

As for the system itself - I looked at `apt-get update` and found the
following user agent during a fetch:

GET /debian-backports/dists/squeeze-backports/Release.gpg HTTP/1.1
Host: backports.debian.org
Cache-Control: max-age=0
User-Agent: Debian APT-HTTP/1.3 (0.8.10.3)
Connection: keep-alive

That seems like it is worth masking as well, especially since it runs
as root! This can be accomplished by setting Acquire::http::User-Agent
in /etc/apt/apt.conf like so:

Acquire::http::User-Agent "Mozilla/5.0 (Windows NT 6.1; rv:24.0)
Gecko/20100101 Firefox/24.0";

Once set - it sends requests like the following:

GET http://mozilla.debian.net/dists/squeeze-backports/Release.gpg HTTP/1.1
Host: mozilla.debian.net
Cache-Control: max-age=0
If-Modified-Since: Wed, 11 Jun 2014 04:37:16 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

GET http://mozilla.debian.net/dists/squeeze-backports/iceweasel-esr/i18n/Translation-en.bz2
HTTP/1.1
Host: mozilla.debian.net
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

Are there any other clients that I should test?

All the best,
Jacob