Author: Jacob Appelbaum
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] user-agent analysis and suggestions: hooray!

On 6/24/14, Daniel Kahn Gillmor <dkg@???> wrote:
> On 06/24/2014 06:56 AM, Jacob Appelbaum wrote:
> [snip interesting discussion of user-agents for human-driven HTTP clients]
>
>> As for the system itself - I looked at `apt-get update` and found the
>> following user agent during a fetch:
>>
>> GET /debian-backports/dists/squeeze-backports/Release.gpg HTTP/1.1
>> Host: backports.debian.org
>> Cache-Control: max-age=0
>> User-Agent: Debian APT-HTTP/1.3 (0.8.10.3)
>> Connection: keep-alive
>>
>> That seems like it is worth masking as well, especially since it runs
>> as root!
>
> While i doubt that changing the User-Agent here will concretely hurt
> anything, an adversary who can observe the HTTP request for
> squeeze-backports/Release.gpg (and the associated Release, Packages, etc
> -- a very distinct traffic pattern) will be able to guess with very high
> certainty what version of APT is making the connections in the first place.
>
I wonder if that is true? I guess it might be true with enough
observations. Wouldn't it be a possible release in a set amongst all
the fetched releases? That is - I might run a newer version of
`apt-get` and access older repositories, no? Seems like a wide variety
of versions are possibly accessing those mirrors.
Leaking the version settles any speculation, of course.