Hi Oliver: On 25.01.14 22:26, Oliver Eichler wrote:
I am really amazed how everyone is so enthusiastic to provide information that is of no concern of the one requesting it. I thought after the Snowden disaster people would start to think twice on how much detail has to be supplied.
I fully agree with the approach to limit leaking unnecessary information as far as possible. However, to be honest, I do not fully understand which security/privacy implications sending the user agent might have. IMHO, the critical information in an OSM request is (a) the source IP address and (b) the tile id, in particular if the NSA/GCHQ/whoever links it with more metadata from other channels like e-mail etc. - which they probably do, as we know after the Summer of Snowden! I don't see the value for OSM, though. Or do you think they (a) store the data and (b) share it with the secret services? The trivial protection is using an anonymiser proxy like TOR (with the drawback that it's slow, and OSM might easily block TOR exits). It would be great if OSM would offer reading data through a fully encrypted channel (i.e. https), but afaik this is not possible. Maybe you could give more details about your concerns regarding the user agent information, compared to IP address plus tile id?
Technically there is no reason to transmit the user-agent information at all. As all information is simple data, there is no need to adapt the result to the user-agent used. [...] The only reason to supply it is because the OSM tile service requires it.
This is not completely true. RFC 2616, sect. 14.43 states that "user agents SHOULD include this field [User-Agent] with requests". According to RFC 2119, "SHOULD [...] mean[s] that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course". Just a side note: In the company for which I'm working, I use the user-agent information in the (squid) proxy to block connections which should be considered as being potentially dangerous (e.g. Skype, clouds, and similar). Thus, this header field *does* actually have some (though really limited) value for improving security.
I do agree with you that the user-agent string should be compliant with the specification. I will change that. But I will take my freedom to keep the agent anonymous by mimicking a 0815 agent.
Actually, you don't do that if you just state it's "Mozilla"! All browsers by default send *much* more information [1, 2]. Thus, a user-agent which looks so different from a "real" UA's identification is already a clear indication of a faked one.

Best, Albrecht.

[1] <https://panopticlick.eff.org/>
[2] <http://www.heise.de/security/meldung/Fingerprinting-Viele-Browser-sind-ohne-Cookies-identifizierbar-1982976.html>
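As an added illustration of the two points raised in this message (a User-Agent value must follow the RFC 2616 product/comment grammar, and a bare "Mozilla" is compliant yet stands out because real browsers send several product tokens plus a platform comment), here is a small parser that a proxy or log-analysis script could use to check both. This is example code written for this post, not part of QLandkarteGT or any squid configuration; the function names and the sample strings are constructed.

```python
import re

# Simplified RFC 2616 sect. 14.43 grammar: a User-Agent value is one or more
# products ("name" or "name/version") and parenthesised comments.
# The token character set is the stricter RFC 7230 tchar set (assumption).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PRODUCT = re.compile(rf"({_TOKEN})(?:/({_TOKEN}))?")


def parse_user_agent(ua):
    """Return (products, comments); products are (name, version-or-None) tuples.

    Raises ValueError if the string contains anything that is neither a
    product token nor a comment, i.e. if it is not compliant with RFC 2616."""
    products, comments = [], []
    i, n = 0, len(ua)
    while i < n:
        if ua[i].isspace():
            i += 1
        elif ua[i] == "(":
            depth, j = 0, i
            while j < n:                      # comments may nest: "(a (b))"
                if ua[j] == "(":
                    depth += 1
                elif ua[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if depth != 0:
                raise ValueError("unbalanced comment in %r" % ua)
            comments.append(ua[i + 1:j])
            i = j + 1
        else:
            m = _PRODUCT.match(ua, i)
            if not m:
                raise ValueError("illegal character at %d in %r" % (i, ua))
            products.append((m.group(1), m.group(2)))
            i = m.end()
    return products, comments


def looks_minimal(ua):
    """True when the UA is a single product with no version and no comment.

    Such a value (e.g. just "Mozilla") is compliant, but because browsers
    send several products plus a platform comment it does not blend in."""
    products, comments = parse_user_agent(ua)
    return len(products) == 1 and products[0][1] is None and not comments
```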
_______________________________________________
Qlandkartegt-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qlandkartegt-users
