Hi Albrecht,

it's like our parents told us, give no more information to strangers than
necessary. Before I start thinking and arguing how a certain information
might be harmful to my privacy or not, I simply try to restrict information
to the bare minimum. Imho that is an established practice from the old days
that seems to be forgotten in the times of Facebook and others.

And as I do not see a strong technical reason to transmit that information,
I simply classify it as none of anyone's business what user-agent I use. And
I get disgusted if I see how others constantly try to snoop as much
information as possible. I do not care about their intention. It might be
noble or nasty. But the constant nagging for information makes you numb and
you start to care less about your privacy. After a while you are not able to
tell what information was a bad idea to give and what was void. That is why
you should provide information as scarce as possible.

I will replace the string by "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
6.1)". If anyone does not feel comfortable with that, I will remove the
built-in maps completely together with all user-agent strings.

Oliver



> Hi Oliver:
> 
> On 25.01.14 22:26, Oliver Eichler wrote:
> > I am really amazed how everyone is so enthusiastic to provide information
> > that is of no concern of the one requesting it. I thought after the
> > Snowden disaster people start to think twice on how much details have to
> > be supplied.
> I fully agree with the approach to limit leaking unnecessary information as
> far as possible.  However, to be honest, I do not fully understand which
> security/privacy implications sending the user agent might have.  IMHO, the
> critical information in an OSM request is (a) the source IP address and (b)
> the tile id, in particular if the NSA/GCHQ/whoever links it with more meta
> data from other channels like e-mail etc. - what they probably do, as we
> know after the Summer of Snowden!
> 
> I don't see the value for OSM, though.  Or do you think they (a) store the
> data and (b) share it with the secret services?
> 
> The trivial protection is using an anonymiser proxy like TOR (with the
> drawback that it's slow, and OSM might easily block TOR exits).  It would be
> great if OSM would offer reading data through a fully encrypted channel
> (i.e. https), but afaik this is not possible.
> 
> Maybe you give more details about your concerns regarding the user agent
> information, compared to IP address plus tile id?
> > Technically there is no reason to transmit the user-agent information at
> > all. As all information is simple data, there is no need to adopt the
> > result to the used user-agent. [...] The only reason to supply it is
> > because the OSM tile service requires it.
> This is not completely true.  RFC 2616, sect. 14.43 states that "user agents
> SHOULD include this field [User-Agent] with requests".  According to RFC
> 2119, "SHOULD [...] mean[s] that there may exist valid reasons in
> particular circumstances to ignore a particular item, but the full
> implications must be understood and carefully weighed before choosing a
> different course".
> 
> Just a side note: In the company for which I'm working, I use the user-agent
> information in the (squid) proxy as to block connections which should be
> considered as being potentially dangerous (e.g. Skype, clouds, and
> similar).  Thus, this header field *does* actually have some (though really
> limited) value for improving security.
> > I do agree with you, that the user-agent string should be compliant to the
> > specification. I will change that. But I will take my freedom to keep the
> > agent anonymous by mimicking a 0815 agent.
> Actually, you don't do that if you just state it's "Mozilla"!  All browsers
> by default send *much* more information [1, 2].  Thus, a user-agent which
> looks so different from a "real" UA's identification is already a clear
> indication of a faked one.
> 
> Best, Albrecht.
> 
> 
> [1] <https://panopticlick.eff.org/>
> [2] <http://www.heise.de/security/meldung/Fingerprinting-Viele-Browser-sind-ohne-Cookies-identifizierbar-1982976.html>

_______________________________________________
Qlandkartegt-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qlandkartegt-users
