adrelanos:
> Jacob Appelbaum:
>> adrelanos:
>>>>> Thus my suggestions:
>>>>> - Keep only header. Save users' traffic, Tor's traffic and website traffic.
>>>>> - Drop the user agent setting, it only gives a false sense of being in
>>>>> the same anonymity set as Tor Button.
>>>>
>>>> That is not the goal - the point is that you will say, drop that and no
>>>> one else will do so - so you will entirely stick out.
>>>
>>> Well, don't drop it individually or right away. Drop it in a new release.
>>>
>>
>> And I am saying - TBB won't drop their user agent. So you won't look
>> like them - you will look like you.
>
> What TBB does is not important for this case. You will look like wget,
> so or so. See below.

It is important to look like TBB or another case - if you use TBB to fetch a single item - let's say an image like a favicon - I'd probably want to match the headers it sends. Per request.

>
>>>>>
>>>>> [1] Not exactly impossible. The curl devs would have to change too much,
>>>>> extremely unlikely.
>>>>
>>>> I don't use curl with tlsdate.
>>>
>>> Replace curl with a placeholder for any command line downloader.
>>>
>>
>> I think you are confused.
>
> I don't want to deny the possibility.
>
>> If I send a GET request with all the headers
>> sent by say, Tor Browser, that *single* GET request should look
>> identical. That is my goal.
>
> An honorable goal.
>
> I made a quick test with Wireshark visiting cnn.com as an example. With
> Tor Browser I had the page open for 1 minute. It connects to at least 6
> different IPs (just saying no criticism), downloads (temporary to show
> in browser) lots of pictures. The log grows much faster.
>
> Then I issued "wget cnn.com". It only connects to two IPs (1
> redirection). The log is much smaller. Wget does not fetch pictures.
> wget -m would but that is rather beside the point, I think.
> It's trivial for the website owner, if he wants to, to find out if his
> website gets visited with Tor Browser by a real user or if it gets
> downloaded with a tool like wget.
>

Not really. It is *possible* if someone using TBB to explicitly visit a single page or fetch a single resource.

> If you use wget, you look like wget, no matter which user agent you
> choose. So what's the point for Tails to add extra identifying bits?
> (curl + Tor Button user agent)
>

The point is that not every single request needs to stand out - in aggregate, yes, some people may look differently. I'd rather stand out only in aggregate.

> I think the user agent switcher feature of command line downloaders
> is not supposed to be a privacy feature. They probably added it to fetch
> different versions of sites, one for Firefox, one for mobile phones and
> so on. This does not apply here, since you just want the header for the
> time.

I think you're confused still - a single GET request can be constructed without the use of a library or another program.

All the best,
Jacob

_______________________________________________
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
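The per-request question debated in this thread can be checked mechanically. The following is an added example, not code from either poster or from tlsdate or Tails: it compares two hand-built GET requests header by header to show what still differs once only the User-Agent has been matched. Both requests, the `ExampleBrowser/1.0` string and `example.org` are constructed placeholders, not captured traffic.

```python
# Constructed sample requests (illustrative placeholders, not real captures).
BROWSER_LIKE = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"Host: example.org\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# A downloader-style request where only the User-Agent was changed to match.
DOWNLOADER_SPOOFED_UA = (
    b"GET /favicon.ico HTTP/1.1\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Accept: */*\r\n"
    b"Host: example.org\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)


def parse_request(raw):
    """Split a raw request into its request line and ordered (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *lines = head.split("\r\n")
    headers = [tuple(part.strip() for part in line.split(":", 1)) for line in lines]
    return request_line, headers


def header_diff(reference, candidate):
    """Report every way the candidate request differs from the reference."""
    _, ref = parse_request(reference)
    _, cand = parse_request(candidate)
    ref_map = {name.lower(): value for name, value in ref}
    cand_map = {name.lower(): value for name, value in cand}
    ref_order = [n for n in ref_map if n in cand_map]
    cand_order = [n for n in cand_map if n in ref_map]
    return {
        "missing": sorted(set(ref_map) - set(cand_map)),
        "extra": sorted(set(cand_map) - set(ref_map)),
        # Values are compared byte for byte, so case differences count.
        "value_mismatch": sorted(n for n in ref_order if ref_map[n] != cand_map[n]),
        "order_mismatch": ref_order != cand_order,
        "identical_bytes": reference == candidate,
    }


if __name__ == "__main__":
    for key, value in header_diff(BROWSER_LIKE, DOWNLOADER_SPOOFED_UA).items():
        print(f"{key}: {value}")
```

A single request is indistinguishable on its headers only when `identical_bytes` is true; the multi-connection behaviour described in the Wireshark test is a separate, aggregate signal that this comparison does not cover.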