On 6/24/14, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote: > On 06/24/2014 06:56 AM, Jacob Appelbaum wrote: > [snip interesting discussion of user-agents for human-driven HTTP clients] > >> As for the system itself - I looked at `apt-get update` and found the >> following user agent during a fetch: >> >> GET /debian-backports/dists/squeeze-backports/Release.gpg HTTP/1.1 >> Host: backports.debian.org >> Cache-Control: max-age=0 >> User-Agent: Debian APT-HTTP/1.3 (0.8.10.3) >> Connection: keep-alive >> >> That seems like it is worth masking as well, especially since it runs >> as root! > > While i doubt that changing the User-Agent here will concretely hurt > anything, an adversary who can observe the HTTP request for > squeeze-backports/Release.gpg (and the associated Release, Packages, etc > -- a very distinct traffic pattern) will able to guess with very high > certainty what version of APT is making the connections in the first place. >
I wonder if that is true? I guess it might be true with enough observations. Wouldn't it be a possible release in a set amongst all the fetched releases? That is - I might run a newer version of `apt-get` and access older repositories, no? Seems like a wide variety of versions are possibly accessing that those mirrors. Leaking the version settles any speculation, of course. All the best, Jacob _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.