service and user-agent disclosure - please consider privacy
Richard
rz at linux-m68k.org
Wed Jan 11 11:43:29 UTC 2012
On Tue, Jan 10, 2012 at 10:53:52PM +0100, nodata wrote:
>
> Fonts are a bigger threat to privacy, see here:
> http://panopticlick.eff.org/

That apparently can be worked around at least partially with NoScript, but the user
agent string is insanely revealing (I do not even use lynx most of the time).
Even if I enable eff.org, all of the JavaScript tests fail - with JavaScript
and cookies *enabled* I get this:

Browser Characteristic | bits of identifying information | one in x browsers have this value
User Agent             | 20.87+                          | 1918455
HTTP_ACCEPT Headers    | 3.79                            | 13.8
Browser Plugin Details | 1.91                            | 3.75 - no javascript
Time Zone              | 1.9                             | 3.73 - no javascript
Screen Size etc        | 1.9                             | 3.73 - no javascript
System Fonts           | 1.9                             | 3.73 - no javascript
Are Cookies Enabled?   | 0.39                            | 1.31 Yes
supercookie test       | 1.9                             | 3.73 - no javascript

It seems not surprising that eff.org visitors are paranoid, so the JavaScript blocking
may be slightly more identifying than suggested by these numbers, but still nowhere
close to the user agent. Btw, I am pretty sure that the EFF numbers are an underestimate:
I cannot imagine anyone else in the world has the same user agent string as me,
and there ought to be some more than 1918455 browsers worldwide.

> Privacy conscious users are able to install a user agent switching
> extension.
Have one of those. How effective is that? Many users will pick some fake
browser id which is trivially detectable as fake. Each time I switch I must
also clear cookies and beware of referrer headers as an absolute minimum.
How many users are able to handle this?
Every little mistake makes you perfectly unique.

Also, do I as a proud Fedora user really want to use an MS or some other fake user
agent string?

Compare how much better privacy protection we could get if the user agent did
reveal just "Fedora" and browser type for all Fedora users by default.
Does any Fedora user really *want* to advertise the exact defaults of his soft
and hardware to every visited website? Does it ever help anyone except marketing
companies or criminals?

The browser is just one small part of the puzzle. For example, my email program
is revealing, and my SMTP server adds even more info to it.

Richard
---
Name and OpenPGP keys available from pgp key servers
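
Added example, not part of the original message: the Panopticlick columns quoted above are related by bits = log2(one in x), and the sketch below applies the same measure to a constructed set of User-Agent strings before and after reducing each to "Fedora" plus browser type, as the message proposes. The sample strings and the `coarsen` helper are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of User-Agent strings (illustrative, not captured traffic).
FX = "Mozilla/5.0 (X11; U; Linux {arch}; {loc}; rv:{rv}) Gecko/20111108 Fedora/{v}-1.{fc} Firefox/{v}"
EP = "Mozilla/5.0 (X11; Linux {arch}) AppleWebKit/534.26+ (KHTML, like Gecko) Fedora/3.0.4-1.fc15 Epiphany/3.0.4"
SAMPLE_UAS = [
    FX.format(arch="x86_64", loc="en-US", rv="1.9.2.24", v="3.6.24", fc="fc14"),
    FX.format(arch="x86_64", loc="en-US", rv="1.9.2.24", v="3.6.24", fc="fc14"),
    FX.format(arch="i686", loc="en-US", rv="1.9.2.24", v="3.6.24", fc="fc14"),
    FX.format(arch="x86_64", loc="de-DE", rv="1.9.2.24", v="3.6.24", fc="fc14"),
    FX.format(arch="x86_64", loc="en-US", rv="1.9.2.23", v="3.6.23", fc="fc13"),
    FX.format(arch="x86_64", loc="en-GB", rv="1.9.2.17", v="3.6.17", fc="fc13"),
    EP.format(arch="x86_64"),
    EP.format(arch="i686"),
]

def surprisal_bits(one_in_x):
    """Bits of identifying information for a value shared by one in x browsers."""
    return math.log2(one_in_x)

def coarsen(ua):
    """Hypothetical reduced header: distribution name and browser family only."""
    distro = "Fedora" if "Fedora" in ua else "Other"
    match = re.search(r"Firefox|Epiphany|Konqueror|Chrome", ua)
    return f"{distro}; {match.group(0) if match else 'Unknown'}"

def entropy_bits(values):
    """Average bits of identifying information the header carries in this population."""
    total = len(values)
    return sum(n / total * math.log2(total / n) for n in Counter(values).values())

def smallest_anonymity_set(values):
    """Size of the smallest group of users sharing one header value."""
    return min(Counter(values).values())

if __name__ == "__main__":
    coarse = [coarsen(ua) for ua in SAMPLE_UAS]
    print(f"1 in 1918455 -> {surprisal_bits(1918455):.2f} bits")
    print(f"full UA:    {entropy_bits(SAMPLE_UAS):.2f} bits, "
          f"smallest set {smallest_anonymity_set(SAMPLE_UAS)}")
    print(f"coarsened:  {entropy_bits(coarse):.2f} bits, "
          f"smallest set {smallest_anonymity_set(coarse)}")
```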