service and user-agent disclosure - please consider privacy

Richard rz at linux-m68k.org
Wed Jan 11 11:43:29 UTC 2012


On Tue, Jan 10, 2012 at 10:53:52PM +0100, nodata wrote:

> 
> Fonts are a bigger threat to privacy, see here:
>  http://panopticlick.eff.org/

That apparently can be worked around, at least partially, with NoScript, but the user
agent string is insanely revealing (I do not even use lynx most of the time).
Even if I enable eff.org, all of the javascript tests fail; with javascript
and cookies *enabled* I get this:

Browser Characteristic | bits of identifying information | one in x browsers have this value
User Agent             | 20.87+                          | 1918455
HTTP_ACCEPT Headers    | 3.79                            | 13.8
Browser Plugin Details | 1.91                            | 3.75 - no javascript
Time Zone              | 1.9                             | 3.73 - no javascript
Screen Size etc        | 1.9                             | 3.73 - no javascript
System Fonts           | 1.9                             | 3.73 - no javascript
Are Cookies Enabled?   | 0.39                            | 1.31 - Yes
supercookie test       | 1.9                             | 3.73 - no javascript

It seems unsurprising that eff.org visitors are paranoid, so the javascript blocking
may be slightly more identifying than these numbers suggest, but still nowhere
close to the user agent. Btw, I am pretty sure that the EFF numbers are an underestimate:
I cannot imagine anyone else in the world has the same user agent string as me,
and there ought to be somewhat more than 1918455 browsers worldwide.

> Privacy conscious users are able to install a user agent switching 
> extension.

I have one of those. How effective is that? Many users will pick some fake
browser id which is trivially detectable as fake. Each time I switch I must
also clear cookies and beware of referrer headers as an absolute minimum.
How many users are able to handle this?
Every little mistake makes you perfectly unique.

Also, do I, as a proud Fedora user, really want to use an MS or some other fake user
agent string?

Compare how much better privacy protection we could get if the user agent
revealed just "Fedora" and the browser type for all Fedora users by default.

Does any Fedora user really *want* to advertise the exact defaults of his software
and hardware to every visited website? Does it ever help anyone except marketing
companies or criminals?

The browser is just one small part of the puzzle. For example my email program 
is revealing, and my smtp server adds even more info to it.

Richard

---
Name and OpenPGP keys available from pgp key servers
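As an added illustration, not part of Richard's message: Panopticlick's "bits of identifying information" is the surprisal log2(x) of a value seen in one of x browsers, and the script below checks that relation for every row of the table quoted above, adds the rows up the way Panopticlick does (assuming independence), shows how dominant the user agent is, and works out what a user agent would be worth if it were unique in a larger population than the sample (assuming Panopticlick reports "1 in N" for a value seen once among N collected fingerprints). The 2**31 population is a hypothetical input, not a figure from the thread.

```python
import math

# Rows constructed from the Panopticlick table quoted in the post:
# (characteristic, reported bits, reported "one in x browsers").
PANOPTICLICK_ROWS = [
    ("User Agent", 20.87, 1918455),
    ("HTTP_ACCEPT Headers", 3.79, 13.8),
    ("Browser Plugin Details", 1.91, 3.75),
    ("Time Zone", 1.9, 3.73),
    ("Screen Size etc", 1.9, 3.73),
    ("System Fonts", 1.9, 3.73),
    ("Are Cookies Enabled?", 0.39, 1.31),
    ("supercookie test", 1.9, 3.73),
]

def surprisal_bits(one_in_x: float) -> float:
    """Bits carried by a value shared by 1 in one_in_x browsers: -log2(1/x)."""
    return math.log2(one_in_x)

def check_rows(rows, tolerance: float = 0.01) -> list:
    """Names of rows whose reported bits disagree with log2(one in x)."""
    return [name for name, bits, one_in_x in rows
            if abs(surprisal_bits(one_in_x) - bits) > tolerance]

def total_bits(rows) -> float:
    """Bits of the combined fingerprint if the characteristics were independent
    (how Panopticlick adds them up; correlated traits make this an overestimate)."""
    return sum(bits for _, bits, _ in rows)

def share_of_fingerprint(rows, name: str) -> float:
    """Fraction of the total fingerprint bits contributed by one characteristic."""
    bits = next(b for n, b, _ in rows if n == name)
    return bits / total_bits(rows)

def bits_if_unique_in(population: int) -> float:
    """Bits a value is worth if it is unique among `population` browsers.
    Panopticlick cannot report "one in x" beyond its own sample size, so a value
    that is unique in a larger real population carries more bits than reported.
    `population` is a hypothetical input, not a figure from the thread."""
    return math.log2(population)

if __name__ == "__main__":
    rows = PANOPTICLICK_ROWS
    print("rows disagreeing with log2(x):", check_rows(rows))
    print("total bits:", round(total_bits(rows), 2))
    print("user agent share:", round(share_of_fingerprint(rows, "User Agent"), 3))
    print("bits if unique among 2**31 browsers:", bits_if_unique_in(2**31))
```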
