From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Richard Stallman Newsgroups: gmane.emacs.devel Subject: Re: Making package.el talk over Tor Date: Sat, 16 Dec 2023 22:21:13 -0500 Message-ID: References: <8734ybkqf4.fsf@disroot.org> <87sf54q2t8.fsf@posteo.net> <87o7etlzx7.fsf@posteo.net> Reply-To: rms@gnu.org Content-Type: text/plain; charset=Utf-8 Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="26863"; mail-complaints-to="usenet@ciao.gmane.io" Cc: akib@disroot.org, emacs-devel@gnu.org To: Philip Kaludercic Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sun Dec 17 04:22:13 2023 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1rEhjJ-0006oR-0C for ged-emacs-devel@m.gmane-mx.org; Sun, 17 Dec 2023 04:22:13 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rEhiO-0006Ip-PL; Sat, 16 Dec 2023 22:21:16 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rEhiM-0006IJ-T3 for emacs-devel@gnu.org; Sat, 16 Dec 2023 22:21:15 -0500 Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rEhiM-0008BW-4u; Sat, 16 Dec 2023 22:21:14 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=Date:References:Subject:In-Reply-To:To:From: mime-version; bh=2FQxszDAQZ5CsYuuv3MpIpHoM3FiSWFNNl8oQK+oSSQ=; b=NU1/XhYI2t77 2bS1XgZCaNXqWKDx6aW/6gD0auOgRJCF+MkgU0Pv+jfJoLcGbjEVLqKkM34dx4y+EXoRYj7ykLUjC ttQGz82U/f8AtbxjKg1YUzzViitkvDvI27Duhtish8S4jrqGjY9//8zljebI9IZi9IMEdsa5KZ9pg dLNCOiCXXA42VqY22/9cdACapyw6XEkYv7hBu0tOBovFJofFOvkTLt70cnRMQFVtph7MMeqIVhDia NLHw/zIX5JiiJkIL7uHpsFuv4UCEUPBNU0z58+LRTDS8SQbN+CLEul+rOjUedu8P8ZOAzaeCTE0nT kvr3K7Cr9hk6b9tPurs1Hw==; Original-Received: from rms by fencepost.gnu.org with local (Exim 4.90_1) (envelope-from ) id 1rEhiL-000269-TZ; Sat, 16 Dec 2023 22:21:13 -0500 In-Reply-To: <87o7etlzx7.fsf@posteo.net> (message from Philip Kaludercic on Thu, 14 Dec 2023 12:41:08 +0000) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:313897 Archived-At: [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > 185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test HTTP/1.1" 301 169 "https://amodernist.com/" "URL/Emacs Emacs/30.0.50 (PureGTK; x86_64-pc-linux-gnu)" > As you can see the User-Agent indicates that I am using Emacs, what > version and even my architecture. Compare that to the user agent that > you'd regularly encounter from an average browser: We should (1) let users specify what User-Agent to send, and (2) maybe choose a different default. Icecat, by default, identifies itself as some widely used proprietary browser running on Windows. > Other than the user-agent, there are certainly other bits of behaviour > that a malicious actor can use to track a user, such as the order in > which HTTP headers are transmitted, the size of chunks by which the > client sends and receives data and of course what requests aren't being > sent (e.g. due to a lack of Javascript in EWW). We could work on making Emacs-based browsing more similar to the most common browsers, in such aspects of visible behavior. > and of course what requests aren't being > sent (e.g. due to a lack of Javascript in EWW). Compareed with the harm done by _running_ the page's Javascript, giving evidence of not running Javascript is arguably a far lesser evil. That said, one important method for preventing sites from effectively profiling you is to connect to them through Tor. In fact, connecting directly enables OTHERS that observe your network traffic to figure out what you are talking to! That is why I want to connect to the Emacs package repo via Tor. I am not worried about being profiled by the Emacs package repo! More generally, if all that distinguishes you in the actual interaction with a site is that you don't run the Javascript, and you connect through Tor, whatever site you are talking to will have trouble distinguishing you from other users that don't run the Javascript. > That being said: All of this doesn't matter that much for package.el, > since most people are accessing it via Emacs. I agree. However, these issues may have some real importance for the case of using EWW to look at pages _other than_ the Emacs package repo. -- Dr Richard Stallman (https://stallman.org) Chief GNUisance of the GNU Project (https://gnu.org) Founder, Free Software Foundation (https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org)