From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: chad Newsgroups: gmane.emacs.devel Subject: Re: Changing user agent on eww [OT] Date: Thu, 23 Jan 2014 20:27:23 -0800 Message-ID: References: <16166511.vzeQlYYo3r@descartes> <87ob32mf2a.fsf_-_@gmail.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=001a113323b84c9f1504f0afc64c X-Trace: ger.gmane.org 1390537651 4449 80.91.229.3 (24 Jan 2014 04:27:31 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Fri, 24 Jan 2014 04:27:31 +0000 (UTC) Cc: "Trent W. Buck" , EMACS development team To: Stefan Monnier Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Jan 24 05:27:39 2014 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1W6YMk-0006mU-BD for ged-emacs-devel@m.gmane.org; Fri, 24 Jan 2014 05:27:38 +0100 Original-Received: from localhost ([::1]:44337 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1W6YMj-0001Ka-Qh for ged-emacs-devel@m.gmane.org; Thu, 23 Jan 2014 23:27:37 -0500 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:57557) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1W6YMd-0001KI-6h for emacs-devel@gnu.org; Thu, 23 Jan 2014 23:27:36 -0500 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1W6YMX-0005ct-G3 for emacs-devel@gnu.org; Thu, 23 Jan 2014 23:27:31 -0500 Original-Received: from mail-ig0-x22c.google.com ([2607:f8b0:4001:c05::22c]:44936) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1W6YMX-0005ca-9t for emacs-devel@gnu.org; Thu, 23 Jan 2014 23:27:25 -0500 Original-Received: by mail-ig0-f172.google.com with SMTP id k19so1543725igc.5 for ; Thu, 23 Jan 2014 20:27:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fQrg/a3pxAPL5n/TBLWN2Gs0ziU6MiuMzdjoZghli64=; b=Ua8RxB68P1HCktlOA7cBehaNKcGmYUzjioEB+6ZQgam7xTN0OOvIUFQoHa+K6dx0LZ afQLDZjB0GJh3+RvKv7BO6Tsdu34W+yIWlpHptkJSBLEHj1IV4aAvcMtM7PzZpTwk+js ZJ0NFYgUl5cNT+eJn4c1wuaRMl45CAZZ1fZkv5PVd/Ts561Qo5/AsRw3B4ac4EVa25u5 8wyzb0m7BcSBu+p2lgdcf6cqIY+nhSh0xHqR4l3S+RJWLmCc6JCxi1Ex4AzcbQ+RGMoT OzuTPxYlWdhfOxvA21WUtyo5+Qj8cEv3T9NwopyYcOzwYsfqR/O3BWa6ZvSmhwo5Ev9k s6KA== X-Received: by 10.42.226.66 with SMTP id iv2mr9160244icb.11.1390537643693; Thu, 23 Jan 2014 20:27:23 -0800 (PST) Original-Received: by 10.50.43.196 with HTTP; Thu, 23 Jan 2014 20:27:23 -0800 (PST) In-Reply-To: X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value). X-Received-From: 2607:f8b0:4001:c05::22c X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:168993 Archived-At: --001a113323b84c9f1504f0afc64c Content-Type: text/plain; charset=ISO-8859-1 On Thu, Jan 23, 2014 at 5:50 PM, Stefan Monnier wrote: > > Hmm... I wonder if https://panopticlick.eff.org/ rates "no UA" as being > > *more* identifiable than spoofing it to something commonplace? :-) > > BTW, I was recently thinking about this "http header fingerprinting" > problem and was wondering if anybody has tried to randomize > their header. > More specifically, change part of the header for each request. > An obvious option is to add a counter to the "user-agent", and to add > a "blur" factor to the language options. > > E.g. my "en-us,fr-ch;q=0.8,es-ar;q=0.6,en;q=0.4,de;q=0.2" appears to be > very > rare, but if it keeps changing from > > en-us,fr-ch;q=0.80000234,es-ar;q=0.60000765,en;q=0.40000345,de;q=0.20000123 > to > en-us,fr-ch;q=0.80000983,es-ar;q=0.60000923,en;q=0.40000186,de;q=0.20000236 > to ... > then a naive fingerprinting will be fooled into thinking it's coming > from a different user. > It's not a bad idea, but I wouldn't try it specifically with q-values, as they're likely discarded by the server before they get to the browser-id step. ~Chad --001a113323b84c9f1504f0afc64c Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

= On Thu, Jan 23, 2014 at 5:50 PM, Stefan Monnier <monnier@iro.umontr= eal.ca> wrote:
> Hmm... I wonder if https://panopticl= ick.eff.org/ rates "no UA" as being
> *more* identifiable than spoofing it to something commonplace? :-)

BTW, I was recently thinking about this "http header fingerprint= ing"
problem and was wondering if anybody has tried to randomize
their header.
More specifically, change part of the header for each request.
An obvious option is to add a counter to the "user-agent", and to= add
a "blur" factor to the language options.

E.g. my "en-us,fr-ch;q=3D0.8,es-ar;q=3D0.6,en;q=3D0.4,de;q=3D0.2"= appears to be very
rare, but if it keeps changing from
=A0 =A0en-us,fr-ch;q=3D0.80000234,es-ar;q=3D0.60000765,en;q=3D0.40000345,de= ;q=3D0.20000123
to en-us,fr-ch;q=3D0.80000983,es-ar;q=3D0.60000923,en;q=3D0.40000186,de;q= =3D0.20000236
to ...
then a naive fingerprinting will be fooled into thinking it's coming from a different user.

It's not a b= ad idea, but I wouldn't try it specifically with q-values, as they'= re likely discarded by the server before they get to the browser-id step.

~Chad
--001a113323b84c9f1504f0afc64c--