[PATCH] Omit User-Agent: header by default

[PATCH] Omit User-Agent: header by default

[Daniel Kahn Gillmor]

The User-Agent: header can be fun and interesting, but it also leaks
quite a bit of information about the user and their software stack.

This represents a potential security risk (attackers can target the
particular stack) and also an anonymity risk (a user trying to
preserve their anonymity by sending mail from a non-associated account
might reveal quite a lot of information if their choice of mail user
agent is exposed).

This change also avoids hiding the User-Agent header by default, so
that people who decide they want to send it will at least see it (and
can edit it if they want to) before sending.

It makes sense to have safer defaults.
---
 emacs/notmuch-mua.el | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 1ca8056..f3a4e5a 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -62,7 +62,7 @@ disabled: this would result in an incorrect behavior."))
 		 (const :tag "Compose mail in a new window"  new-window)
 		 (const :tag "Compose mail in a new frame"   new-frame)))
 
-(defcustom notmuch-mua-user-agent-function 'notmuch-mua-user-agent-full
+(defcustom notmuch-mua-user-agent-function nil
   "Function used to generate a `User-Agent:' string. If this is
 `nil' then no `User-Agent:' will be generated."
   :type '(choice (const :tag "No user agent string" nil)
@@ -73,7 +73,7 @@ disabled: this would result in an incorrect behavior."))
 			   :value notmuch-mua-user-agent-full))
   :group 'notmuch-send)
 
-(defcustom notmuch-mua-hidden-headers '("^User-Agent:")
+(defcustom notmuch-mua-hidden-headers nil
   "Headers that are added to the `message-mode' hidden headers
 list."
   :type '(repeat string)
-- 
2.8.1

Re: [PATCH] Omit User-Agent: header by default

[David Bremner]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> The User-Agent: header can be fun and interesting, but it also leaks
> quite a bit of information about the user and their software stack.
>

No objections in principle, but someone (TM) needs to fix up the
resulting failures in the test suite.

d

[PATCH v2] Omit User-Agent: header by default

[Daniel Kahn Gillmor]

The User-Agent: header can be fun and interesting, but it also leaks
quite a bit of information about the user and their software stack.

This represents a potential security risk (attackers can target the
particular stack) and also an anonymity risk (a user trying to
preserve their anonymity by sending mail from a non-associated account
might reveal quite a lot of information if their choice of mail user
agent is exposed).

This change also avoids hiding the User-Agent header by default, so
that people who decide they want to send it will at least see it (and
can edit it if they want to) before sending.

It makes sense to have safer defaults.
---
 emacs/notmuch-mua.el |  4 ++--
 test/T310-emacs.sh   | 16 ----------------
 2 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
index 1ca8056..f3a4e5a 100644
--- a/emacs/notmuch-mua.el
+++ b/emacs/notmuch-mua.el
@@ -62,7 +62,7 @@ disabled: this would result in an incorrect behavior."))
 		 (const :tag "Compose mail in a new window"  new-window)
 		 (const :tag "Compose mail in a new frame"   new-frame)))
 
-(defcustom notmuch-mua-user-agent-function 'notmuch-mua-user-agent-full
+(defcustom notmuch-mua-user-agent-function nil
   "Function used to generate a `User-Agent:' string. If this is
 `nil' then no `User-Agent:' will be generated."
   :type '(choice (const :tag "No user agent string" nil)
@@ -73,7 +73,7 @@ disabled: this would result in an incorrect behavior."))
 			   :value notmuch-mua-user-agent-full))
   :group 'notmuch-send)
 
-(defcustom notmuch-mua-hidden-headers '("^User-Agent:")
+(defcustom notmuch-mua-hidden-headers nil
   "Headers that are added to the `message-mode' hidden headers
 list."
   :type '(repeat string)
diff --git a/test/T310-emacs.sh b/test/T310-emacs.sh
index 65c1728..202fc3b 100755
--- a/test/T310-emacs.sh
+++ b/test/T310-emacs.sh
@@ -193,7 +193,6 @@ emacs_deliver_message \
      (kill-whole-line)
      (insert "To: user@example.com\n")'
 sed \
-    -e s',^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' \
     -e s',^Message-ID: <.*>$,Message-ID: <XXX>,' \
     -e s',^\(Content-Type: text/plain\); charset=us-ascii$,\1,' < sent_message >OUTPUT
 cat <<EOF >EXPECTED
@@ -201,7 +200,6 @@ From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: user@example.com
 Subject: Testing message sent via SMTP
 Date: 01 Jan 2000 12:00:00 -0000
-User-Agent: Notmuch/XXX Emacs/XXX
 Message-ID: <XXX>
 MIME-Version: 1.0
 Content-Type: text/plain
@@ -310,7 +308,6 @@ test_emacs '(let ((message-hidden-headers ''()))
 	    (test-output))'
 sed -i -e 's/^In-Reply-To: <.*>$/In-Reply-To: <XXX>/' OUTPUT
 sed -i -e 's/^References: <.*>$/References: <XXX>/' OUTPUT
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: user@example.com
@@ -318,7 +315,6 @@ Subject: Re: Testing message sent via SMTP
 In-Reply-To: <XXX>
 Fcc: ${MAIL_DIR}/sent
 References: <XXX>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Notmuch Test Suite <test_suite@notmuchmail.org> writes:
 
@@ -335,7 +331,6 @@ test_emacs "(let ((message-hidden-headers '()))
 	    (notmuch-test-wait)
 	    (notmuch-search-reply-to-thread)
 	    (test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite_other@notmuchmail.org>
 To: Sender <sender@example.com>
@@ -343,7 +338,6 @@ Subject: Re: ${test_subtest_name}
 In-Reply-To: <${gen_msg_id}>
 Fcc: ${MAIL_DIR}/sent
 References: <${gen_msg_id}>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Sender <sender@example.com> writes:
 
@@ -361,7 +355,6 @@ test_emacs "(let ((message-hidden-headers '()))
 	    (notmuch-test-wait)
 	    (notmuch-search-reply-to-thread)
 	    (test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: Sender <sender@example.com>, someone@example.com
@@ -369,7 +362,6 @@ Subject: Re: ${test_subtest_name}
 In-Reply-To: <${gen_msg_id}>
 Fcc: ${MAIL_DIR}/sent
 References: <${gen_msg_id}>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Sender <sender@example.com> writes:
 
@@ -382,7 +374,6 @@ test_emacs '(let ((message-hidden-headers ''()))
 	    (notmuch-show "id:20091118002059.067214ed@hikari")
 		(notmuch-show-reply)
 		(test-output))'
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: Adrian Perez de Castro <aperez@igalia.com>, notmuch@notmuchmail.org
@@ -390,7 +381,6 @@ Subject: Re: [notmuch] Introducing myself
 In-Reply-To: <20091118002059.067214ed@hikari>
 Fcc: ${MAIL_DIR}/sent
 References: <20091118002059.067214ed@hikari>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Adrian Perez de Castro <aperez@igalia.com> writes:
 
@@ -447,7 +437,6 @@ test_emacs '(let ((message-hidden-headers ''()))
 	    (notmuch-show "id:cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a@mail.gmail.com")
 		(notmuch-show-reply)
 		(test-output))'
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: Alex Botero-Lowry <alex.boterolowry@gmail.com>, notmuch@notmuchmail.org
@@ -455,7 +444,6 @@ Subject: Re: [notmuch] preliminary FreeBSD support
 In-Reply-To: <cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a@mail.gmail.com>
 Fcc: ${MAIL_DIR}/sent
 References: <cf0c4d610911171136h1713aa59w9cf9aa31f052ad0a@mail.gmail.com>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Alex Botero-Lowry <alex.boterolowry@gmail.com> writes:
 
@@ -521,7 +509,6 @@ test_emacs "(let ((message-hidden-headers '()))
 	    (notmuch-show \"id:${gen_msg_id}\")
 	    (notmuch-show-reply)
 	    (test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: 
@@ -529,7 +516,6 @@ Subject: Re: Reply within emacs to an html-only message
 In-Reply-To: <${gen_msg_id}>
 Fcc: ${MAIL_DIR}/sent
 References: <${gen_msg_id}>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Notmuch Test Suite <test_suite@notmuchmail.org> writes:
 
@@ -546,7 +532,6 @@ test_emacs "(let ((message-hidden-headers '()))
 	      (notmuch-show \"id:$message_id\")
 	      (notmuch-show-reply)
 	      (test-output))"
-sed -i -e 's,^User-Agent: Notmuch/.* Emacs/.*,User-Agent: Notmuch/XXX Emacs/XXX,' OUTPUT
 cat <<EOF >EXPECTED
 From: Notmuch Test Suite <test_suite@notmuchmail.org>
 To: 
@@ -554,7 +539,6 @@ Subject: Re: Quote MML tags in reply
 In-Reply-To: <test-emacs-mml-quoting@message.id>
 Fcc: ${MAIL_DIR}/sent
 References: <test-emacs-mml-quoting@message.id>
-User-Agent: Notmuch/XXX Emacs/XXX
 --text follows this line--
 Notmuch Test Suite <test_suite@notmuchmail.org> writes:
 
-- 
2.8.1

Re: [PATCH v2] Omit User-Agent: header by default

[Gaute Hope]

[-- Attachment #1: Type: text/plain, Size: 394 bytes --]

Daniel Kahn Gillmor writes on august 9, 2016 1:35:
> The User-Agent: header can be fun and interesting, but it also leaks
> quite a bit of information about the user and their software stack.

Is the message-id generated by gnus or notmuch-emacs? I could not find
the relevant code. I noticed it has an *.fsf@* part as well as the,
probably customizable, local FQDN.

Regards, Gaute


[-- Attachment #2: Type: application/pgp-signature, Size: 801 bytes --]

Re: [PATCH v2] Omit User-Agent: header by default

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 698 bytes --]

On Tue 2016-08-09 02:02:49 -0400, Gaute Hope wrote:
> Daniel Kahn Gillmor writes on august 9, 2016 1:35:
>> The User-Agent: header can be fun and interesting, but it also leaks
>> quite a bit of information about the user and their software stack.
>
> Is the message-id generated by gnus or notmuch-emacs? I could not find
> the relevant code. I noticed it has an *.fsf@* part as well as the,
> probably customizable, local FQDN.

agreed, this is another metadata leak that we should fix, but i don't
think it needs to be conflated with this one.

does anyone know of a useful standard for message-id generation that
would put gnus/notmuch-emacs/mml users into a larger anonymity set?

      --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 930 bytes --]

Re: [PATCH v2] Omit User-Agent: header by default

[David Bremner]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> The User-Agent: header can be fun and interesting, but it also leaks
> quite a bit of information about the user and their software stack.

pushed to master