[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Torbutton : please offer better user agent choices

Thus spake andrew@xxxxxxxxxxxxxx (andrew@xxxxxxxxxxxxxx):

> On Fri, Feb 12, 2010 at 05:27:21AM -0500, twinkletoedturtle@xxxxxxxxxxxxx wrote 5.1K bytes in 106 lines about:
> : This has already been discussed previously, I was moving on to ask if
> : this feature could be added, not debated.
> The simple answer right now is no.  There is exactly one person working
> on torbutton.  There is also one GSoC-student who has a degree to finish
> and hacks on torbutton in their spare time.  Giving users the ability to
> partition themselves at will isn't something we want to do.
> Mike has already responded to this once, but it's his choice if he wants
> to respond again.

Right. This is a very strange and frustrating thread. In fact, at
first I suspected it was just a troll looking to waste my time and

But to give Ms/Mr. Turtle the benefit of the doubt, here's the story,
one last time: The other features of Torbutton that allow one to shoot
themselves in the foot exist because they enable the functionality of
plugins or other addons or allow the user to work around bugs.

We are not in the habit of providing features that are demonstrably
bad for anonymity for no reason, and I am certainly not going to
give such work priority over much more important things such as
improving the performance of the network as a whole (for ex, my latest
work: http://archives.seul.org/or/dev/Jan-2010/msg00012.html).

The answer is "Use UA Switcher to give yourself a unique ID if you
want", and that's final. Hell, go ahead and write the SHA1 hash of
your address and social security number in there if that turns you on.
It still won't make you look one bit less like a Tor user, I can
promise you that.

Furthermore, if UA Switcher it had real malcode in it, it would have
been found by now. It is an extremely simple and seldom-updated addon
whose code is public and open source, and it has been tested to work
just fine with Torbutton. I am committed to fixing any
interoperability bugs that turn up with it or any other addons.

If update authentication failure or a.m.o tampering is your real
concern, perhaps someone in the community here can review and sign
Chris Pederick's releases, and/or request that he sign them as well.

That said, I do realize Torbutton's user agent string is in need of an
update, but I've wanted to avoid doing that when there are actual
privacy attacks that apply to the Torbutton versions before the
switch. Perhaps the next release will update us to the latest Firefox
3.5 Windows release.

Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpeai87JA7zo.pgp
Description: PGP signature