[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Threats to anonymity set at and above the application layer; HTTP headers



On Sat, May 20, 2006 at 02:37:39PM -0400, Ringo Kamens wrote:
> I have a few points to add. For one, if you choose a user-agent that
> is a linux build every time you start firefox (as opposed to having it
> default) then that could be used as court evidence to say:
> Well, I couldn't be xxx because he used a linux browser and I'm
> obviously on windows and my user-agent field isn't spoofed.

I'm not a lawyer, so I'm not going to comment on your legal theories.

But from a technical anonymity perspective, choosing an unusual user
agent probably isn't a good idea: if 100K Tor users appear to be using
user agent X, and you use a less popular user agent Y, it's easier for
websites and observers to build a pseudonymous profile for your actions.

This is why I'd really like this discussion to arrive at an improved
privoxy configuration to ship with Tor: even if you, personally, know
a better configuration than the default, you might still be better off
using the default configuration in order to blend in with a larger
crowd.

See the "Anonymity loves company" paper for more discussion.

yrs,
-- 
Nick Mathewson

Attachment: pgpBkzs80rGLI.pgp
Description: PGP signature