Re: [dev] [surf] [patch] 13 patches from my Universal Same-Origin Policy branch

From: Markus Teich <markus.teich_AT_stusta.mhn.de>
Date: Thu, 26 Mar 2015 02:14:30 +0100

Nick wrote:
> - [PATCH 07/13] add random entropy to user-agent and accept-language headers.
>
> I definitely like the idea, but wonder whether the solution in the patch is a
> bit overkill. After all, if we're basically just trying to defeat hashing
> correlations, then one random byte at the end of each variable should be
> enough. Also, unless I'm misreading it, am I correct in thinking the
> user-agent string is fully random? I'm currently using one from an oldish
> firefox, to reduce fingerprintability a bit, and I get annoying warnings on
> github and a few other places as a result - isn't it better to use a
> common-ish UA string with some random crap on the end, so most stupid websites
> won't do something annoying?

Heyho,

randomizing these headers at all rapidly shrinks the anonymity set size. Sure,
for a dumb adversary every request seems to come from another user, but a smart
adversary won't take long to detect these changes, filter them out and have a
nice list of all surf users (and browsers which use the same pattern, which
would probably be not many). When setting the headers to a very common value
(unfortunately I did not find _the_ most common UA and accept-language header
values), users are guaranteed to be part of a very huge anonymity set. If you
really want to randomize the headers, pick a pool of the most common values and
pick one of them at random. This can however lead to different behaviour when
visiting a website twice.

I strongly advise against the randomization. It's also simpler in code to not
use it.

--Markus
Received on Thu Mar 26 2015 - 02:14:30 CET
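
The anonymity-set argument in the message above, modelled as an added example (not code from the thread or from the surf patches). The population counts, the UA strings, the number of surf users and the 8-hex-digit suffix format are all constructed assumptions.

```python
import random
import re
from collections import Counter

# Constructed population: header value -> number of other users sending it.
POPULATION = Counter({
    "Mozilla/5.0 (constructed common UA A)": 50000,
    "Mozilla/5.0 (constructed common UA B)": 30000,
    "Mozilla/5.0 (constructed common UA C)": 15000,
})
POOL = sorted(POPULATION)   # pool of common values
SURF_USERS = 40             # assumed number of users running the randomizing browser
SUFFIX = re.compile(r" [0-9a-f]{8}$")  # hypothetical random-suffix format

def randomized_ua(rng):
    """Common-ish UA with random bytes appended (the variant Nick suggests)."""
    return f"{rng.choice(POOL)} {rng.getrandbits(32):08x}"

def pooled_ua(rng):
    """Unmodified value drawn at random from the pool of common values."""
    return rng.choice(POOL)

def exact_match_set(ua):
    """Dumb observer: groups requests by exact header value (sender included)."""
    return POPULATION.get(ua, 0) + 1

def pattern_aware_set(ua):
    """Smart observer: treats the suffix pattern itself as the identifying feature."""
    if SUFFIX.search(ua):
        # Only clients that randomize carry the suffix, so the sender is
        # narrowed to that small group no matter what the random bytes are.
        return SURF_USERS
    return POPULATION.get(ua, 0) + 1

def distinct_values(make_ua, visits, rng):
    """How many different header values one user presents over repeated visits."""
    return len({make_ua(rng) for _ in range(visits)})

if __name__ == "__main__":
    rng = random.Random(0)
    ua = randomized_ua(rng)
    print("randomized, exact match  :", exact_match_set(ua))
    print("randomized, pattern aware:", pattern_aware_set(ua))
    print("fixed common value       :", pattern_aware_set(POOL[0]))
    print("pooled, values in 50 hits:", distinct_values(pooled_ua, 50, rng))
```
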
