Re: [dev] [surf] [patch] 13 patches from my Universal Same-Origin Policy branch

From: Markus Teich <markus.teich_AT_stusta.mhn.de>
Date: Sun, 29 Mar 2015 13:52:52 +0200

Heyho Ben,

Ben Woolley wrote:
> Yes, I agree completely with that theory, and you explained it really well.
> The good thing is that, with theory, you can prove the smallest anonymous set
> you can have with a particular set of information (right?). The concern that I
> have is that, as long as semi-fixed IP addresses are used, or even ranges of
> IP addresses are used, anonymous sets are fairly small in practice.

I don't know of any other useful measure for „anonymity“. Basically you want the
set of people who look exactly the same as you to be as big as possible. This is
formalized as anonymity sets.

> But if we don't send an Accept-Language header, and send a User-Agent that
> reports as a browser that normally sends an Accept-Language header, we have
> now isolated ourselves. If we mimic a WebKit browser, the hash may line up,
> since the header will likely be sent in the same order. Not sure, though. I
> will need to check if the order of setting the header matters, and see if I
> can get a bit-for-bit mimic.

The lack of specific headers when they are to be expected and the order in which
they appear in the request are two points definitely used to profile/identify
users. If we're going to use the Safari UA, then we should also take care that
all the other headers look like Safari's.

--Markus
Received on Sun Mar 29 2015 - 13:52:52 CEST
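
An added example, not part of the original message or of surf: it groups constructed requests into anonymity sets by header fingerprint, showing how a missing Accept-Language header or a different header order isolates a client that sends the same User-Agent. The header values, their order and the client labels are assumptions made for illustration, not Safari's real request layout.

```python
from collections import defaultdict

UA = "Mozilla/5.0 (constructed Safari-like UA)"
BASE = [("Accept", "text/html"), ("User-Agent", UA),
        ("Accept-Language", "en-us"), ("Accept-Encoding", "gzip, deflate")]

# Constructed sample requests (label, ordered headers); not captured traffic,
# and the header order is illustrative, not Safari's real one.
REQUESTS = [
    ("safari-1", BASE),
    ("safari-2", BASE),
    ("mimic-exact", list(BASE)),
    ("mimic-reordered", [BASE[1], BASE[0], BASE[2], BASE[3]]),
    ("mimic-no-lang", [h for h in BASE if h[0] != "Accept-Language"]),
]

def fingerprint(headers, use_order=True):
    """What an observer sees: header names and values, optionally their order."""
    items = [(name.lower(), value) for name, value in headers]
    return tuple(items if use_order else sorted(items))

def anonymity_sets(requests, use_order=True):
    """Group client labels by identical fingerprint."""
    sets = defaultdict(list)
    for label, headers in requests:
        sets[fingerprint(headers, use_order)].append(label)
    return dict(sets)

def set_size(label, requests, use_order=True):
    """Size of the anonymity set that contains the given client."""
    for members in anonymity_sets(requests, use_order).values():
        if label in members:
            return len(members)
    raise KeyError(label)

if __name__ == "__main__":
    for use_order in (True, False):
        print("observer uses header order:", use_order)
        for label, _ in REQUESTS:
            print(f"  {label:16} set size {set_size(label, REQUESTS, use_order)}")
```

Only the bit-for-bit mimic shares a set with the genuine clients when the observer looks at order; dropping the order check merges the reordered client back in, but the client without Accept-Language stays alone either way.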