Re: User-Agent strings, privacy and Debian browsers

To: Peter Eckersley <pde@eff.org>
Cc: Debian-devel@lists.debian.org, Seth David Schoen <schoen@eff.org>
Subject: Re: User-Agent strings, privacy and Debian browsers
From: Osamu Aoki <osamu@debian.org>
Date: Sat, 22 Sep 2007 18:27:51 +0900
Message-id: <[🔎] 20070922092751.GA27674@debian.org>
Mail-followup-to: Peter Eckersley <pde@eff.org>, Debian-devel@lists.debian.org, Seth David Schoen <schoen@eff.org>
In-reply-to: <[🔎] 1190422985.7667.63.camel@localhost>
References: <[🔎] 1190422985.7667.63.camel@localhost>

Hi,

I think one technical solution which seems o be good to one person may
not be good one for others.

You must think realistic solution which do not affect others in any
negative way and possibly give more benefits than just solving your own
corner case problem.

On Fri, Sep 21, 2007 at 06:03:05PM -0700, Peter Eckersley wrote:
> Consider for a moment a typical User-Agent string sent by a Debian web browser:
> 
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070802 Iceape/1.1.4 (Debian-1.1.4-1)
> 
> Unfortunately, the fact that this information identifies a specific
> package and version of that package means that Debian users (already a
> select group) have their browsing identities further distinguished by
> their User-Agent strings.

If you consider this being unfortunate, it must be so for you.
Although I feel different, I understand you care this.

> This means, in practice, that many sites will be able to track Debian
> users by their User-Agent, even if (say) the user is blocking cookies or
> limiting them to a single session and is changing IP address regularly.
> 
> What do people think of picking a single User-Agent string for all
> versions of all of Debian's Gecko-based browsers?

Why you force your own needs to others who do not need this feature?
You may be the only Debian user in the IP range, then your risk exposure
in your sense is still higher.

> Would there be any serious harm in terms of browser debugging?  Are
> there many sites which usefully treat different Gecko browsers
> differently?
> 
> As a far more hypothetical question, what would people think of picking
> a single User-Agent for Gecko-based browsers for a larger set of
> GNU/Linux distributions?  Obviously, there is much more politics there,
> because any distributions that joined would be losing the ability to
> measure their desktop market share by looking at web statistics.

What you need is some kind of optional browser plug-in program which
will let you select User-Agent string. 

I know some web site only accept some OS or browser.  So ability to
masqarade your system will let you access those site pretending to be
different User-Agent/OS :-)  That will have not benefit just security
ultraconcious like you but also have real practical advantage.

> Peter Eckersley                            pde@eff.org
> Staff Technologist                Tel  +1 415 436 9333 x131

Please think about creating such plug-in :-)

(Hmmm... there may already exist such plug-in...)

 http://chrispederick.com/work/user-agent-switcher/

Also there is good list of strings to chose from.

 http://www.testingreflections.com/node/view/5125

There seems to be problem installing to the Debian:
 http://forums.debian.net/viewtopic.php?p=19231&sid=beb199fd158d6235839dfc0676b9e6cf

Maybe, you can work with maintainer of packages to pre-include this
user-agent-switcher in the Debian distribution since this is GPL2.

Osamu

Reply to:

References:
- User-Agent strings, privacy and Debian browsers
  - From: Peter Eckersley <pde@eff.org>

Prev by Date: Re: Bug#443528: ITP: xmms-pulse -- Pulseaudio Output plugin for xmms
Next by Date: Re: Proposal regarding future packaging
Previous by thread: Re: User-Agent strings, privacy and Debian browsers
Next by thread: Re: User-Agent strings, privacy and Debian browsers
Index(es):
- Date
- Thread