Hi,

This site is interesting. It gives kind of a score of web browser trackability. [1]

@corvid, I thought you'd like to give it a look (AFAIR, you have submitted some standardizing to our HTTP querying in the past). It looks like our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.

It looks simple to provide some less unique alternatives in dillorc.

DISCLAIMER: this is just one little aspect of the privacy chain. Most probably this is moot unless you're behind a TOR ring. YMMV.

[1] https://panopticlick.eff.org/

--
Cheers
Jorge.-

On Mo, Sep 08, 2014, Jorge Arellano Cid wrote:
> Hi,
>
> This site is interesting. It gives kind of a score of web browser trackability. [1]
>
> @corvid, I thought you'd like to give it a look (AFAIR, you have submitted some standardizing to our HTTP querying in the past). It looks like our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
>
> It looks simple to provide some less unique alternatives in dillorc.

I once started to read the paper (stopped where the math gets too complicated ;-) ); I remember that it is relatively simple to track a browser even if the browser fingerprint, which consists of numerous attributes, changes slightly when only a few attributes (e.g. browser version) change. This gave me a vague idea to randomize these attributes exactly in a way to break re-detection. Dillo could perhaps be a good testbed for this.

> DISCLAIMER: this is just one little aspect of the privacy chain. Most probably this is moot unless you're behind a TOR ring. YMMV.

For what I've understood, TOR wouldn't help.

Sebastian

On Mon, Sep 08, 2014 at 09:42:06PM +0200, Sebastian Geerken wrote:
> On Mo, Sep 08, 2014, Jorge Arellano Cid wrote:
> > [...]
> > DISCLAIMER: this is just one little aspect of the privacy chain. Most probably this is moot unless you're behind a TOR ring. YMMV.
>
> For what I've understood, TOR wouldn't help.

I mean: usually an IP and a time window is all you need. Unless the site is being accessed in parallel from the same IP, there's almost no way to avoid session tracking. That's where TOR helps (AFAIU).

--
Cheers
Jorge.-

Hi,

On Mon, 8 Sep 2014 16:15:53 -0300 Jorge Arellano Cid <jcid at dillo.org> wrote:
> Hi,
>
> This site is interesting. It gives kind of a score of web browser trackability. [1]
>
> @corvid, I thought you'd like to give it a look (AFAIR, you have submitted some standardizing to our HTTP querying in the past). It looks like our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
>
> It looks simple to provide some less unique alternatives in dillorc.

The User Agent string of dillo does not have that many version numbers like the ones of other browsers. I compared the table with iceweasel and chromium. dillo was the least unique browser of them. But there is of course much more to improve.

Greetings
Andreas Kemnade

Jorge wrote:
> This site is interesting. It gives kind of a score of web browser trackability. [1]
>
> @corvid, I thought you'd like to give it a look (AFAIR, you have submitted some standardizing to our HTTP querying in the past). It looks like our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
>
> It looks simple to provide some less unique alternatives in dillorc.

Yes, this site was part of the impetus to work on the headers in March to make dillo resemble firefox more closely, and add deflate decompression and add keepalive.

User-agent is a little misleading in that I have a current firefox user-agent string, and panopticlick says that's one in 2701.57 browsers, but no doubt it's rather more common among the visitors in September 2014 specifically.

Somewhat related, I've been working on SSL in the browser, and https://www.ssllabs.com/ssltest/viewMyClient.html shows some more ways for browsers to reveal what they are.

> DISCLAIMER: this is just one little aspect of the privacy chain. Most probably this is moot unless you're behind a TOR ring. YMMV.

Indeed.

The browser on my not-incredibly-old ipod touch returned as unique, so people who run that configuration apparently have not found this site.

Dillo currently returns one-in-~85000, with the user-agent being the lion's share of that.

If we implement configurable user-agents, will we start getting code optimised for other people, which we can't run?

On 9/10/14, eocene <eocene at gmx.com> wrote:
> Jorge wrote:
> > This site is interesting. It gives kind of a score of web browser trackability. [1]
> >
> > @corvid, I thought you'd like to give it a look (AFAIR, you have submitted some standardizing to our HTTP querying in the past). It looks like our HTTP_ACCEPT and "User Agent" are the most vulnerable to tracking.
> >
> > It looks simple to provide some less unique alternatives in dillorc.
>
> Yes, this site was part of the impetus to work on the headers in March to make dillo resemble firefox more closely, and add deflate decompression and add keepalive.
>
> User-agent is a little misleading in that I have a current firefox user-agent string, and panopticlick says that's one in 2701.57 browsers, but no doubt it's rather more common among the visitors in September 2014 specifically.
>
> Somewhat related, I've been working on SSL in the browser, and https://www.ssllabs.com/ssltest/viewMyClient.html shows some more ways for browsers to reveal what they are.
>
> > DISCLAIMER: this is just one little aspect of the privacy chain. Most probably this is moot unless you're behind a TOR ring. YMMV.
>
> Indeed.

James wrote:
> If we implement configurable user-agents, will we start getting code optimised for other people, which we can't run?

There is the http_user_agent preference in dillorc.

As for getting pages shaped for others, yes. If you're curious, I suppose you could check the Vary header in the HTTP response and see how often User-Agent is included there.
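
Added example, not part of the original thread and not Dillo code: the Vary check suggested in the last message, run over response headers and counting how often User-Agent is listed. The host names and header blocks in `SAMPLE_RESPONSES` are constructed for illustration; the function names are hypothetical.

```python
# Count how often a server declares that its response depends on User-Agent.
# SAMPLE_RESPONSES holds constructed header blocks, not captures from real sites.
SAMPLE_RESPONSES = {
    "a.example": "HTTP/1.1 200 OK\r\nVary: Accept-Encoding, User-Agent\r\n\r\n",
    # Lower-case header name; the body text must not be mistaken for a header.
    "b.example": "HTTP/1.1 200 OK\r\nvary: accept-encoding\r\n\r\n"
                 "Vary: User-Agent in body text",
    # Vary may be sent more than once; the lists are combined.
    "c.example": "HTTP/1.1 200 OK\r\nVary: Accept-Encoding\r\n"
                 "Vary: user-agent\r\n\r\n",
    # Wildcard: the response may depend on anything, User-Agent included.
    "d.example": "HTTP/1.1 200 OK\r\nVary: *\r\n\r\n",
    # No Vary at all; a similarly named header must not match.
    "e.example": "HTTP/1.1 200 OK\r\nX-Vary-Info: User-Agent\r\n\r\n",
}


def vary_fields(raw_response):
    """Return the lower-cased field names listed in all Vary headers."""
    head = raw_response.split("\r\n\r\n", 1)[0]    # drop the body
    fields = set()
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "vary":
            continue
        for item in value.split(","):
            item = item.strip().lower()
            if item:
                fields.add(item)
    return fields


def classify(raw_response):
    """Return 'any' for Vary: *, 'user-agent' if listed, otherwise 'no'."""
    fields = vary_fields(raw_response)
    if "*" in fields:
        return "any"
    return "user-agent" if "user-agent" in fields else "no"


def summarize(responses):
    """Tally the classification over a mapping of host -> raw response."""
    counts = {"user-agent": 0, "any": 0, "no": 0}
    for raw in responses.values():
        counts[classify(raw)] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSES))
```

A server can shape content by User-Agent without declaring it in Vary, so the count is a lower bound on how often the header influences what a browser receives.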