Nick wrote: > - [PATCH 07/13] add random entropy to user-agent and accept-language headers. > > I definitely like the idea, but wonder whether the solution in the patch is a > bit overkill. After all, if we're basically just trying to defeat hashing > correlations, then one random byte at the end of each variable should be > enough. Also, unless I'm misreading it, am I correct in thinking the > user-agent string is fully random? I'm currently using one from an oldish > firefox, to reduce fingerprintability a bit, and I get annoying warnings on > github and a few other places as a result - isn't it better to use a > common-ish UA string with some random crap on the end, so most stupid websites > won't do something annoying?
Heyho, randomizing these headers at all rapidly shrinks the anonymity set size. Sure, for a dumb adversary every request seems to come from another user, but a smart adversary won't take long to detect these changes, filter them out and have a nice list of all surf users (and browsers which use the same pattern, which would probably be not many). When setting the headers to a very common value (unfortunately I did not find _the_ most common UA and accept-language header values), users are guaranteed to be part of a very huge anonymity set. If you really want to randomize the headers, pick a pool of the most common values and pick one of them at random. This can hower lead to different behaviour when visiting a website twice. I strongly advice against the randomization. It's also simpler in code to not use it. --Markus
