On Dienstag, 3. März 2015 13:10:43 CET, Jan Kundrát wrote:
What do others think, should we make this user-configurable?
While the OP is largely exaggerating on the topic, this might be a valuable
feature for some very exposed people, who're likely subject to specialized
attacks (we're not ta
It's not security by obscurity. It's a first step in combating
fingerprinting, and removing an info leak. CWE-200
Hi,
On 03/03/2015 01:41 PM, Jason A. Donenfeld wrote:
> I want absolutely nothing in there.
Basically that's security by obscurity. Which is bad practice in my
opinion. Keeping your system up-to-date is the better alternative here.
An attacker could either identify your client by other means or
On Tue, Mar 3, 2015 at 1:40 PM, Jan Kundrát wrote:
>
> Now, maybe we could change the pref to switch between "identify Trojita
> including the Qt version" and "just say it's Trojita". Am I right that this
> won't be a correct fix from your point of view, and that you absolutely
> want to have noth
On Tuesday, 3 March 2015 13:24:52 CEST, Jason A. Donenfeld wrote:
It also comes in handy for forming targeted attacks against MUAs with
zero-day vulnerabilities known to particular adversaries. As a security
professional, this additional level of obscurity - of not leaking my UA -
is important, a
On Tue, Mar 3, 2015 at 1:10 PM, Jan Kundrát wrote:
>
> I'm not saying "nope", but I wonder why you're asking for this. The
> User-Agent comes handy when troubleshooting various interoperability issues;
It also comes in handy for forming targeted attacks against MUAs with
zero-day vulnerabilities
On Monday, 2 March 2015 23:49:40 CEST, Jason A. Donenfeld wrote:
My emails sent from Trojita have in them a user agent. When I check the box
"don't identify Trojita to others", I'd like for the User-Agent header to
be suppressed all together. Is this possible?
Hi Jason,
I'm not saying "nope", b
