On Tue, Mar 3, 2015 at 1:10 PM, Jan Kundrát <j...@kde.org> wrote:
>
> I'm not saying "nope", but I wonder why you're asking for this. The
> User-Agent comes handy when troubleshooting various interoperability issues;

It also comes in handy for forming targeted attacks against MUAs with zero-day vulnerabilities known to particular adversaries. As a security professional, this additional level of obscurity - of not leaking my UA - is important, as much in principle as in practice.

>
> Another important thing is that even if the User-Agent header was absent,
> there's still plenty of side channels which could be used to identify a
> MUA. MIME boundaries have "trojita" in them,

That's a shame about the MIME boundaries - I'd change that too to be randomized. And yes, fingerprinting is still possible, but removing the UA makes it all the more difficult. Furthermore, the user agent also leaks information as to the version of Qt I'm running and the version and name of my operating system. My god, it's absurd!

> What do others think, should we make this user-configurable?
>

Vote yes!
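
The two leaks discussed in this message (the User-Agent header and a client name embedded in MIME boundaries), as an added example that is not part of the original post or of Trojitá's code: a check you can run over one of your own outgoing messages to see what identifies the client, and what is still left once the header is removed. The sample message, the client name `ExampleMail`, the header list and the function names are constructed for illustration.

```python
from email import message_from_string

# Header fields that commonly name the sending client (assumed list).
CLIENT_HEADERS = ("User-Agent", "X-Mailer")

# Constructed sample message; every value here is made up for illustration.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: test
User-Agent: ExampleMail/1.0; Qt/5.4.0; Linux
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="examplemail=_abc123"

--examplemail=_abc123
Content-Type: text/plain

hello
--examplemail=_abc123--
"""


def client_leaks(raw, known_names=("examplemail",)):
    """Return (where, value) pairs in a raw message that identify the mail client."""
    msg = message_from_string(raw)
    leaks = []
    # Explicit client headers: name, version, toolkit and OS in one string.
    for name in CLIENT_HEADERS:
        for value in msg.get_all(name, []):
            leaks.append((name, value))
    # Side channel: MIME boundaries that embed a known client name.
    for part in msg.walk():
        boundary = part.get_boundary()
        if boundary and any(n in boundary.lower() for n in known_names):
            leaks.append(("MIME boundary", boundary))
    return leaks


def strip_client_headers(raw):
    """Return the message with the explicit client headers removed."""
    msg = message_from_string(raw)
    for name in CLIENT_HEADERS:
        del msg[name]  # deleting a missing header is a no-op
    return msg.as_string()


if __name__ == "__main__":
    print("as sent:      ", client_leaks(SAMPLE))
    print("header gone:  ", client_leaks(strip_client_headers(SAMPLE)))
```

With the header stripped, the boundary is still reported, which is why the thread treats randomized boundaries as a separate change.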