Suggestion: Reduce user agent string info by default

[bouffon]

The EFF's panopticlick project indicates that substantial identifying information is available from the browser. By disabling JavaScript, NoScript hides much of this information, but substantial identifying information is still available in the user agent string. My suggestion is, when scripting is disabled for a site, to have NoScript also change the default user agent string to limit its contents to the basic browser version (no O/S or similar additional information). While it is already possible to do this with other plugins like user agent switcher,

• a)It's not default behaviour for user agent switcher and only default behaviour on a widely installed plugin will improve anonymity
  b)The primary focus of user agent switcher is for browser impersonation to allow access to functionality unnecessarily disabled by poorly written web pages
  c)The goal of NoScript is to improve browsing security - improving anonymity is a better fit with that goal than that of user agent switcher
  d)Security concerns that warrant limiting scripting capabilities on a site are probably a fairly close match with similar concerns about privacy, so having both controllable at the same time would improve user efficiency in managing their security profile.

[therube]

Is the site working correctly or is certain information not available from Mozilla browsers?

For ...

Browser Plugin Details
Time Zone
Screen Size and Color Depth
System Fonts
Limited supercookie test

... all the results say, "no javascript"?

What do you do with that 'ol IP thing. Once they have your IP, they can pinpoint your physical location fairly closely.

[RTrev]

Is the site working correctly or is certain information not available from Mozilla browsers?

For ...

Browser Plugin Details
Time Zone
Screen Size and Color Depth
System Fonts
Limited supercookie test

... all the results say, "no javascript"?

What do you do with that 'ol IP thing. Once they have your IP, they can pinpoint your physical location fairly closely.

Can't do much with IP, I don't think, as it changes so often for most people. As for the rest, my understanding is that turning off Javascript eliminates the ability to get most of that information, but also increases one's uniqueness because most people browse with Javascript enabled. Can't win. Plus there is a great deal of information just in the things that the browser hands the server without any trickery needed. The user-agent string is a big one, for example.

I'd suggest a feature which adds random values in some way to all of the above information, so that a user is *always* unique. This would be a perfect fit for NoScript, I think.

What do you folks think?

[GµårÐïåñ]

Just to add my two cents, I can see a useful application for this idea but as therube has already said, your IP for purposes of GeoLocation can be used quite effectively and sometimes there are information added to your useragent that may not be properly parsed by a logic routine and that "could" possibly cripple your effective and efficient browsing, as I am sure you can find out by playing with your header and user-agent on your own and find out. You could modify the useragent override string in about:config and experiment to see how functionality breaks with improper coding of the header/useragents.

However, the only point on which I disagree with therube's assessment is that the IP is not as unique as people think, it can be spoofed, it can be proxied, it can be routed and re-rerouted so many times that by the time the peal the onion completely to find the original IP, it now belongs to some other sap who has the dynamic IP. You can also have virtual proxies that mimick a gateway for those who verify at the switch rather than using DNS information, to beat the gateway ping back check. So although it is possible to track anyone down by IP if you are a super good hacker, maybe a total of 10-15 of us globally who can pull it off, my bet is Giorgio included, it is not as easy or time efficient for daily usage unless you are trying to do something that is REALLY bad, or super duper private.

Just for the record, I access THIS site, with my real IP and my real gateway because I am not only a mod but also trust the site, its behind the scene individuals who have my respect and trust, so I am not worried about it. But often times on the web, one minute I am in China, the next I am Germany, the next I am in the UK, etc, you get the idea. So you can imagine that it frustrates the hell out of anyone who is trying to match two instances of me with each other and anyone intelligent on their side should put two and two together and realize quickly, its not real and won't do them good to trace it. Wow, this went longer than I had intended.

[RTrev]

Just thinking out loud, but my limited experiments with user-agent always seemed to indicate that I could add whatever I wanted to the string, and I only got into trouble when I removed something. So, my thinking is that we randomly add a string to the end of the user agent, we randomly add some crazily-named font to the list returned, we add a plugin, we do whatever we can to make this fingerprinting fail. Maybe NoScript isn't the correct platform for this addition, or maybe I'm all wet in thinking this would be a useful way to go about it.

[Giorgio Maone]

Provided that having NoScript enabled (i.e. scripts and plugins disabled on the tracking page) considerable reduce the bits that can be used to identify you (and the fact this configuration is relatively rare doesn't decrease significantly the amount of anonymity it adds, since the combination or your font list (retrievable through Flash or Java), your plugins list and your window size is pretty unique per se), adjusting your user-agent string to increase your anonymity is almost futile and anyway not easy at it seems.
The commonest Firefox user-agent string at this moment, according to flashgot.net logs, is the following:

Code: Select all

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)

However, if I can tell that you

1. Have an IP which is not in US (simple geolocation)
2. Have an operating system which is not Windows XP 32bit (Javascript, plugins)
3. Are in a time-zone where en-US is not spoken (Javascript)
4. Are sending an Accept header which lists languages different than en-US (HTTP)
5. Don't have Silverlight (coming with .NET) (Javascript)

your user-agent, even if is so common, is contributing to identify you as an "anomaly".

Bottom line: don't bother too much about your UA string, but keep JS+plugins disabled.

[MMlosh]

Adding random garbage and other fake clues may increase annonymity, good idea.
Of course, I would be unique every time... till they find out and strip it away