Bug#748897: Iceweasel default user agent compromises privacy

Rolf Braun rolf.braun at gmail.com
Thu May 22 03:19:20 UTC 2014


Package: iceweasel
Version: 24.5.0esr-1~deb7u1

From https://wiki.debian.org/Iceweasel#User-Agent_string and confirmed
using a server-side user-agent test, iceweasel on stable gives this
User-Agent string:

Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140429 Firefox/24.0
Iceweasel/24.5.0

It is now considered bad practice to provide more information to the server
than is necessary, because it allows long-term tracking of individual users
even of a large site, if their browser configuration is unique enough. See
https://panopticlick.eff.org/index.php?action=log&js=yes for a test which
extracts as much information as possible to uniquely identify a browser
user. There are a couple of elements of concern in my Panopticlick output.
The most unique part is the plugin list, which can only be extracted by a
script (and presumably should be mitigated by the Firefox developers
upstream). That's 20.4 bits of identifying information or a handful out of
the entire set of browsers they've ever tested.

However, the second most unique element when visiting Panopticlick from
Debian is the User-Agent string itself. That's despite that I have an odd
screen size, etc. The string above gives 15.61 bits of identifying
information (for i686; result may vary for x86_64 or other archs). Only one
in 49943 browsers they've tested gives this string, which can identify a
user down to 0.002% of a site's user base.

If I visit from oldstable (wheezy) running Iceweasel 24 from backports, the
result is even worse! The UA string is

Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140503 Firefox/24.0
Iceweasel/24.5.0

The slightly different build date reveals almost 20 bits of identifying
information, one in 1036318, less than 0.0001% of their sample, probably
just me testing it and nobody else.

Now this is worse than the plugin loophole for two reasons. One is that a
server can silently harvest and detect this data, whereas the other has to
be sniffed with JavaScript, which could theoretically be detected locally
by an add-on. The other is that this was fixed a long time ago, almost 2
years ago. See https://bugzilla.mozilla.org/show_bug.cgi?id=572650 and the
bugs which it depends on, especially
https://bugzilla.mozilla.org/show_bug.cgi?id=572661. (Even the plug-in
issue is being actively debated upstream; see
https://bugzilla.mozilla.org/show_bug.cgi?id=757726)

There are several problems with Debian's UA string which make the user more
identifiable across other sites:

- Inclusion of the "Iceweasel" token, which is much rarer than standard
Firefox.
- Inclusion of the minor version in the "Iceweasel" token makes this worse
(e.g. the above should be Iceweasel/24.0 instead of Iceweasel/24.5.0)
- The Gecko build date in the UA reported by Firefox releases is
standardized as 20100101. Inclusion of the actual build date allows
individual users, especially users of backports or of unstable releases, to
be identified almost uniquely. Firefox removed this ability in the fix for
bug 572661, but Debian is continuing to build Firefox with an identifiable
build date.

I would prefer the UA be changed in this example to:

Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0

which is the upstream default and is more than enough information for any
site to know about me. That's what I'm currently using by default in User
Agent Switcher. That yields only 8 bits of identifying information in
Panopticlick, one in 338 users, or 0.3%. Given I'm still going to identify
that I'm on Linux, and using an ESR release of Firefox instead of the
latest, I doubt I can improve much more on that.

If that's not possible for political reasons, at least change it to
something like:

Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Iceweasel/24.0

noting the standardized fake build ID and the absence of any minor/patch
release information.
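As an added example (not part of the original report), the following Python rewrites a Debian Iceweasel UA string into the two forms proposed above, and converts Panopticlick's "one in N browsers" figures into bits of identifying information (surprisal, log2(N)). The sample UA strings are the ones quoted in the report; the function names are my own.

```python
import math
import re

# Panopticlick reports each attribute as "one in N browsers"; the identifying
# information it carries is its surprisal, -log2(1/N) = log2(N) bits.
def identifying_bits(one_in: int) -> float:
    if one_in < 1:
        raise ValueError("one_in must be a positive count")
    return math.log2(one_in)

# Bits of fingerprinting information removed by moving from a UA seen once
# in `before` browsers to one seen once in `after` browsers.
def bits_saved(before: int, after: int) -> float:
    return identifying_bits(before) - identifying_bits(after)

# Upstream Firefox releases report this fixed, fake Gecko build date.
UPSTREAM_GECKO_DATE = "20100101"

_GECKO_RE = re.compile(r"Gecko/(\d{8})")
# Iceweasel token, optionally preceded by whitespace (mail wrapping may have
# turned the separating space into a newline).
_ICEWEASEL_RE = re.compile(r"\s*Iceweasel/(\d+)\.(\d+)(?:\.\d+)?")

def normalise_ua(ua: str, keep_iceweasel_token: bool = False) -> str:
    """Rewrite a Debian Iceweasel UA string into one of the two forms the
    report proposes: the upstream Firefox default (Iceweasel token dropped),
    or that default plus an Iceweasel token reduced to its major version."""
    ua = _GECKO_RE.sub("Gecko/" + UPSTREAM_GECKO_DATE, ua)
    m = _ICEWEASEL_RE.search(ua)
    if m:
        token = " Iceweasel/%s.0" % m.group(1) if keep_iceweasel_token else ""
        ua = ua[:m.start()] + token + ua[m.end():]
    return " ".join(ua.split())  # collapse any wrapping whitespace

if __name__ == "__main__":
    stable = ("Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140429 "
              "Firefox/24.0 Iceweasel/24.5.0")
    print(normalise_ua(stable))
    print(normalise_ua(stable, keep_iceweasel_token=True))
    # Figures quoted in the report: one in 49943 vs one in 338 browsers.
    print("%.2f bits -> %.2f bits" % (identifying_bits(49943),
                                      identifying_bits(338)))
```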