Bug#748897: Iceweasel default user agent compromises privacy

Rolf Braun rolf.braun at gmail.com
Thu May 22 08:41:18 UTC 2014


On Thu, May 22, 2014 at 1:00 AM, Mike Hommey <mh at glandium.org> wrote:
> On Wed, May 21, 2014 at 11:19:20PM -0400, Rolf Braun wrote:
> > - Inclusion of the "Iceweasel" token, which is much rarer than standard
> > Firefox.
>
> This one is a tough call. You're actually using a not-Firefox browser.
> And making Iceweasel not emit that part would require awkward changes
> that would affect more than Iceweasel.

Agreed that it's not obviously the right thing to do, and Debian isn't
the only vendor to be adding a vendor-specific token to the UA string.
But there are fewer users of Debian on the desktop than e.g. Ubuntu,
so the issue of being identifiable by this is more concerning.

From my perspective as a user, yes, it's technically a non-Firefox
browser. But from any website's perspective, it renders and processes
HTML and JavaScript the same as Firefox of that version would; the
user-agent isn't required to reveal anything more.

I'm not sure what else it would affect, though it seems the UA string
is being generated in a "standard" way by code from upstream, so that
would have to be patched.

> > - The Gecko build date in the UA reported by Firefox releases is
> > standardized as 20100101. Inclusion of the actual build date allows
> > individual users, especially users of backports or of unstable releases, to
> > be identified almost uniquely. Firefox removed this ability in the fix for
> > bug 572661, but Debian is continuing to build Firefox with an identifiable
> > build date.
>
> Actually, it's not, but there's a bug that only affects esr. If you look
> at e.g. iceweasel 23 on snapshot.debian.net, you should see
> Gecko/20100101. Likewise in unstable and experimental. Aurora builds
> from mozilla.debian.net don't use Gecko/20100101, but it looks like
> upstream aurora builds do, despite that not matching what is in the
> source tree. Must be something set on the build side.
>
> So all in all, this is mostly an ESR-only issue (also affecting
> chemspills like 29.0.1), that is mostly fixed in unstable, and
> essentially fixed in experimental (except for the Iceweasel part)

> Actually, since version 25 the Gecko version string is always
> Gecko/20100101, whatever setup is used.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=728773

So I assume from that, it's also fixed for future ESR releases (31?)
in testing/stable?

Thanks for looking into this.
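
The two identifying parts discussed in this thread (a Gecko token carrying a real build date instead of 20100101, and a vendor token after Firefox/) can be checked mechanically. The following is an added example, not part of the original message or of Iceweasel's code; the function name and the sample UA strings are constructed for illustration.

```python
import re

# Gecko trail that Firefox releases report, as stated in the thread.
STANDARD_GECKO_TRAIL = "20100101"

# "Mozilla/5.0 (<platform>) <product tokens>"
_UA_RE = re.compile(r"^Mozilla/5\.0 \((?P<platform>[^)]*)\) (?P<rest>.+)$")
# One "Name/value" product token.
_TOKEN_RE = re.compile(r"(?P<name>[A-Za-z][\w.-]*)/(?P<value>\S+)")

# Constructed sample strings (not captured from real traffic).
SAMPLES = {
    "firefox-release":
        "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "iceweasel-esr":
        "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140429 "
        "Firefox/24.0 Iceweasel/24.5.0",
    "iceweasel-fixed-date":
        "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 "
        "Firefox/29.0 Iceweasel/29.0.1",
}


def audit_user_agent(ua):
    """Return (kind, token) findings for parts of a Gecko-style UA string
    that deviate from the standard Firefox form and so shrink the set of
    users the string could belong to."""
    m = _UA_RE.match(ua)
    if m is None:
        return [("unparsed", ua)]
    findings = []
    for t in _TOKEN_RE.finditer(m.group("rest")):
        name, value = t.group("name"), t.group("value")
        if name == "Gecko":
            # A real build date distinguishes backports/unstable builds.
            if value != STANDARD_GECKO_TRAIL:
                findings.append(("build-date", f"Gecko/{value}"))
        elif name != "Firefox":
            # Any extra product token (e.g. a distribution's rebrand).
            findings.append(("vendor-token", f"{name}/{value}"))
    return findings


if __name__ == "__main__":
    for label, ua in SAMPLES.items():
        print(label, audit_user_agent(ua))
```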


