Bug#748897: Iceweasel default user agent compromises privacy

Mike Hommey mh at glandium.org
Thu May 22 10:16:51 UTC 2014


On Thu, May 22, 2014 at 04:41:18AM -0400, Rolf Braun wrote:
> On Thu, May 22, 2014 at 1:00 AM, Mike Hommey <mh at glandium.org> wrote:
> > On Wed, May 21, 2014 at 11:19:20PM -0400, Rolf Braun wrote:
> > > - Inclusion of the "Iceweasel" token, which is much rarer than standard
> > > Firefox.
> >
> > This one is a tough call. You're actually using a not-Firefox browser.
> > And making Iceweasel not emit that part would require awkward changes
> > that would affect more than Iceweasel.
> 
> Agreed that it's not obviously the right thing to do, and Debian isn't
> the only vendor to be adding a vendor-specific token to the UA string.
> But there are fewer users of Debian on the desktop than e.g. Ubuntu,
> so the issue of being identifiable by this is more concerning.
> 
> From my perspective as a user, yes, it's technically a non-Firefox
> browser. But from any website's perspective, it renders and processes
> HTML and JavaScript the same as Firefox of that version would; the
> user-agent isn't required to reveal anything more.
> 
> I'm not sure what else it would affect, though it seems the UA string
> is being generated in a "standard" way by code from upstream, so that
> would have to be patched.

An option I can see that could be reasonably upstreamed would be to have a
pref that turns the UA to the Firefox one without anything more.

> > > - The Gecko build date in the UA reported by Firefox releases is
> > > standardized as 20100101. Inclusion of the actual build date allows
> > > individual users, especially users of backports or of unstable releases, to
> > > be identified almost uniquely. Firefox removed this ability in the fix for
> > > bug 572661, but Debian is continuing to build Firefox with an identifiable
> > > build date.
> >
> > Actually, it's not, but there's a bug that only affects esr. If you look
> > at e.g. iceweasel 23 on snapshot.debian.net, you should see
> > Gecko/20100101. Likewise in unstable and experimental. Aurora builds
> > from mozilla.debian.net don't use Gecko/20100101, but it looks like
> > upstream aurora builds do, despite that not matching what is in the
> > source tree. Must be something set on the build side.
> >
> > So all in all, this is mostly an ESR-only issue (also affecting
> > chemspills like 29.0.1), that is mostly fixed in unstable, and
> > essentially fixed in experimental (except for the Iceweasel part)
> 
> > Actually, since version 25 the Gecko version string is always
> > Gecko/20100101, whatever setup is used.
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=728773
> 
> So I assume from that, it's also fixed for future ESR releases (31?)
> in testing/stable?

Indeed.

Mike
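
The two identifying features discussed in this thread (a Gecko trail other than 20100101, and a vendor token such as Iceweasel after the Firefox one) can be checked for mechanically. The following is an added example, not part of the original message or of Iceweasel/Firefox code; the function names and the sample User-Agent strings are constructed for illustration.

```javascript
// Added example: audit a Gecko-family User-Agent string for the two
// identifying features discussed in the thread above.
const FROZEN_GECKO_TRAIL = "20100101"; // value the thread says Firefox releases report
const GENERIC_PRODUCTS = new Set(["Mozilla", "Gecko", "Firefox"]);

function auditUserAgent(ua) {
  const findings = [];
  // Drop parenthesised comments (platform details), then read product/version tokens.
  const withoutComments = ua.replace(/\([^)]*\)/g, " ");
  const products = [];
  for (const tok of withoutComments.trim().split(/\s+/)) {
    const m = /^([^\/\s]+)\/(\S+)$/.exec(tok);
    if (m) products.push({ name: m[1], version: m[2] });
  }
  const gecko = products.find(p => p.name === "Gecko");
  if (!gecko) {
    // Not a Gecko-style UA: the checks below do not apply.
    findings.push({ kind: "not-gecko", detail: "no Gecko/ token found" });
    return findings;
  }
  if (gecko.version !== FROZEN_GECKO_TRAIL) {
    // A real build date narrows the user down to one package build.
    findings.push({ kind: "build-date", detail: "Gecko/" + gecko.version });
  }
  for (const p of products) {
    // Any product token beyond the stock Firefox set marks a smaller population.
    if (!GENERIC_PRODUCTS.has(p.name)) {
      findings.push({ kind: "vendor-token", detail: p.name + "/" + p.version });
    }
  }
  return findings;
}

// Constructed sample strings (not taken from the thread).
const SAMPLES = {
  stockFirefox: "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
  esrWithBuildDate: "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140429 Firefox/24.0 Iceweasel/24.5.0",
  fixedTrailVendor: "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 Iceweasel/29.0.1",
};

// Returns, per sample, the list of finding kinds in the order they were raised.
function auditSamples() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLES)) {
    out[name] = auditUserAgent(ua).map(f => f.kind);
  }
  return out;
}
```

In a browser console, `auditUserAgent(navigator.userAgent)` runs the same check against the string the browser actually sends.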
