Iceweasel: User agent fingerprintability
nord-stream
nord-stream at ochaken.cf
Wed Jan 20 09:10:18 UTC 2016
Dear Maintainer,
I think that there is a privacy and security issue about the Iceweasel's
user agent string.
Iceweasel 38.5.0 (ESR) on amd64:
"Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Iceweasel/38.5.0"
Firefox 38.5.0 (ESR) on amd64:
"Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"
In ESR, Firefox always says "38.0" regardless of the minor version and
this is *intentional*. Iceweasel does the same, except the
"Iceweasel/38.5.0" part. Mozilla found that presenting minor versions
can only benefit attackers and stopped advertising them. By knowing
minor versions attackers can tell the exact set of vulnerabilities. It
also make users more fingerprintable, which is bad for privacy. (This is
in contrast to Chromium, which is known for its badly created user agent
strings.) Fixing this for Iceweasel should be easy, so please do that.
It is part of Mozilla's important security features, which should also
be implemented on Debian versions.
In summary,
"Iceweasel/<major>.x.y" -> "Iceweasel/<major>.0"
Thank you,
--
nord-stream at ochaken.cf
More information about the pkg-mozilla-maintainers
mailing list