Dev/sdwdate
An optimization problem. There are conflicting goals.
- goal: Saving remote server resources → implementation: use HEAD (implemented)
  - HEAD (similar to curl --head) is what sdwdate uses.
  - Tails discussed using GET instead of HEAD for Tails htpdate but rejected that.
- goal: Fingerprinting resistance at remote server level → implementation: Hide outdated user agent version numbers (not implemented)
  - Similar to --user-agent curl, or even a fake user agent.
  - Disadvantage: this user agent would make the user really unique.
  - Hiding the version number might not help with security either. If a user was running a vulnerable version, an adversary could just try out every exploit, independent of the version number in the user agent. The only solution is timely software upgrades by the user.
  - Tails-dev - Faking htpdate user agent worth it?
- goal: Maximization of security of sdwdate (implemented) → implementation: use the most remote code execution resistant backend (such as curl vs full web browser vs python3 requests) for url_to_unixtime
  - Use python3 requests (implemented in memory-safe python3 code) instead of curl (implemented in the memory-unsafe language C).
- goal: Maximization of fingerprinting resistance from the viewpoint of the remote server → implementation: emulate being a full browser by using selenium or similar (not implemented)
  - Convincingly emulating being a browser is impossible. Changing the user agent is insufficient. The only way of convincingly emulating being a browser is to actually run a browser.
  - Running a full browser inside sdwdate, however, would mess up security. It would also be very difficult to implement: it would mean running a full browser GUI with an invisible X server and then somehow extracting only the HTTP Date header from the GUI. It might also actually worsen the web fingerprint of sdwdate, since sdwdate would fetch and run any tracking script (such as Google Analytics) that the remote server has. Then there is the question of which browser to use (Tor Browser + selenium?) and of keeping that browser updated. This seems way too complex to implement.
A compromise had to be made. Priority goals had to be chosen. Maximization of security of sdwdate and saving remote server resources was chosen.
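
The two chosen goals, sketched as an added example (this is not sdwdate's code): a single HEAD request, with the untrusted Date header converted to unix time in memory-safe Python. It uses the standard library's http.client instead of python3 requests so that it runs without dependencies; the function names and the 64-character limit are assumptions of this example.

```python
# Added example, not sdwdate's own code. Standard library only.
import http.client
from email.utils import parsedate_to_datetime

MAX_DATE_LEN = 64  # assumed bound; a well-formed HTTP date is 29 characters


def date_header_to_unixtime(value):
    """Convert an untrusted HTTP Date header value to unix seconds."""
    if not isinstance(value, str) or not value.isascii():
        raise ValueError("Date header is not ASCII text")
    if len(value) > MAX_DATE_LEN:
        raise ValueError("Date header is implausibly long")
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError) as exc:
        raise ValueError("Date header does not parse") from exc
    # HTTP dates are expressed in GMT; reject naive or non-zero-offset
    # timestamps instead of guessing what the server meant.
    if parsed.tzinfo is None or parsed.utcoffset().total_seconds() != 0:
        raise ValueError("Date header is not in GMT")
    return int(parsed.timestamp())


def head_unixtime(host, port=80, path="/", timeout=10):
    """Send one HEAD request and return the server's Date as unix time."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)   # headers only: no body is transferred
        response = conn.getresponse()
        response.read()              # empty for HEAD; completes the exchange
        value = response.getheader("Date")
    finally:
        conn.close()
    if value is None:
        raise ValueError("response carries no Date header")
    return date_header_to_unixtime(value)


if __name__ == "__main__":
    # Constructed sample value, parsed offline.
    print(date_header_to_unixtime("Tue, 15 Nov 1994 08:12:31 GMT"))
```

The returned value comes from a remote server, so a caller still has to sanity-check it before using it to set the clock.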