tags 314865 wontfix
thanks

* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> Package: mozilla-firefox
> Version: 1.0.4-2
> Severity: normal
>
>
> what should be in user-agent? imho it is beyond its scope to reveal
> linux distribution and package version. they are not necessary for
> servers to support the operation of the browser.

It is not necessary, but it can be interesting to get this information, especially if a website is interested in how many users are Debian users.

> if there has been discussion before, i still think it should be in the
> bts.
>
> relatively few people use debian and a particular package version, so
> the information thus contained is far higher than if such details are
> not included. this allows an attacker to identify a user with high
> probability. identity theft and other malicious data collection are
> real problems that are exacerbated by an uncommon user agent string
> that contains information unnecessary to the operation of the browser.
> there are, of course, other privacy issues. this is just one.
>
> imagine that a particular package version or debian itself is
> temporarily insecure, even if the ff version is not. every click now
> advertises that.

To my knowledge that has never happened, and the opposite case is far more likely, so this is a bit of a non-starter. I don't really think an attacker will go and say "Well the User-Agent says it's version X, so I won't bother trying the exploit". They tend not to be this courteous. Apache does a similar thing by default with its ServerTag directive; I don't see anyone freaking about it.

> the user can change the string, but imho it is important to have the
> default be considered carefully.
>
> perhaps the person who customized user agent has carefully thought of
> these issues and, for whatever reason, doesn't think of them as a
> problem.
>
> but because many people *do* think of them as a problem, i would like
> for this bug report to continue to exist, even if the maintainer
> disagrees that it is a problem, for open discussion.

--
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ O?
M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ G e h! r- y+
------END GEEK CODE BLOCK------