14 March 2010
added READONLY option to password wallet
Made an update to my password wallet. You can now have the READONLY attribute in your .walletrc file: this disables updates to the wallet (w/ the -e option). I keep my wallet in two places (work and home), and a cron job copies from work to home daily. So I need to make sure that I only update the wallet at work. I once updated it at home, and the next run of that cron job overwrote the update (a new password).
29 January 2010
panopticlick
I've seen several posts about the panopticlick project in the last few days. If you go to the panopticlick Web page and click the "test me" button, it'll tell you how identifiable your Web browser is. The idea is that it might be possible for someone to track your Web browsing based solely on certain characteristics of your Web browser (without using cookies or even IP addresses).
So I hit the "test me" page with several different kinds of browsers to see what kind of results I would get. The results are given below (all Firefox browsers below have the NoScript extension). In terms of security, these are like golf scores: you want low numbers in the second (BII="bits of identifying information") and third (NIF="number of identical fingerprints") columns. And in terms of security, being unique is bad (it makes it easy to identify you).
browser/platform | BII | NIF |
---|---|---|
MSIE7 on XP | 17.64 | unique in 204,788 |
Firefox 3.6 on XP | 8.62 | one in 392 |
Firefox 3.6 on Ubuntu | 12.64 | one in 6,364 |
MSIE6 via wine on Ubuntu | 17.66 | unique in 207,713 |
lynx on Ubuntu | 14.67 | one in 26,001 |
elinks on Ubuntu | 17.67 | unique in 208,111 |
wget on Ubuntu | 9.57 | one in 761 |
curl on CentOS | 17.67 | unique in 208,688 |
Firefox 3.6 on XP did pretty well, so I captured the HTTP request headers from that browser:
```
GET / HTTP/1.1
Host: vmware:8000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
```
Then I installed the Modify Headers extension to Firefox on Ubuntu and set the User-Agent header to the value from the request headers above. After doing that, Firefox 3.6 on Ubuntu got panopticlick scores like Firefox 3.6 on XP.
An interesting side effect of this is that the Firefox Add-Ons site uses the User-Agent header. So if you do this and want to add extensions later, you will probably need to disable the header. And I've just done this today, so I don't yet know what effect this will have on updating extensions.
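The two columns in the table are consistent with BII = log2(N) for a "one in N" result (2^8.62 is about 392). The sketch below is an added example, not code from this post or from the panopticlick project: it scores a browser against a small population using request headers only, and shows the score dropping once the User-Agent matches a common one. The header selection, the Ubuntu User-Agent string and the 16-visitor population are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Headers that feed the fingerprint. This selection is an assumption for the
# sketch; the real test also looks at characteristics beyond request headers.
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language",
                       "Accept-Encoding", "Accept-Charset")

# User-Agent from the captured request in the post.
XP_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
         "Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)")
# Constructed stand-in for the unmodified Firefox on Ubuntu.
UBUNTU_UA = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

def fingerprint(headers):
    """Hash the selected header values into one stable identifier."""
    canonical = "\n".join(f"{h}:{headers.get(h, '')}" for h in FINGERPRINT_HEADERS)
    return hashlib.sha256(canonical.encode()).hexdigest()

def score(headers, population):
    """Return (BII, NIF): bits of identifying information and the N in 'one in N'."""
    counts = Counter(fingerprint(p) for p in population)
    same = counts[fingerprint(headers)]
    if same == 0:
        raise ValueError("the scored browser must be part of the population")
    nif = len(population) / same
    return math.log2(nif), nif

def request(ua):
    """Build a header set that differs from the captured one only in User-Agent."""
    return {"User-Agent": ua,
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "en-us,en;q=0.5",
            "Accept-Encoding": "gzip,deflate",
            "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7"}

def demo():
    """Score the Ubuntu browser before and after adopting the XP User-Agent."""
    xp_crowd = [request(XP_UA)] * 7                                # constructed
    others = [request(f"ExampleBrowser/{i}") for i in range(8)]    # constructed, all unique
    me = request(UBUNTU_UA)
    before = score(me, xp_crowd + [me] + others)
    spoofed = {**me, "User-Agent": XP_UA}
    after = score(spoofed, xp_crowd + [spoofed] + others)
    return before, after

if __name__ == "__main__":
    print(demo())
```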