[or-cvs] r14240: somebody should write a research/position paper on this rota (website/trunk/en)

[arma at seul.org]

Author: arma
Date: 2008-03-30 04:37:35 -0400 (Sun, 30 Mar 2008)
New Revision: 14240

Modified:
   website/trunk/en/volunteer.wml
Log:
somebody should write a research/position paper on this
rotating UserAgent idea that keeps coming up.


Modified: website/trunk/en/volunteer.wml
===================================================================
--- website/trunk/en/volunteer.wml	2008-03-30 04:10:29 UTC (rev 14239)
+++ website/trunk/en/volunteer.wml	2008-03-30 08:37:35 UTC (rev 14240)
@@ -1091,6 +1091,23 @@
 <li>It's not that hard to DoS Tor relays or directory authorities. Are client
 puzzles the right answer? What other practical approaches are there? Bonus
 if they're backward-compatible with the current Tor protocol.</li>
+<li>Programs like <a
+href="https://torbutton.torproject.org/dev/">Torbutton</a> aim to hide
+your browser's UserAgent string by replacing it with a uniform answer for
+every Tor user. That way the attacker can't splinter Tor's anonymity set
+by looking at that header. It tries to pick a string that is commonly used
+by non-Tor users too, so it doesn't stand out. Question one: how badly
+do we hurt ourselves by periodically updating the version of Firefox
+that Torbutton claims to be? If we update it too often, we splinter the
+anonymity sets ourselves. If we don't update it often enough, then all the
+Tor users stand out because they claim to be running a quite old version
+of Firefox. The answer here probably depends on the Firefox versions seen
+in the wild. Question two: periodically people ask us to cycle through N
+UserAgent strings rather than stick with one. Does this approach help,
+hurt, or not matter? Consider: cookies and recognizing Torbutton users
+by their rotating UserAgents; malicious websites who only attack certain
+browsers; and whether the answers to question one impact this answer.
+</li>
 </ol>
 
 <p>