From 1fc7bc98beca642e75942c603beefa48c8698e31 Mon Sep 17 00:00:00 2001 From: ubestemt Date: Mon, 24 Apr 2017 14:06:01 +0000 Subject: [PATCH 1/6] Create w3m.md How to reduce the fingerprint of the text-based web browser w3m. --- configuration/w3m.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 configuration/w3m.md diff --git a/configuration/w3m.md b/configuration/w3m.md new file mode 100644 index 00000000..29198ad2 --- /dev/null +++ b/configuration/w3m.md @@ -0,0 +1,35 @@ +--- +layout: doc +title: Reducing the fingerprint of the text-based web browser w3m +permalink: /doc/w3m/ +redirect_from: +- /en/doc/mutt/ +- /doc/W3m/ +- /wiki/W3m/ +--- + +Reducing the fingerprint of the text-based web browser w3m +==== + +[w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.' + +You can reduce the [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled. + +**BEWARE: As very few people use w3m for browsing chances are high that you will still be the only person with this fingerprint on your adversary's radar. Also, I am nothing but a wannabe security expert, so do not rely on my advise for anything critical.** + +Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TempVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`). + +* Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`. +* Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file: + + accept_language en-US,en;q=0.5 + accept_encoding gzip, deflate + accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + +Testing the settings on ( does not work) returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.* Thus by using these settings (and browsing through a torified connection) you will be distinguishable from TBB users, but, if my assumptions are correct, not from me. That is, whoever uses these settings will have the same fingerprint as anyone else using w3m with the same configuration, but for the time being I am probably the only one. (According to Browserprint.info only I have this fingerprint.) + +PS: You still need to delete cookies manually (`~/.w3m/cookie`) if you are not running w3m in a DispVM anyway. If you set w3m to not accept cookies, its fingerprint will change. (You can configure w3m to not use store cookies or accept new ones (or both), but the setting `use_cookie` seems to really mean `accept_cookie` and vice-versa, so maybe it is best to delete them manually for now.) + +* * * + +\* Does someone know how to fix this? From 016f87759908360dca0c367570c83ac5e3dfe6d8 Mon Sep 17 00:00:00 2001 From: ubestemt Date: Mon, 24 Apr 2017 14:09:14 +0000 Subject: [PATCH 2/6] Add link to yet-to-be-accepted w3m.md --- doc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc.md b/doc.md index 3ac75eb4..fcb07669 100644 --- a/doc.md +++ b/doc.md @@ -151,6 +151,7 @@ Configuration Guides * [Managing VM kernel](/doc/managing-vm-kernel/) * [Salt management stack](/doc/salt/) * [Adding SSD storage cache](https://groups.google.com/d/msgid/qubes-users/a08359c9-9eb0-4d1a-ad92-a8a9bc676ea6%40googlegroups.com) + * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/) Customization Guides From 4d0252cfd510c71e910795a722ff0da943b1df3c Mon Sep 17 00:00:00 2001 From: ubestemt Date: Fri, 28 Apr 2017 12:02:40 +0000 Subject: [PATCH 3/6] Rewrite to make clearer what is does and does not --- configuration/w3m.md | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/configuration/w3m.md b/configuration/w3m.md index 29198ad2..4eeb3908 100644 --- a/configuration/w3m.md +++ b/configuration/w3m.md @@ -5,28 +5,35 @@ permalink: /doc/w3m/ redirect_from: - /en/doc/mutt/ - /doc/W3m/ -- /wiki/W3m/ +- /wiki/W3m/t --- Reducing the fingerprint of the text-based web browser w3m ==== +TL;DR: You can reduce the amount w3m tells about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy. + [w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.' -You can reduce the [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled. +You can reduce the browser [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled. -**BEWARE: As very few people use w3m for browsing chances are high that you will still be the only person with this fingerprint on your adversary's radar. Also, I am nothing but a wannabe security expert, so do not rely on my advise for anything critical.** - -Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TempVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`). +Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`). * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`. + + (By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick have this value.) + * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file: accept_language en-US,en;q=0.5 accept_encoding gzip, deflate accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + + (These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above the w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.) + +Testing these settings on returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* ( does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's language settings or other specifics about it that could be contained in the HTTP_ACCEPT headers. And even if the browser you use may well be *inferred* from your fingerprint, it will not be explicitly stated in the User-Agent header. -Testing the settings on ( does not work) returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.* Thus by using these settings (and browsing through a torified connection) you will be distinguishable from TBB users, but, if my assumptions are correct, not from me. That is, whoever uses these settings will have the same fingerprint as anyone else using w3m with the same configuration, but for the time being I am probably the only one. (According to Browserprint.info only I have this fingerprint.) +**Reminder: Do not rely on these settings for anonymity. Using w3m is all but guaranteed to make you stand out in the crowd.** PS: You still need to delete cookies manually (`~/.w3m/cookie`) if you are not running w3m in a DispVM anyway. If you set w3m to not accept cookies, its fingerprint will change. (You can configure w3m to not use store cookies or accept new ones (or both), but the setting `use_cookie` seems to really mean `accept_cookie` and vice-versa, so maybe it is best to delete them manually for now.) From bac57503a3bb0e5f15de2073c9d7c5a494615bfc Mon Sep 17 00:00:00 2001 From: ubestemt Date: Fri, 28 Apr 2017 12:59:50 +0000 Subject: [PATCH 4/6] Minor edit. --- configuration/w3m.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/configuration/w3m.md b/configuration/w3m.md index 4eeb3908..76c7e6d4 100644 --- a/configuration/w3m.md +++ b/configuration/w3m.md @@ -11,17 +11,17 @@ redirect_from: Reducing the fingerprint of the text-based web browser w3m ==== -TL;DR: You can reduce the amount w3m tells about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy. +TL;DR: You can reduce the amount of information w3m gives about itself and the environment it is running in (and, by extension, you). **It will not make you anonymous; your fingerprint will still be unique.** But it may improve your privacy. [w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.' -You can reduce the browser [fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by adjusting some settings to those of the Tor Browser Bunde (TBB) with JavaScript disabled. +You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by making it (the fingerprint) more like that of the Tor Browser Bunde (TBB) with JavaScript disabled. Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`). * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`. - (By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick have this value.) + By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick has this value. * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file: @@ -29,9 +29,9 @@ Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m accept_encoding gzip, deflate accept_media text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 - (These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above the w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick.) + These changes will hide your computer's locale and some other information that may or may not be unique to the VM in which it is running. With the modifications above w3m will have the same headers as about one in fifteen browsers fingerprinted by Panopticlick. -Testing these settings on returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* ( does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's language settings or other specifics about it that could be contained in the HTTP_ACCEPT headers. And even if the browser you use may well be *inferred* from your fingerprint, it will not be explicitly stated in the User-Agent header. +Testing these settings on returns a fingerprint that is destinguishable from that of the TBB (with JavaScript disabled) only by 'Screen Size (CSS)' and 'Browser supports HSTS?'.\* ( does not work with w3m.) Due to the low number of w3m users it is highly likely that you will have an unique browser fingerprint among the visitors of a website using somewhat sofisticated browser fingerprinting technology. But at least your browser fingerprint will not reveal your computer's locale settings or other specifics about it in the HTTP_ACCEPT headers. And while it may be inferred from your fingerprint that you use w3m, it is not be explicitly stated in the User-Agent header. **Reminder: Do not rely on these settings for anonymity. Using w3m is all but guaranteed to make you stand out in the crowd.** From 6d5a7e426e76c1e9327160b31a8122e1a3ac0e57 Mon Sep 17 00:00:00 2001 From: ubestemt Date: Tue, 9 May 2017 13:39:49 +0000 Subject: [PATCH 5/6] Minor edits. --- configuration/w3m.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/configuration/w3m.md b/configuration/w3m.md index 76c7e6d4..9586ef40 100644 --- a/configuration/w3m.md +++ b/configuration/w3m.md @@ -5,7 +5,7 @@ permalink: /doc/w3m/ redirect_from: - /en/doc/mutt/ - /doc/W3m/ -- /wiki/W3m/t +- /wiki/W3m/ --- Reducing the fingerprint of the text-based web browser w3m @@ -15,13 +15,11 @@ TL;DR: You can reduce the amount of information w3m gives about itself and the e [w3m](http://w3m.sourceforge.net/) 'is a text-based web browser as well as a pager like `more` or `less`. With w3m you can browse web pages through a terminal emulator window (xterm, rxvt or something like that). Moreover, w3m can be used as a text formatting tool which typesets HTML into plain text.' -You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) of w3m by making it (the fingerprint) more like that of the Tor Browser Bunde (TBB) with JavaScript disabled. - -Apply the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. If you have not run w3m yet, you might need to copy the config file from elsewhere. You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`). +You can reduce the [browser fingerprint](https://panopticlick.eff.org/about#browser-fingerprinting) by applying the following changes to `~/.w3m/config` in any AppVM you want to use w3m in. (If you have not run w3m yet, you might need to copy the config file from elsewhere.) You can also apply the same changes to `/etc/w3m/config` in the relevant TemplateVM(s) to have them apply to multiple AppVMs; but make sure they are not reversed by the contents of `~/.w3m/config` in any of the AppVMs. (w3m reads `~/.w3m/config` after `/etc/w3m/config`). * Set `user_agent` to `user_agent Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0`. - By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the TBB. One in fourteen browsers finderprinted by Panopticlick has this value. + By default w3m identifies itself as `w3m/` + version number. The user agent `Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0` is the most common and the one used by the Tor Browser Bundle (TBB). One in fourteen browsers finderprinted by Panopticlick has this value. * Make w3m use the same HTTP_ACCEPT headers the TBB by adding the following lines at the end of the file: From d13f2a150b61080c0defdb64c56c697da69e6a70 Mon Sep 17 00:00:00 2001 From: ubestemt Date: Tue, 9 May 2017 13:41:04 +0000 Subject: [PATCH 6/6] Moved how-to to a more fitting section. --- doc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc.md b/doc.md index fcb07669..807a1177 100644 --- a/doc.md +++ b/doc.md @@ -124,6 +124,7 @@ Privacy Guides * [TorVM](/doc/torvm/) * [Martus](/doc/martus/) * [Signal](/doc/signal/) + * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/) Configuration Guides @@ -151,7 +152,6 @@ Configuration Guides * [Managing VM kernel](/doc/managing-vm-kernel/) * [Salt management stack](/doc/salt/) * [Adding SSD storage cache](https://groups.google.com/d/msgid/qubes-users/a08359c9-9eb0-4d1a-ad92-a8a9bc676ea6%40googlegroups.com) - * [Reducing the fingerprint of the text-based web browser w3m](/doc/w3m/) Customization Guides