Re: Making package.el talk over Tor

[Philip Kaludercic]

Richard Stallman <rms@gnu.org> writes:

>   >  because one will continue to leak fingerprintable
>   > metadata (specially inside of Emacs)
>
> Could you give me an example of what you mean?

As mention in my other message, I was testing what my web server was
logging when accessing the server via Tor, and this was the log entry:

185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test HTTP/1.1" 301 169 
"https://amodernist.com/"; "URL/Emacs Emacs/30.0.50 (PureGTK; 
x86_64-pc-linux-gnu)"

As you can see the User-Agent indicates that I am using Emacs, what
version and even my architecture.  Compare that to the user agent that
you'd regularly encounter from an average browser:

31.10.139.153 - - [14/Dec/2023:00:18:33 +0100] "GET / HTTP/1.1" 200 10585 "-" 
"Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/120.0.0.0 Mobile Safari/537.36"

This can be remedied by setting the `url-privacy-level' user option to
'paranoid, but in that case you are still identifiable because there is
no user agent, which carries some information.

Other than the user-agent, there are certainly other bits of behaviour
that a malicious actor can use to track a user, such as the order in
which HTTP headers are transmitted, the size of chunks by which the
client sends and receives data and of course what requests aren't being
sent (e.g. due to a lack of Javascript in EWW).

The EFF has more information on the topic here:
https://coveryourtracks.eff.org/learn.

That being said: All of this doesn't matter that much for package.el,
since most people are accessing it via Emacs.