Re: Making package.el talk over Tor

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > 185.220.101.26 - - [14/Dec/2023:13:04:00 +0100] "GET /test HTTP/1.1" 301 
169 "https://amodernist.com/"; "URL/Emacs Emacs/30.0.50 (PureGTK; 
x86_64-pc-linux-gnu)"

  > As you can see the User-Agent indicates that I am using Emacs, what
  > version and even my architecture.  Compare that to the user agent that
  > you'd regularly encounter from an average browser:

We should (1) let users specify what User-Agent to send, and (2) maybe
choose a different default.

Icecat, by default, identifies itself as some widely used proprietary
browser running on Windows.

  > Other than the user-agent, there are certainly other bits of behaviour
  > that a malicious actor can use to track a user, such as the order in
  > which HTTP headers are transmitted, the size of chunks by which the
  > client sends and receives data and of course what requests aren't being
  > sent (e.g. due to a lack of Javascript in EWW).

We could work on making Emacs-based browsing more similar to the most
common browsers, in such aspects of visible behavior.

  >  and of course what requests aren't being
  > sent (e.g. due to a lack of Javascript in EWW).

Compareed with the harm done by _running_ the page's Javascript,
giving evidence of not running Javascript is arguably a far lesser
evil.

That said, one important method for preventing sites from effectively
profiling you is to connect to them through Tor.  In fact, connecting
directly enables OTHERS that observe your network traffic to figure
out what you are talking to!

That is why I want to connect to the Emacs package repo via Tor.
I am not worried about being profiled by the Emacs package repo!

More generally, if all that distinguishes you in the actual
interaction with a site is that you don't run the Javascript, and you
connect through Tor, whatever site you are talking to will have
trouble distinguishing you from other users that don't run the
Javascript.

  > That being said: All of this doesn't matter that much for package.el,
  > since most people are accessing it via Emacs.

I agree.  However, these issues may have some real importance for the case
of using EWW to look at pages _other than_ the Emacs package repo.


-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)