From 18cfc9a7c6e6508742b0cb8cbb0e275dc791c6d3 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Tue, 9 Aug 2016 16:42:37 +2000
Subject: [PATCH] [PATCH] Omit User-Agent: header by default
---
d8/b5deab76ad67054b0310776b2e91b00b5138ca | 87 +++++++++++++++++++++++
1 file changed, 87 insertions(+)
create mode 100644 d8/b5deab76ad67054b0310776b2e91b00b5138ca
diff --git a/d8/b5deab76ad67054b0310776b2e91b00b5138ca b/d8/b5deab76ad67054b0310776b2e91b00b5138ca
new file mode 100644
index 000000000..29d87dd27
--- /dev/null
+++ b/d8/b5deab76ad67054b0310776b2e91b00b5138ca
@@ -0,0 +1,87 @@
+Return-Path:
+X-Original-To: notmuch@notmuchmail.org
+Delivered-To: notmuch@notmuchmail.org
+Received: from localhost (localhost [127.0.0.1])
+ by arlo.cworth.org (Postfix) with ESMTP id E0C4F6DE026C
+ for ; Mon, 8 Aug 2016 13:42:53 -0700 (PDT)
+X-Virus-Scanned: Debian amavisd-new at cworth.org
+X-Spam-Flag: NO
+X-Spam-Score: -0.053
+X-Spam-Level:
+X-Spam-Status: No, score=-0.053 tagged_above=-999 required=5
+ tests=[AWL=-0.053] autolearn=disabled
+Received: from arlo.cworth.org ([127.0.0.1])
+ by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
+ with ESMTP id wRdvspJLxYUA for ;
+ Mon, 8 Aug 2016 13:42:45 -0700 (PDT)
+Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118])
+ by arlo.cworth.org (Postfix) with ESMTP id 860136DE0188
+ for ; Mon, 8 Aug 2016 13:42:44 -0700 (PDT)
+Received: from fifthhorseman.net (unknown [38.109.115.130])
+ by che.mayfirst.org (Postfix) with ESMTPSA id 57155F98B
+ for ; Mon, 8 Aug 2016 16:42:42 -0400 (EDT)
+Received: by fifthhorseman.net (Postfix, from userid 1000)
+ id 709271FE91; Mon, 8 Aug 2016 16:42:37 -0400 (EDT)
+From: Daniel Kahn Gillmor
+To: Notmuch Mail
+Subject: [PATCH] Omit User-Agent: header by default
+Date: Mon, 8 Aug 2016 16:42:37 -0400
+Message-Id: <1470688957-30562-1-git-send-email-dkg@fifthhorseman.net>
+X-Mailer: git-send-email 2.8.1
+X-BeenThere: notmuch@notmuchmail.org
+X-Mailman-Version: 2.1.20
+Precedence: list
+List-Id: "Use and development of the notmuch mail system."
+
+List-Unsubscribe: ,
+
+List-Archive:
+List-Post:
+List-Help:
+List-Subscribe: ,
+
+X-List-Received-Date: Mon, 08 Aug 2016 20:42:54 -0000
+
+The User-Agent: header can be fun and interesting, but it also leaks
+quite a bit of information about the user and their software stack.
+
+This represents a potential security risk (attackers can target the
+particular stack) and also an anonymity risk (a user trying to
+preserve their anonymity by sending mail from a non-associated account
+might reveal quite a lot of information if their choice of mail user
+agent is exposed).
+
+This change also avoids hiding the User-Agent header by default, so
+that people who decide they want to send it will at least see it (and
+can edit it if they want to) before sending.
+
+It makes sense to have safer defaults.
+---
+ emacs/notmuch-mua.el | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/emacs/notmuch-mua.el b/emacs/notmuch-mua.el
+index 1ca8056..f3a4e5a 100644
+--- a/emacs/notmuch-mua.el
++++ b/emacs/notmuch-mua.el
+@@ -62,7 +62,7 @@ disabled: this would result in an incorrect behavior."))
+ (const :tag "Compose mail in a new window" new-window)
+ (const :tag "Compose mail in a new frame" new-frame)))
+
+-(defcustom notmuch-mua-user-agent-function 'notmuch-mua-user-agent-full
++(defcustom notmuch-mua-user-agent-function nil
+ "Function used to generate a `User-Agent:' string. If this is
+ `nil' then no `User-Agent:' will be generated."
+ :type '(choice (const :tag "No user agent string" nil)
+@@ -73,7 +73,7 @@ disabled: this would result in an incorrect behavior."))
+ :value notmuch-mua-user-agent-full))
+ :group 'notmuch-send)
+
+-(defcustom notmuch-mua-hidden-headers '("^User-Agent:")
++(defcustom notmuch-mua-hidden-headers nil
+ "Headers that are added to the `message-mode' hidden headers
+ list."
+ :type '(repeat string)
+--
+2.8.1
+
--
2.26.2
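Review bot: The docstring of `notmuch-mua-user-agent-function` in the first inner hunk still only says what nil does, so the reason for the new default lives only in the commit message and someone customizing the option will not learn that enabling it discloses their software stack to every recipient. I would add a sentence such as `The default is nil because this header reveals the sender's software stack to every recipient.` The same applies to `notmuch-mua-hidden-headers` in the second inner hunk, where a short remark that `"^User-Agent:"` is deliberately no longer hidden, so the header can be reviewed before sending, would keep someone from re-adding it. Both defcustom forms continue outside the quoted hunks, and whether message-mode can still insert a User-Agent of its own when this function is nil is not visible here and is worth confirming.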