P941 I hate fingerprinting link reply
When is someone going to write a browser that can spoof its math engine and supported ciphers?
P942 link reply
tls spoofing is an issue
>look like windows
>can only use broken windows suites
>one broken rc4 suite windows has on is the only thing the site supports
P970 link reply
If you spoof all the things your browser fingerprint becomes even more unique. The best you can do is use Tor browser with default settings except for security level turned all the way up.
P996 link reply
That's a cope, not a solution. Tor Browser sucks, mainly due to only supporting webextensions. We need a browser that spoofs everything to look like a completely different browser, even with JavaScript activated. Like the Secret Agent extension, but on crack.
P998 link reply
durrrrrrrrrrrrr
P999 link reply
Rude.
P1048 link reply
P996
So you want to spoof firefox or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome or chrome ...
P1051 link reply
P996
Easiest way would probably be to randomly switch rendering engines for each page load. There's no way you're going to be indistinguishable from browser X with Javascript enabled unless you're actually running the same code.
P1093 link reply
Brave does randomized fingerprint. Tor thinks everyone should look the same, brave thinks you should constantly change, who is right
P1095 link reply
P1093
neither they both depend too much on adoption to beat the dataset
might as well make the standards force this shit
its still better looking like a possible slight positive than not but splitting hairs is effectively snake oil
P1422 link reply
why do browsers even send these fingerprints in the first place?
P1423 link reply
To flash their capabilities like css or js to http servers. Just like street whores.
P1427 link reply
P1422
According to https://datatracker.ietf.org/doc/html/rfc1945 the reason for the User-Agent header was
>This is for statistical purposes,
>the tracing of protocol violations, and automated recognition of user
>agents for the sake of tailoring responses to avoid particular user
>agent limitations.

The User-Agent header was ultimately a disaster, with lots of browsers spoofing each other.

Then there are things like the Accept header, which advertises the kinds of file formats the browser can handle. It's used by many sites to decide whether to send you a WebP instead of a JPEG to save a few bytes of bandwidth.

But some parts of a browser's fingerprint are unintentional, and are just the result of slight differences in behavior between browsers.
P1429 link reply
The server should be announcing its capabilities to the browser, not the other way around. If the server's capabilities exceed the browser, then the user can decide which action to take, i.e. change/upgrade browser or refuse to use the incompatible site/server.
Browsers leaking metadata is 100% intentionally done in bad faith. Don't believe any other offered (((explanation))).
P1432 link reply
"Be flexible in what you accept" is a terrible philosophy if you want to avoid fingerprint-able differences.
P1443 link reply
P1429
I don't think that fixes the issue. If the browser doesn't know how to deal with a feature, the server may be able to tell that the browser lacks the capability by the lack of follow-up requests. Although this suggests a solution: The browser shouldn't be automatically making follow-up requests at all. Instead everything needed to render a page ought to be delivered in a single response to the query for the page.

P1432
I can definitely see how this could cause a tension between privacy and pages "just working." But maybe "be flexible in what you accept" isn't as helpful as it's commonly thought to be. There does seem to be a move away from this philosophy in HTML parsing, first with the attempt at getting XHTML to take off, and then when that largely didn't happen, having the specification say exactly how you're supposed to parse broken HTML.
P1454 link reply
>everything needed to render a page ought to be delivered in a single response to the query for the page.
That used to be the case until (((embrace, extend, extinguish)))
P1456 link reply
P1454
As far as I know the web didn't initially have the capability I'm talking about. You can do it now with data: URIs, but it's awkward for large files and delivers the content in the wrong order (text ought to load before images). The big disadvantage is that it breaks caching. Of course if you wanted to make anti-tracking your #1 priority above all else, you'd have to get rid of caching because it too can be used to track users.
P1462 link reply
P1456
HTTP/2 has a better version
https://en.wikipedia.org/wiki/HTTP/2_Server_Push
but it still has the issue of re-sending files to the client that it already has cached.
P4365 link reply
Isn't RC4, SSL3/TLS1.0 ?

No one uses this anymore and it's disabled by default.
P4372 link reply
Gopher protocol doesn't have a browser-volunteering-things-about-itself step, you just send an item specifier string and the server sends back what was specified.
There was the idea of allowing clients to modify requests by adding additional strings after the request-finishing crlf, but you might as well just have different items so this was never adopted.
Relatedly, gopher does not have a mechanism for https. This is a feature as this thread indicates, and gemini's modification of gopher to just be web again is not good.
P4419 link reply
P1093
>brave
ISHYDDT
P4420 link reply
P1427
so it's basically to optimize on different browsers
P4795 link reply
P4796 link reply
can you do gemini over tor or i2p?
P4806 link reply
P4795
gemini actually sucks (not that fluffy), as i read on some gemini page that there is a conflict of parties between supporters in-protocol cryptography handling and who thinks otherwise. situation is something like competing DoH, DoT and others. will gemini be supported by mozilla trannies? i'd rather poromote gopher.
P4844 link reply
Identical vs random fingerprint, tor took the identical because imo its easier than wondering if random is truly random and if that will break more stuff. Its the same reason they leave js fully enabled by default, to make everything work even though its stupid unsafe and allows fingerprinting.

Brave does random but cant or hasnt done everything random yet leaving users still fingerprinted, and some things are randomized on windows but not linux, its a clusterfuck that doesnt really work.
P4845 link reply
P4844
Post that somewhere other than here.
P4846 link reply
P4844
Giving everyone an identical random distribution of fingerprints could be slightly better in theory than giving everyone a single identical fingerprint, in the situation where there's a lot of different implementations and no hope of getting them all to coordinate. With the random approach, it's possible that someone trying to fingerprint you could mix up two different implementations without the implementations having to coordinate with each other. Of course if you have bugs like
>some things are randomized on windows but not linux
it's a broken system that's actually making things worse.
P5214 link reply
Everyone should just use Google Chrome and not change any settings then fingerprinting wouldn't be a problem :)
P5223 sage link reply
>hurr durr why dont they just fix one of the 10,000 fingerprinting vectors?
typical retard /g/ autist OP
P5224 GNU+Pony link reply
>Everyone should just use Google Chrome and not change any settings then fingerprinting wouldn't be a problem :)
Everyone should block everything by default and selectively allow scripts via uMatrix, use Tor or I2P, and avoid all Cloudflare websites and then fingerprinting wouldn't be a problem ^_^
P5225 link reply
P5224
Everyone should block all JavaScript, always, and never allow it via anything, use airgapped systems that aren't connected to the Internet, using a separate device which forces all traffic over Tor as a buffer, and avoid using any website when possible and then fingerprinting wouldn't be a problem.
P5226 link reply
P5225
Everyone should burn themselves to ashes, eliminating all possibility of digital or physical forensics, and then fingerprinting wouldn't be a problem.
P5257 link reply
P5226
Everyone should go back in time to kill their own mothers before they're conceived, eliminating their existence, and therefore all possibility of digital or physical forensics, and then fingerprinting wouldn't be a problem.
P5266 link reply
P5224
>avoid all Cloudflare websites
This but unironically. Tor and i2p prevent the sort of classical DDoS attacks. Of course this does come with the downside of when someone actually pulls off a DDoS attack of such a magnitude the whole Tor network suffers...
P5275 link reply
>f-f-f-f-f-FINGERPRINTS!!!!!!!!
just use anon stuff that ain't gay ffs, you'll be good
P5277 link reply
P5224
Go back to nanochan, ponyfaggot
P5303 link reply
P4806
Gopher is cool for what it is, but what should we use when we want user interaction?
P5394 link reply
P5303
Gopher is uniquely suitable for the modern internet over tor and i2p, since they handle security aspects of gopher's simple tcp connection, obviating legitimate uses of https.
<User interactivity:
The feature/"problem" is that gopher protocol doesn't let the server query/run anything on the client. The client initiates a tcp connection then sends a request and the server answers and that's it.
Gopher item type 7 is understood and generally implemented as being for general purpose CGI: The client sends its own message along with the item specifier. These are called moles.
There's also + for mirror/alternate servers, as has become standard between onion and i2p for places like l+j.
<You reeeeeally want some back and forth
There's item type 8 for telnet and T for tn3270, if you wanted them. I've never seen them in the wild and I don't know anything about telnet protocol. Has anyone used this/seen it used (and in what decade)?
P5227
This post brought to you by nanochan spacing
P5416 link reply
could i do my banking over gopher?
P5419 link reply
P5394
>Gopher item type 7 is understood and generally implemented as being for general purpose CGI: The client sends its own message along with the item specifier. These are called moles.
It's pretty limited compared to HTTP forms. Look for example at the people who have tried implementing imageboards on gopher. It can be done, but they use hacks like uploading images from URLs in a separate action from making a text post.

P5416
I think you could do it in principle if your bank offered it, but the moment you needed to do anything interactive like initiate a money transfer between accounts, it would get really inconvenient really fast.
P5510 link reply
Has gopher development stopped?
P5541 link reply
P5510
Yes it stopped 30 years ago with RFC1436. There was a set of ideas for unnecessary addons that violated the original principles named gopher+, but it was ignored. The gist was that the client would keep sending information after the CRLF that finishes the item specifier to provide context to the server: But you might as well just have a different item specifier.
P5416
A gopher connection to an onion or i2p address would be much safer and more private than an https clearweb connection.
Ignoring P5419's point that web-style text image embedding sucks, their point that gopher specifically forbids interactibility means gopher protocol has no way of getting a (yes-or-no-p "Delete your monero private key?").
Which leads us back to P5494 : Gopher has a solution for interactability. Item types 8 and T are in effect- the item specifier is asking "give me a telnet session" or "give me a tn3270 session" [for interactibility]. I don't know what those are like. I'm vaguely aware nc(1) says it's like telnet(1) but scripts nicely and reports errors better. tn3270 is an attempt to provide a more sophisticated shell in the spirit of telnet, that is not like telnet(1) I think.
So for your banking there would be something like on the server:
TBanking session start-tn3270 monerobank.i2p 70
and the server would provide you a whatever tn3270 is interactive connection to (yes-or-no-p) your banking or w/e. tn3270 is its own thing; you are just requesting by gopher to get a connection like that.
telnet, like gopher does not include good cryptographic practices in its spec. This is smart, because reasonable practice quickly changes. Instead the crypto comes via i2p, whose job it is to make point to point communication private and safe.
P5548 link reply
/r/ does anyone have a reference for tn3270. I will have a look at telnet(1) and maybe make something.
P5555 link reply
P5548
I guess it's this RFC. https://www.rfc-editor.org/rfc/rfc1576 though there are many later RFCs for Enhancement like https://www.rfc-editor.org/rfc/rfc2355
P5650 link reply
P5394
So tor over gopher is possible? If it is, then what the hell are we doing here?
Sorry for retardation.
P5689 link reply
P5650
Herd behavior? There was also this moment where one of the people that believed in freedom in a more anarchic way called some people that believed in freedom in a more libertarian way a Nazi over a joke in a way that affected tech media at the time, so there were drops of bad blood.
What is the gopher onion initiative? If inferiorchan stays dead we should go check over there, or start a colony in i2p in a similar way.
P5690 link reply
P5650
I read someone experimenting with this before. I might try an unlicensed knock-off of their code.
P5901 link reply
P5394
I've been saying this for ages now. Gopher is the perfect protocol for publishing static content over tor. Anything else can be done in a different protocol.
>online banking
Why? Use monero.
>anonymous discussion
Hidden usenet hierarchy
P5650
Yes. What the hell are we doing here? We should have a directory of hidden gopherholes by now.
P6199 link reply
I'm going to debase this thread into my personal blog of digging a burrow and introducing a colony of gophers to i2p.
Some notes:
i2p: There's already the gopher onion initiative, who are not us.
The de facto 2? developer modern gopher server is gophernicus, which can be built for openbsd inetd with some odd unveil(2) and pledge(2)s.
This is pretty good, but it doesn't look enough like openbsd httpd.
So I'm:
1. tangentially, going to read that book someone published on web hosting openbsd
2. formally modelling relevant trivial behaviors of gophernicus
3. " openbsd httpd
4. Hard fork gophernicus and/or openbsd httpd using an axe
5. consciously breaking support with all non-openbased systems.
Will post weekly updates into this bread, if OP will forgive my subversion. I'm going to ballpark it at 4 weeks until airborne.
Comments, criticism welcome.
Other notes:
Lynx is the de facto browser for gophernicus (alternative to firefox plugin), though it extremely sucks and needs to be replaced. It runs a trivial conversion of text files into html, and then browses the html.

authorship- having a targetable author is a weakness. any and all creation is credited to an anonymous hacker. Read the code
P6202 link reply
*The book is Httpd and Relayd Mastery. God I'm less dumb already
P6213 link reply
P6202 sadly, the book didn't say anything else interesting to me after chapter 2.
Chapter 3 is a long spoken word version of patterns(7), then it talks about running wordpress sites in chroots, and then about relayd(8) load balancing. It's a good autobiography of a sysadmin though. I think he was playing a scripting-languages-I-hate version of Mornington Crescent. sh .. lua .. PHP .. ansible
So I guess I know a bit more about how httpd looks from the front, now to inspect its backend.
Afterward: >a lack of features /is/ a feature. Enjoy your peace and quiet.
P6227 link reply
P6199
>Lynx is the de facto browser for gophernicus
lol wat? i mostly see sacc(1) being recommended, and i find it much better than lynx to browse gopherspace. i also tried another one that i forgot the name, it was very quaint, it ran on the command line (no curses interface)
also there is another server called geomyidae that i use
i havent used gophernicus because when i was looking for a gopherserver i found geomyidae, and i can build with a simple `make`, unlike gophernicus that uses `./configure` autism
generally i find that ./configure is a sign of bloatware, simple software needs at the most extreme case one make recipe for each OS
geomyidae for example has the option to build it with or without TLS support depending on which flags you set
tbh i dont even know what exactly ./configure is, i think it is something from autoconf (which i have only ever heard bad things about) that autogenerates a makefile, and i think this is dumb because you are autogenerating a thing that will then autogenerate an executable. why not autogen the exec directly?
P6271 link reply
P5901
>>anonymous discussion
>Hidden usenet hierarchy

Does anything like this exist already? Certainly there are ways to post to Usenet anonymously, but given that it's normal to post non-anonymously, and anyone still using it is desperately trying to filter out the spam, you're likely to be filtered by people's killfiles if you try to post to the Big 8 that way. I've seen alt.anonymous.messages, but it's all walls of PGP-encrypted text.
P6272 link reply
I think that sdf (if I knew what sdf was) uses gophernicus [gopher mole cgi]. Further, gophernicus has included some openbsd niceties, however awkwardly and as they say in their readme, you know, change unveil to what you want - hence the human-in-the-loop build, I think.
On the openbsd ports gophernicus build -> /usr/local/share/doc/gophernicus/README it suggests Firefox with OverbiteFF or else Lynx. That web book's author also liked Lynx funnily enough.
I see sacc in the ports tree, I will have a look at it too. sacc seems to be a gopher browser, whereas Lynx is an ancient kitchen sink terminal browser.
Gophermyidae I heard of somewhere too though I don't see it in ports. Is that what they like over at the onion gopher-people?
P6284 link reply
i remembered the suckless (no relation) gopher browser: cgo(1)
check it out too
>sacc seems to be a gopher browser, whereas Lynx is an ancient kitchen sink terminal browser.
yea the reason i prefer sacc is because it was made specifically for gopher, so its way comfier for that than lynx
>Is that what they like over at the onion gopher-people?
i think so
i downloaded it off the bitreich.org's onion service, they have this directory called The Gopher Onion Initiative and there they recommend geomyidae as a server
it is a weird program because it doesnt have a config file, you configure it with command line arguments when you invoke, i just modified the init service they provided to read envvars off a file and use those as arguments
they tell you to use lynx there but i think it is because thats what people commonly have, on a different section they recommend sacc and clic (another client) to browse
i havent test clic, i dont remember what was it about it that bothered me, but whatever sacc is good enough for me, im not gonna waste my time with other clients unless they have something outstanding to show
i modified sacc to have it show more information on the status bar, it was pretty fun hacking it
i like software like that with a sauce thats easy to understand
anyway, try it out
torsocks git clone git://enlrupgkhuxnvlhsf6lc3fziv5h2hhfrinws65d7roiv6bfj7d652fid.onion/sacc/
or download it off the ports idk
have you seen their gopherhole yet? gopher://enlrupgkhuxnvlhsf6lc3fziv5h2hhfrinws65d7roiv6bfj7d652fid.onion
oh i dont know any gophers that pee, tell me some too
maybe openbsd doesnt have cgo, so here it is https://github.com/kieselsteini/cgo/archive/refs/tags/v0.6.1.tar.gz [spoiler: yikes, github, i know]
P6287 link reply
oh wait it was geomyidae that you couldnt find, sorry
torsocks git clone git://enlrupgkhuxnvlhsf6lc3fziv5h2hhfrinws65d7roiv6bfj7d652fid.onion/geomyidae/
P6296 link reply
Thanks for the links, I've never actually gone beyond the front page of their onion gopherhole because I didn't really think of a good way for me to use their IRC. I post on anonymous forums rather than live chats.
According to my todo list, next I'm meant to make a trivial behavioral model of some of the gopher server suspects.
Do you know if gophermyidae supports being run via inetd? If it does I'll cram it into the ensuing week too. And I'll try changing gopher browser by moonlight.
What do you think about i2p and/or/versus https? I don't ever want "exit node" traffic, so I could care less about that, but what about wanting to use https to encrypt traffic /to/ the socks5 proxy over a network. The gophernicus people add stunnel to running their gophers to get normal https crypto. I kind of want to say that if you're sending unencrypted traffic across a network irresponsibly it's not really my business.
P6299 link reply
>a trivial behavioral model of some of the gopher server suspects.
huh?
>inetd
eh?
>changing gopher browser by moonlight
@_@
P6301 link reply
P6296
>What do you think about i2p and/or/versus https?
pretty comfy, like over tor
gopher was basically made for i2p
no encryption, but i2p is e2ee so it doesnt matter (would even be redundant), and very low bandwidth usage
>I don't ever want "exit node" traffic
yea leave that meme for tor
>https to encrypt traffic /to/ the socks5 proxy over a network
the proxy already takes care of the encryption, so why bother? plus, i2p's b32 address already take care of identity verification, so double pointless
has the tls mafia already gotten into issuing .b32.i2p certificates? god i hope not
>The gophernicus people add stunnel to running their gophers to get normal https crypto.
wtf with the ./configure autism i thought they at least supported encryption
i mean, sacc has tls support so i figured some gopher servers independently implemented gophers://
>I kind of want to say that if you're sending unencrypted traffic across a network irresponsibly it's not really my business.
but im a hackerino, so it very much is my business wink wink
P8249 link reply
Is there a way to tell sacc to use less for text documents instead of more?
P8250 link reply
P8249
You will have to edit the sauce. But it's pretty easy. Or use gayteways like a normal person, gopher is good for nothing anyway.
P8262 link reply
P8249
yes you can do it like P8250 said and edit the sauce directly or you could have just read and see that it calls the $PAGER environment variable when opening a text, so just set PAGER to less before calling sacc
but personally i just made it a variable on config.h
btw another annoying thing with sacc is the buffer size, it wont work if the gophermap you are trying to load is bigger than that
what i did was just define my own BUFFER_SIZE in config.h and replace every BUFSIZ in the source with it, so that it allocates enough memory for large holes
P8307 link reply
>Do you know if gophermyidae supports being run via inetd?
I've written such a program; here's the necessary information, over Gopher:
gopher://verisimilitudes.net/12019-03-30

The sacc client or whatever isn't so great; that's the Common Lisp client, right? I greatly improved it, as it was terribly written, but none of my changes were accepted due to being AGPLv3 and I later discarded them. Emacs clients are better.
P8309 link reply
P8307
>The sacc client or whatever isn't so great; that's the Common Lisp client, right?
no, i think thats the other one
sacc is written in C
P54205 link reply
P8307
Gopher client:
gophuckyourself() { u=${1#gopher://}; echo /${u#*/?/} | nc ${u%%/*} 70; }

Gopher inetd server:
70 stream tcp nowait nobody /bin/cat cat /var/gopher/${1##*/}
P54206 link reply
P54205
Ok so I'm retarded and fucked up the server. But it's nearly as simple. Obviously you're reading the selector on standard input not from argv.
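#!/bin/sh
# in /usr/local/bin/poo
# inetd hands us the connection on stdin/stdout; the selector is the first line
IFS= read -r sel
sel=${sel%"$(printf '\r')"}          # drop the CR of the CRLF that ends a gopher request
case $sel in *..*) exit 1 ;; esac    # refuse selectors that climb out of /var/gopher
cat "/var/gopher/${sel#*/}"
# in /etc/inetd.conf
70 stream tcp nowait nobody /usr/local/bin/poo poo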
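
The handler in the post above maps the client's selector onto a path under /var/gopher, so the selector is untrusted input that decides which file gets read. An added example (not code from the thread) of an inetd handler that validates the selector before touching the filesystem; the names gopher_resolve, gopher_serve and GOPHER_ROOT, the install path and the "serve" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed inetd.conf entry
# (hypothetical install path):
#   70 stream tcp nowait nobody /usr/local/bin/gopher-handler gopher-handler serve
LC_ALL=C; export LC_ALL                  # make the A-Z / a-z ranges below byte-exact
GOPHER_ROOT=${GOPHER_ROOT:-/var/gopher}  # document root (assumption)
CR=$(printf '\r')
TAB=$(printf '\t')

# gopher_resolve REQUEST_LINE
# Prints the file to serve and returns 0; returns 1 if the request is refused.
gopher_resolve() {
    sel=${1%"$CR"}        # requests end in CRLF; read already removed the LF
    sel=${sel%%"$TAB"*}   # type 7 requests are "selector TAB words"; static files ignore the words
    while [ "${sel#/}" != "$sel" ]; do sel=${sel#/}; done   # make it root-relative
    [ -n "$sel" ] || sel=gophermap                          # empty selector = top menu

    case $sel in
        *[!A-Za-z0-9._/-]*) return 1 ;;       # allowlist: no spaces, control, shell or glob characters
        ..|../*|*/..|*/../*) return 1 ;;      # no parent-directory components
    esac

    path=$GOPHER_ROOT/$sel
    [ -f "$path" ] || return 1                # regular files only, never directories or devices
    [ ! -L "$path" ] || return 1              # a symlinked file could point anywhere

    # A symlinked directory can still lead outside the root, so compare the
    # physical directory of the file with the physical root.
    root=$(cd -P "$GOPHER_ROOT" 2>/dev/null && pwd -P) || return 1
    dir=$(cd -P "$(dirname "$path")" 2>/dev/null && pwd -P) || return 1
    case $dir/ in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$path"
}

# gopher_serve: one request on stdin, one response on stdout, as inetd runs it.
gopher_serve() {
    IFS= read -r line || [ -n "$line" ] || return 0
    if file=$(gopher_resolve "$line"); then
        cat "$file"
    else
        # Item type 3 is the RFC 1436 error item. The text is fixed so that
        # nothing from the request is echoed back to the client.
        printf '3Not found\terror\tinvalid\t0\r\n.\r\n'
    fi
}

if [ "${1:-}" = serve ]; then
    gopher_serve
fi
```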