My threat model is the general data broker fingerprinting concern while using a specific website that blocks Tor, but I don’t feel comfortable enough with VPN + Mullvad Browser alone. But since that website offers an API key to logged-in users, I thought of an idea to address my concern.
In theory, if I download the file through a terminal application (it can use a web UI to view it) or even just wget, wouldn’t the only information about me visible to the site be just the IP address (can use VPN) and the API key? (Again, I couldn’t find any information on this specific topic.)
I’m aware that this idea is at best pseudonymous due to the API key being tied to the logged in account, but this website requires you to be logged in anyway in order to be able to download anything from it, so it’s not much of a loss I guess. Also, it could maybe be safer than directly accessing the website through a web browser due to web browsers generally being the most vulnerable point of attack (even for a simple threat model like mine)?
I thought it would be better to make a new post because it changes the tone of the previous post, and could potentially help someone else searching about a similar topic in the future. For more context
Your terminal app may still send a user agent to the server (Example: User-agent - everything curl), which lets the server know what client you used. You can remove it completely or send a fake one instead, but chances are you would stand out amongst the crowd. One benefit I can think of is that you won’t be making queries to any endpoints you are not aware of in the process of loading website resources (such as images).
Admittedly, I can’t say if IP, user agent and API key are the only things the server would know, but I can’t think of anything else they can learn directly from the request. However, from the IP, they can tell which VPN you are using, and from the API key they can figure out the account associated with it.
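As an added illustration (not code from anyone in this thread), the script below starts a throwaway server on localhost and records exactly which HTTP headers a scripted client sends, with and without a replaced user agent. The `Authorization: Bearer` form and the key value are assumptions, since the site's API is not described here, and only the HTTP layer is shown: the source IP and the TLS handshake are outside what this captures.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_KEY = "CONSTRUCTED-EXAMPLE-KEY"  # placeholder, not a real credential


class _Recorder(BaseHTTPRequestHandler):
    """Stores the headers of each incoming request on the server object."""

    def do_GET(self):
        # Lower-case the names so lookups do not depend on client casing.
        self.server.seen.append({k.lower(): v for k, v in self.headers.items()})
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def observe(extra_headers):
    """Send one GET to a local one-shot server; return the headers it saw."""
    server = HTTPServer(("127.0.0.1", 0), _Recorder)  # port 0 = any free port
    server.seen = []
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    # Empty ProxyHandler: ignore proxy environment variables for this test.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = f"http://127.0.0.1:{server.server_port}/file"
    req = urllib.request.Request(url, headers=extra_headers)
    with opener.open(req, timeout=5) as resp:
        resp.read()
    worker.join(timeout=5)
    server.server_close()
    return server.seen[0]


if __name__ == "__main__":
    auth = {"Authorization": f"Bearer {API_KEY}"}
    for label, hdrs in (("default", auth),
                        ("custom UA", {**auth, "User-Agent": "example/1.0"})):
        print(label)
        for name, value in sorted(observe(hdrs).items()):
            print(f"  {name}: {value}")
```

Pointing the same recorder at the real download tool (instead of `urllib`) shows what that tool adds by default.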
Even if the crowd was smaller and it sent something like a user agent like you said, I’d imagine it would still be a much smaller number of factors (compared to a web browser) that could be used to associate the data with a specific user outside of that website. Particularly, I’d imagine keyboard strokes and mouse movement are not possible here, and I’m not using Windows either.
Through that application, you can also browse for files to download, which will include image previews too. However, I believe that since the web browser is merely serving as a web UI and not actually running the code, the requests would be made by the terminal application and not the browser (and thus not show factors a browser would end up showing), although I hope I’m not wrong here, since I think I remember seeing uBlock Origin showing things like Cloudflare for example, perhaps for allowing access to the web UI through another device if I configured it that way? If it were to show that website in it too, would that mean my efforts here would be useless?