
545 points mmh0000 | 9 comments

ryao No.43573858
Did they also set IP_TTL to set the TTL value to match the platform being impersonated?

If not, then fingerprinting could still be done to some extent at the IP layer. If the TTL value in the IP layer is below 64, it is obvious this is either not running on modern Windows or is running on a modern Windows machine that has had its default TTL changed, since by default the TTL of packets on modern Windows starts at 128 while most other platforms start it at 64. Since the other platforms do not have issues communicating over the internet, IP packets from modern Windows will always be seen by the remote end with TTLs at or above 64 (likely just above).

That said, it would be difficult to fingerprint at the IP layer, although it is not impossible.

replies(3): >>43573901 >>43574995 >>43576160
1. fc417fc802 No.43576160
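The inference ryao describes above, written out as an added example (not code from the thread or from the project under discussion). It guesses which of the common initial TTLs (64, 128, 255; assumed here as the only candidates) a packet started from, flags TTLs that cannot have come from a default Windows stack, and shows the IP_TTL socket option an impersonating client would set. The observed TTL values at the bottom are constructed sample inputs.

```python
import socket

# Initial TTLs that common IP stacks start from (assumption: only these three
# matter). Routers only ever decrement, so a value seen on the wire is one of
# these minus the number of routers it crossed.
COMMON_INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Return (probable initial TTL, hop count) for a TTL seen on the wire.

    The nearest common starting value at or above the observed TTL is assumed:
    117 is read as a 128-start stack 11 hops away, not a 255-start stack
    138 hops away, because real paths are nowhere near that long.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("observed TTL must be 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every legal TTL")


def ttl_consistent_with_windows(observed_ttl):
    """True if the TTL could have left a default-configured modern Windows host.

    Windows starts at 128, so anything at or below 64 would need 64+ hops,
    which no practical Internet path has. That is the fingerprint ryao
    points out: a TTL below 64 rules out an unmodified Windows sender.
    """
    initial, hops = guess_initial_ttl(observed_ttl)
    return initial == 128 and hops < 64


def set_ttl_and_read_back(ttl):
    """Set IP_TTL on a throwaway UDP socket and return what the kernel reports.

    This is the knob an impersonating client has to turn so its packets
    leave with 128 instead of the platform default. Returns None if the
    socket cannot be created at all (e.g. a sandbox without AF_INET).
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed sample observations, not captured traffic.
    for seen in (117, 57, 250, 64, 128):
        initial, hops = guess_initial_ttl(seen)
        print(f"ttl={seen:3d} -> started at {initial:3d}, {hops:3d} hops, "
              f"windows-plausible={ttl_consistent_with_windows(seen)}")
    print("kernel reports IP_TTL =", set_ttl_and_read_back(128))
```

The classifier is deliberately coarse: it cannot distinguish a 64-start host from a 128-start host that really is 64+ hops away, and a Windows sender that has changed its default (or a client that calls `setsockopt` as above) defeats it entirely, which is exactly the question the comment raises.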
What is the reasoning behind TTL counting down instead of up, anyway? Wouldn't we generally expect those routing the traffic to determine if and how to do so?
replies(3): >>43576272 >>43578577 >>43583188
2. sadjad No.43576272
The primary purpose of TTL is to prevent packets from looping endlessly during routing. If a packet gets stuck in a loop, its TTL will eventually reach zero, and then it will be dropped.
replies(1): >>43576457
3. fc417fc802 No.43576457
That doesn't answer my question. If it counted up then it would be up to each hop to set its own policy. Things wouldn't loop endlessly in that scenario either.
replies(3): >>43576561 >>43576648 >>43578588
4. burnished No.43576561
This is a wild guess but: I am under the impression that the early internet was built somewhat naively so I guess that the sender sets it because they know best how long it stays relevant for/when it makes sense to restart or fail rather than wait.
5. knome No.43576648
It does make traceroute, where each packet is fired with one more available step than the last, feasible, whereas 'up' wouldn't. Of course, then we'd just start with max-hops and walk the number down I suppose. I still expect it would be inconvenient during debugging for various devices to have various ceilings.
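The traceroute mechanism knome refers to, and the loop termination sadjad mentioned earlier, as an added example (not code from the thread). It models a constructed path of four routers plus a second table with a deliberate forwarding loop; the router names and the "decrement, then drop at zero" rule are assumptions for the simulation, standing in for real routers and ICMP Time Exceeded replies.

```python
# Constructed topology (not a real network): each router maps to its next
# hop; None means the next hop is the destination host itself.
PATH = {"r1": "r2", "r2": "r3", "r3": "r4", "r4": None}
# Same idea with a misconfiguration: r3 forwards back to r2.
LOOPED_PATH = {"r1": "r2", "r2": "r3", "r3": "r2"}


def forward(table, first_hop, ttl):
    """Walk one packet through `table` starting at router `first_hop`.

    Every router decrements the TTL and discards the packet once it reaches
    zero, returning ("time-exceeded", router) the way an ICMP Time Exceeded
    message identifies the router that dropped it. A packet that reaches the
    destination returns ("delivered", routers_crossed).
    """
    node = first_hop
    hops = 0
    while True:
        ttl -= 1
        hops += 1
        if ttl == 0:
            return ("time-exceeded", node)
        nxt = table[node]
        if nxt is None:
            return ("delivered", hops)
        node = nxt


def traceroute(table, first_hop, max_ttl=30):
    """Probe with TTL 1, 2, 3 ... and record where each probe expires.

    Returns (list_of_routers, reached). This only works because the sender
    controls where the packet dies: with a count-down to a fixed zero, a
    TTL of n expires at exactly the n-th router. Looping paths show up as
    the same routers repeating until max_ttl runs out.
    """
    route = []
    for ttl in range(1, max_ttl + 1):
        status, info = forward(table, first_hop, ttl)
        if status == "delivered":
            return route, True
        route.append(info)
    return route, False


if __name__ == "__main__":
    print("normal path:", traceroute(PATH, "r1"))
    print("looped path:", traceroute(LOOPED_PATH, "r1", max_ttl=6))
    # Even a large TTL terminates in the loop instead of circulating forever.
    print("loop with ttl=64:", forward(LOOPED_PATH, "r1", 64))
```

Running it prints the four routers in order for the normal path, the alternating `r2`, `r3` pattern for the looped one, and a time-exceeded result rather than a hang for the 64-TTL packet sent into the loop.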
6. ryao No.43578577
If your doctor says you have only 128 days to live, you count down, not up. TTL is time to live, which is the same thing.
replies(1): >>43589640
7. ryao No.43578588
Then random internet routers could break internet traffic by setting it really low and the user could not do a thing about it. They technically still can by discarding all traffic whose value is less than some value, but they don’t. The idea that they should set their own policy could fundamentally break network traffic flows if it ever became practiced.
8. therealcamino No.43583188
To allow the sender to set the TTL, right? Without adding another field to the packet header.

If you count up from zero, then you'd also have to include in every packet how high it can go, so that a router has enough info to decide if the packet is still live. Otherwise every connection in the network would have to share the same fixed TTL, or obey the TTL set in whatever random routers it goes through. If you count down, you're always checking against zero.

9. kevindamm No.43589640
Although, more accurately it's like "transmissions to live" since it doesn't have anything to do with time, regardless of its original naming.