@vmedea @kieran My assertion that the hostname came from the HTTP referer is based on some investigation I did for a friend. I could see, in one of the websites that he had logged into, the name of his iPhone. He certainly hadn’t submitted it manually, so I just assumed it had come from the referer via User-Agent. Maybe I’m wrong and it leaked through an app or something, like if Apple just hands the device name to any old app by default.
It sounds like host1, host2, etc. is probably the best policy, unless you can get sufficient protection by disabling transmission altogether via “ipv4.dhcp-send-hostname” and “ipv6.dhcp-send-hostname” (if they even work, which might be hard to determine).
The problem with tracking down leaks via signature strings is that some of them might occur under HTTPS. Unfortunately, I’ve never bothered to log sightings of escaped hostnames, so I have no information as to where they come from, which means I have no better suggestion than signature strings.
At least, there is a fix to the rare OS name problem. PureOS should implement it by calling itself something popular like “Ubuntu”, but probably won’t, which means we need to rely on a browser plugin. This is a problem because privacy-related plugins are famous for compromising privacy (so eff.org would be a good place to look for safer ones) and using the plugin might be as rare as using the OS in the first place, or rare enough to be an anonymity problem if it induces other telltale behavioral changes. I should emphasize that I’m just trying to raise the bar for identification, not make it impossible, which even Tor doesn’t do.
@Dwaff I know but I don’t see that we have any better rough approximation of popularity rankings.
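One way to determine whether the DHCP hostname settings mentioned above actually take effect, as an added example that is not part of the original post: parse a captured DHCPv4 message and report any client name it carries (Host Name option 12 or Client FQDN option 81). The function names are hypothetical, the sample packet builder uses a made-up transaction ID and MAC address, and DHCPv6 is not covered.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
HOSTNAME, CLIENT_FQDN = 12, 81       # option codes that carry the client's name

def parse_options(payload: bytes) -> dict:
    """Return {code: value} for the options of a DHCPv4 UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end
        code = payload[i]
        if code == 0:                                # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + value     # split options are concatenated
        i += 2 + length
    return opts

def dns_labels(data: bytes) -> str:
    """Decode length-prefixed DNS labels (used when the FQDN option's E flag is set)."""
    labels, i = [], 0
    while i < len(data) and data[i]:
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def leaked_names(payload: bytes) -> dict:
    """Names this DHCP message discloses to the network; empty dict if none."""
    opts, found = parse_options(payload), {}
    if HOSTNAME in opts:
        found["hostname"] = opts[HOSTNAME].rstrip(b"\x00").decode("ascii", "replace")
    fqdn = opts.get(CLIENT_FQDN, b"")
    if len(fqdn) > 3:                                # flags, rcode1, rcode2, then the name
        name = fqdn[3:]
        found["fqdn"] = dns_labels(name) if fqdn[0] & 0x04 else name.decode("ascii", "replace")
    return found

def sample_discover(options: bytes) -> bytes:
    """Constructed DHCPDISCOVER (made-up xid and MAC) with the given raw options."""
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0) + bytes(16)
    return head + bytes.fromhex("020000000001") + bytes(202) + MAGIC + options + b"\xff"
```

Feed `leaked_names` the UDP payloads (ports 67/68) captured while the interface reconnects; an empty result for every client message means neither option was sent.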