Opened 5 years ago

Closed 4 years ago

Last modified 12 months ago

#15162 closed defect (fixed)

Tor Messenger user agent (and other identifying strings)

Reported by: sukhbir Owned by: sukhbir
Priority: Medium Milestone:
Component: Archived/Tor Messenger Version:
Severity: Keywords:
Cc: arlolra, gk, mikeperry, arma, dgoulet Actual Points:
Parent ID: #14161 Points:
Reviewer: Sponsor:

Description

We are setting the user agent and other identifiable bits like XMPP resource to an empty string. But with CTCP, we are still revealing information about Tor Messenger (see #15161).

We should decide how we want to identify Tor Messenger, whether by setting the user agent to an empty string, or setting it to some known product like Thunderbird or Instantbird.

Child Tickets

Change History (13)

comment:1 Changed 5 years ago by sukhbir

Cc: mikeperry armadev added

comment:2 Changed 5 years ago by gk

Cc: arma added; armadev removed

comment:3 Changed 4 years ago by arlolra

We took a page from Tor Browser here, which says

All Tor Browser users MUST provide websites with an identical user agent and HTTP header set for a given request type. We omit the Firefox minor revision, and report a popular Windows platform. If the software is kept up to date, these headers should remain identical across the population even when updated.

In #15161, sukhbir wrote,

For the user agent which is reflected in CTCP version (among other places) we are using Instantbird 1.5 which is the user agent of Instantbird stable.

comment:4 Changed 4 years ago by arlolra

Resolution: fixed
Status: newclosed

comment:5 Changed 4 years ago by arlolra

Cc: dgoulet added
Resolution: fixed
Status: closedreopened

comment:6 Changed 4 years ago by arlolra

The user agent seems quite powerfully revealing, is that on purpose to make it as Instantbird would be? It leaks my OS though, not that big of a deal probably.

(Instantbird 1.5 (20150629030833), Gecko 38.1.0esrpre (20150629030833) on Linux x86_64)

comment:7 in reply to:  6 ; Changed 4 years ago by sukhbir

Resolution: fixed
Status: reopenedclosed

Replying to arlolra:

The user agent seems quite powerfully revealing, is that on purpose to make it as Instantbird would be? It leaks my OS though, not that big of a deal probably.

(Instantbird 1.5 (20150629030833), Gecko 38.1.0esrpre (20150629030833) on Linux x86_64)

This is from the debug window, where this header is set manually (see imAccounts.js:L334)

      let header =
        `${appInfo.name} ${appInfo.version} (${appInfo.appBuildID}), ` +
        `Gecko ${appInfo.platformVersion} (${appInfo.platformBuildID}) ` +
        `on ${HttpProtocolHandler.oscpu}`;

So this is a local header and not the user agent string; the user agent is Instantbird/__APP_VERSION__ or Instantbird 1.5 in our case.

comment:8 in reply to:  7 Changed 4 years ago by gk

Resolution: fixed
Status: closedreopened

Replying to sukhbir:

So this is a local header and not the user agent string; the user agent is Instantbird/__APP_VERSION__ or Instantbird 1.5 in our case.

I don't think so. You see the user agent on the About Tor Messenger page or if you evaluate |navigator.userAgent| in the error console. It currently leaks the OS and architecture used. On a 64 bit Linux system I get:

Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Instantbird/1.5

I have not checked whether this is only accessible to privileged code but I somehow doubt that. I guess you want to fix that, thus reopening.

comment:9 Changed 4 years ago by arlolra

Parent ID: #14161

comment:10 Changed 4 years ago by arlolra

Owner: set to sukhbir
Status: reopenedassigned

comment:11 Changed 4 years ago by sukhbir

Fixed in 64de1fc1e. We are now setting the user agent string to Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Instantbird/1.5 on all platforms, which is Instantbird stable on Windows. I have confirmed this with navigator.userAgent. (We are removing the user agent from the about screen to not confuse the users.)

comment:12 Changed 4 years ago by sukhbir

Resolution: fixed
Status: assignedclosed

comment:13 Changed 12 months ago by traumschule

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should done earlier :)

sad but true:
https://blog.torproject.org/sunsetting-tor-messenger

luckily there are alternatives:
https://blog.torproject.org/tor-heart-onion-messaging

.. and maybe someday

Note: See TracTickets for help on using tickets.