Tor Messenger user agent (and other identifying strings)

We are setting the user agent and other identifiable bits like XMPP resource to an empty string. But with CTCP, we are still revealing information about Tor Messenger (see #15161 (closed)).

We should decide how we want to identify Tor Messenger, whether by setting the user agent to an empty string, or setting it to some known product like Thunderbird or Instantbird.

added component::archived/tor messenger owner::sukhbir parent::14161 priority::medium resolution::fixed status::closed type::defect labels

Trac:
Cc: arlolra, gk to arlolra, gk, mikeperry, armadev

Trac:
Cc: arlolra, gk, mikeperry, armadev to arlolra, gk, mikeperry, arma

We took a page from Tor Browser here, which says

All Tor Browser users MUST provide websites with an identical user agent and HTTP header set for a given request type. We omit the Firefox minor revision, and report a popular Windows platform. If the software is kept up to date, these headers should remain identical across the population even when updated.

In #15161 (closed), sukhbir wrote,

For the user agent which is reflected in CTCP version (among other places) we are using Instantbird 1.5 which is the user agent of Instantbird stable.

Trac:
Resolution: N/A to fixed
Status: new to closed

Trac:
Cc: arlolra, gk, mikeperry, arma to arlolra, gk, mikeperry, arma, dgoulet
Resolution: fixed to N/A
Status: closed to reopened

The user agent seems quite powerfully revealing, is that on purpose to make it as Instantbird would be? It leaks my OS though, not that big of a deal probably. (Instantbird 1.5 (20150629030833), Gecko 38.1.0esrpre (20150629030833) on Linux x86_64)

Replying to arlolra:

The user agent seems quite powerfully revealing, is that on purpose to make it as Instantbird would be? It leaks my OS though, not that big of a deal probably. (Instantbird 1.5 (20150629030833), Gecko 38.1.0esrpre (20150629030833) on Linux x86_64)

This is from the debug window, where this header is set manually (see imAccounts.js:L334)

      let header =
        `${appInfo.name} ${appInfo.version} (${appInfo.appBuildID}), ` +
        `Gecko ${appInfo.platformVersion} (${appInfo.platformBuildID}) ` +
        `on ${HttpProtocolHandler.oscpu}`;

So this is a local header and not the user agent string; the user agent is Instantbird/__APP_VERSION__ or Instantbird 1.5 in our case.

Trac:
Resolution: N/A to fixed
Status: reopened to closed

Replying to sukhbir:

So this is a local header and not the user agent string; the user agent is Instantbird/__APP_VERSION__ or Instantbird 1.5 in our case.

I don't think so. You see the user agent on the About Tor Messenger page or if you evaluate |navigator.userAgent| in the error console. It currently leaks the OS and architecture used. On a 64 bit Linux system I get:

Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Instantbird/1.5

I have not checked whether this is only accessible to privileged code but I somehow doubt that. I guess you want to fix that, thus reopening.

Trac:
Resolution: fixed to N/A
Status: closed to reopened

Trac:
Parent: N/A to #14161 (closed)

Trac:
Owner: N/A to sukhbir
Status: reopened to assigned

Fixed in 64de1fc1e. We are now setting the user agent string to Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Instantbird/1.5 on all platforms, which is Instantbird stable on Windows. I have confirmed this with navigator.userAgent. (We are removing the user agent from the about screen to not confuse the users.)

Trac:
Status: assigned to closed
Resolution: N/A to fixed

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should done earlier :)

sad but true: https://blog.torproject.org/sunsetting-tor-messenger

luckily there are alternatives: https://blog.torproject.org/tor-heart-onion-messaging

.. and maybe someday

• https://cwtch.im (#27364)
• https://github.com/warner/magic-wormhole/issues/8

closed

mentioned in issue #17513 (closed)