Opened 20 months ago

Last modified 20 months ago

#18854 assigned defect

Orfox's UserAgent different than other TBB

Reported by: ikurua22
Owned by: n8fr8
Priority: Medium
Milestone:
Component: Applications/Orbot
Version:
Severity: Normal
Keywords: Orfox
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://tor.stackexchange.com/questions/4890/tor-browser-user-agent-strings

Currently, TBB uses a Windows UA as the default.

(Tested with the latest TBB; if I'm mistaken, correct me with the latest data.)
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

However, Orfox uses Android itself.
Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0

Even though Orfox is for Android smartphones,
I think Orfox should use the default TBB UA for anti-fingerprinting.

Change History (6)

comment:1 Changed 20 months ago by ikurua22

Or,

[X] Request Desktop Site <---set it to default, then use Windows UA.

If the user unchecks it, show a big warning, something like

"You are willing to let websites know you are using Android, rather than stay anonymous with other TBB users.
Do you really want to do this?

Yes | No"

comment:2 Changed 20 months ago by ikurua22

Severity: Normal → Critical

FYI, in current Orfox, if I check that box:


Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0

& new:
HTTP_PRAGMA | no-cache

Hmmmmmm... not so anonymous, don't you think?

comment:3 Changed 20 months ago by n8fr8

Severity: Critical → Normal
Status: new → assigned

We made the conscious decision to use a mobile user agent for Orfox so that you would receive mobile formatted sites when browsing. This means your user-agent is within the set of Firefox for Android users on the same version, etc, and definitely within the pool of 1 million or so current Orfox users.

Even if we used the same TBB user agent, the size of your screen/browser window would fairly clearly indicate you were on an Android device, or at least a mobile device.

There is only so much we can do at this time.

comment:4 Changed 20 months ago by ikurua22

> the size of your screen/browser window would fairly clearly indicate you were on an Android device

If the user enables (default) JavaScript, right?
I turned off JS completely, so how would the attacker know I'm using mobile?

Ok, so

[X] Request Desktop Site

Please consider replacing this UA (Linux #2) with the Windows TBB UA.

comment:5 in reply to:  4 Changed 20 months ago by cypherpunks

Replying to ikurua22:

>> the size of your screen/browser window would fairly clearly indicate you were on an Android device

> If the user enables (default) JavaScript, right?
> I turned off JS completely, so how would the attacker know I'm using mobile?

CSS, for one thing.

Using the same UA string as Tor Browser would not prevent distinguishing Orfox, IMO. There are so many more fingerprinting vectors.

comment:6 Changed 20 months ago by arma

Priority: Very High → Medium
Summary: Orfox is NOT ANONYMOUS - UserAgent different than other TBB → Orfox's UserAgent different than other TBB
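
The header comparison discussed in comments 2 to 5, as an added example that is not part of the ticket or of Orfox or Tor Browser code: it parses the three User-Agent strings quoted above and lists which fields set a request apart from the Tor Browser baseline. The function names are hypothetical, and the sample header sets are constructed from the values quoted in the ticket.

```python
import re

# User-Agent strings quoted in the ticket.
TBB_UA = "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
ORFOX_UA = "Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0"
ORFOX_DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"

UA_RE = re.compile(r"Mozilla/5\.0 \(([^)]*)\) Gecko/(\S+) Firefox/(\S+)")


def parse_firefox_ua(ua):
    """Split a Firefox-style UA into comparable fields, or None if it does not fit."""
    m = UA_RE.fullmatch(ua.strip())
    if m is None:
        return None
    tokens = [t.strip() for t in m.group(1).split(";") if t.strip()]
    return {
        "platform": tuple(t for t in tokens if not t.startswith("rv:")),
        "rv": next((t[3:] for t in tokens if t.startswith("rv:")), None),
        "gecko": m.group(2),
        "firefox": m.group(3),
    }


def ua_differences(ua, baseline=TBB_UA):
    """Names of the UA fields whose value differs from the baseline UA."""
    base, seen = parse_firefox_ua(baseline), parse_firefox_ua(ua)
    if base is None:
        raise ValueError("baseline is not a Firefox-style UA")
    if seen is None:
        return ["unparseable"]
    return sorted(k for k in base if base[k] != seen[k])


def header_differences(headers, baseline):
    """Header names present on only one side (compared case-insensitively)."""
    seen = {k.lower() for k in headers}
    base = {k.lower() for k in baseline}
    return {"extra": sorted(seen - base), "missing": sorted(base - seen)}


if __name__ == "__main__":
    # Constructed request: desktop-mode UA plus the Pragma header from comment 2.
    baseline = {"User-Agent": TBB_UA}
    observed = {"User-Agent": ORFOX_DESKTOP_UA, "Pragma": "no-cache"}
    for name, ua in [("Orfox", ORFOX_UA), ("Orfox desktop mode", ORFOX_DESKTOP_UA)]:
        print(name, "differs from TBB in:", ua_differences(ua))
    print("header names:", header_differences(observed, baseline))
```
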