Opened 2 years ago

Closed 7 months ago

#18854 closed defect (wontfix)

Orfox's UserAgent different than other TBB

Reported by: ikurua22
Owned by: n8fr8
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-mobile
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://tor.stackexchange.com/questions/4890/tor-browser-user-agent-strings

Currently, TBB uses a Windows UA as the default.

(Tested with the latest TBB; if I'm mistaken, correct me with the latest data.)
Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

However, Orfox uses Android itself.
Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0

Even though Orfox is for Android smartphones,
I think Orfox should use the default TBB UA for anti-fingerprinting.

Change History (8)

comment:1 Changed 2 years ago by ikurua22

Or,

[X] Request Desktop Site <---set it to default, then use Windows UA.

If the user unchecks it, show a big warning, something like

"You are willing to let websites know you are using Android, rather than staying anonymous with other TBB users.
Do you really want to do this?

Yes | No"

comment:2 Changed 2 years ago by ikurua22

Severity: Normal → Critical

FYI, in current Orfox, if I check that box:


Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0

& new:
HTTP_PRAGMA | no-cache

Hmmmmmm... not so anonymous, don't you think?
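
The comparison this ticket is making, as an added example (not part of the ticket and not Orfox or Tor Browser code): it splits the three User-Agent strings quoted above into fields and reports what separates each Orfox mode from the desktop TBB string. The profile labels and function names are assumptions of this example, and the header sets contain only the values the ticket reports.

```python
import re

# Header sets built only from values quoted in the ticket (constructed sample;
# the profile labels are this example's own, not names used by either browser).
PROFILES = {
    "tbb_desktop": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
    },
    "orfox_mobile": {
        "User-Agent": "Mozilla/5.0 (Android; Mobile; rv:38.0) Gecko/38.0 Firefox/38.0",
    },
    "orfox_desktop_site": {  # "Request Desktop Site" checked, as reported in comment 2
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0",
        "Pragma": "no-cache",
    },
}

UA_RE = re.compile(
    r"^Mozilla/5\.0 \((?P<inner>[^)]*)\) Gecko/(?P<gecko>\S+) Firefox/(?P<firefox>\S+)$"
)

def parse_ua(ua):
    """Split a Firefox-style UA into comparable fields; reject anything else."""
    m = UA_RE.match(ua)
    if m is None:
        raise ValueError(f"not a Firefox-style UA: {ua!r}")
    tokens = [t.strip() for t in m.group("inner").split(";")]
    rv = [t[3:] for t in tokens if t.startswith("rv:")]
    return {
        "platform": "; ".join(t for t in tokens if not t.startswith("rv:")),
        "rv": rv[0] if rv else None,
        "gecko": m.group("gecko"),
        "firefox": m.group("firefox"),
    }

def diff_profile(reference, candidate):
    """Return what separates candidate from reference: UA fields and header names."""
    ref, cand = parse_ua(reference["User-Agent"]), parse_ua(candidate["User-Agent"])
    out = {f"ua.{k}": (ref[k], cand[k]) for k in ref if ref[k] != cand[k]}
    for name in sorted(set(reference) ^ set(candidate)):
        out[f"header.{name}"] = (reference.get(name), candidate.get(name))
    return out

if __name__ == "__main__":
    base = PROFILES["tbb_desktop"]
    for label in ("orfox_mobile", "orfox_desktop_site"):
        print(label, diff_profile(base, PROFILES[label]))
```

An empty result would mean two profiles match on these fields only; it says nothing about the other fingerprinting vectors raised later in the thread.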

comment:3 Changed 2 years ago by n8fr8

Severity: Critical → Normal
Status: new → assigned

We made the conscious decision to use a mobile user agent for Orfox so that you would receive mobile formatted sites when browsing. This means your user-agent is within the set of Firefox for Android users on the same version, etc, and definitely within the pool of 1 million or so current Orfox users.

Even if we used the same TBB user agent, the size of your screen/browser window would fairly clearly indicate you were on an Android device, or at least a mobile device.

There is only so much we can do at this time.

comment:4 Changed 2 years ago by ikurua22

> the size of your screen/browser window would fairly clearly indicate you were on an Android device

If the user enables (default) JavaScript, right?
I turned off JS completely, so how would the attacker know I'm using mobile?

Ok, so

[X] Request Desktop Site

Please consider replacing this UA (Linux, #2) with the Windows TBB UA.

comment:5 in reply to:  4 Changed 2 years ago by cypherpunks

Replying to ikurua22:

> > the size of your screen/browser window would fairly clearly indicate you were on an Android device
>
> If the user enables (default) JavaScript, right?
> I turned off JS completely, so how would the attacker know I'm using mobile?

CSS, for one thing.

Using the same UA string as Tor Browser would not prevent distinguishing Orfox, IMO. There are so many more fingerprinting vectors.

comment:6 Changed 2 years ago by arma

Priority: Very High → Medium
Summary: Orfox is NOT ANONYMOUS - UserAgent different than other TBB → Orfox's UserAgent different than other TBB

comment:7 Changed 7 months ago by sysrqb

Component: Applications/Orbot → Applications/Tor Browser
Keywords: tbb-mobile added; Orfox removed
Status: assigned → new

Adjusting this because it is for Orfox, not Orbot.

I think aligning the "Desktop Site" UAS with TBD (Tor Browser for Desktop) seems reasonable; we should consider doing this.

comment:8 Changed 7 months ago by cypherpunks

Resolution: wontfix
Status: new → closed