Despite updating general.useragent.override to match ESR 60 (done according to comment:16:ticket:25543), the platform part is not spoofed to Windows on my Linux box.
So, we probably should not set general.useragent.override at all anymore and just rely on the settings we get with privacy.resistFingerprinting? Because if we explicitly set it to the Windows UA but then don't get that, this is weird.
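A regression check for the behaviour reported above, as an added example that is not part of the original ticket or of Tor Browser's code: it splits each user agent into platform, rv and product parts and reports which part deviates from the Windows value quoted in this thread. The function names and the Linux and macOS sample strings are constructed for illustration.

```javascript
// Added example. EXPECTED_UA is the value quoted in this ticket; the other
// sample strings are constructed, not captured from real browsers.
const EXPECTED_UA =
  "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0";

// Split a Firefox-style UA into its platform part (the parenthesised comment
// without the "rv:" token), the rv token, and the trailing product tokens.
function parseFirefoxUA(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) (Gecko\/\d+ Firefox\/[\d.]+)$/.exec(ua);
  if (!m) return null; // not a Firefox-shaped UA at all
  const fields = m[1].split(";").map((s) => s.trim());
  const rv = fields.find((f) => f.startsWith("rv:")) || null;
  const platform = fields.filter((f) => !f.startsWith("rv:")).join("; ");
  return { platform, rv, product: m[2] };
}

// Compare every observed UA with the expected one, part by part.
function findUALeaks(observations, expectedUA = EXPECTED_UA) {
  const want = parseFirefoxUA(expectedUA);
  const leaks = [];
  for (const { host, ua } of observations) {
    const got = parseFirefoxUA(ua);
    if (!got) {
      leaks.push({ host, part: "format", value: ua });
      continue;
    }
    for (const part of ["platform", "rv", "product"]) {
      if (got[part] !== want[part]) leaks.push({ host, part, value: got[part] });
    }
  }
  return leaks;
}

// Number of distinct UA strings seen; 1 means the header reveals no OS.
function distinctUAs(observations) {
  return new Set(observations.map((o) => o.ua)).size;
}

// Constructed observations: one per host OS running the same browser build.
const SAMPLE = [
  { host: "windows", ua: EXPECTED_UA },
  { host: "linux",
    ua: "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" },
  { host: "macos",
    ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0" },
];

console.log(findUALeaks(SAMPLE), distinctUAs(SAMPLE));
```

In a browser console the same check can be run on the live value with `findUALeaks([{ host: "this browser", ua: navigator.userAgent }])`.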
This is also bad for anonymity. With Tor Browser 8.0a9 the results on panopticlick.eff.org look as expected, except for "Platform" and "User Agent" which reveal the OS (Linux in my case).
The platform/OS on which Tor Browser is running can be detected in multiple ways; spoofing the user agent is simply low-hanging fruit for obscuring it. The usefulness of this is debatable, but we should minimize the differences between platforms when it is possible.
I understand. Ideally the user agent should be the same for all platforms, but I see that the platform can be identified at least via the fonts at the moment.
Not everyone does OS detection through installed fonts, though everyone collects user agents. Also, with JS disabled, OS detection is MUCH harder. Giving away free entropy like that is intolerable.
Expecting
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
If Firefox with RFP or Tor Browser used this format it would not match Firefox's (non-RFP) format and would be easily identifiable.
Don't mix FF w/RFP with TBB! RTFM of TBB ;)
Actually, Mozilla/5.0 (Unknown; rv:60.0) Gecko/20100101 Firefox/60.0 is everything TBB should expose until we can delete it altogether.
By the way, let's smash this type of thinking once and for all: "X can be found using Y anyway in Z circumstances, so let's expose X directly". OK, Tor Browser can be identified using exit IP, fingerprint and other stuff, so let's expose that information directly; how about Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 TorBrowser/8.0 as UA?
This is unacceptable.
I can't stress this enough: as I said in the blog comments, the original Mozilla Bugzilla report makes no sense, since with a proxy (such as Tor) network OS fingerprinting is moot, so why fall for it? And it's such a letdown to see great privacy people on the Mozilla side (that I won't mention out of respect) fall for such a cheap trap. (PS: As mentioned earlier, the argument ("X can be found using Y anyway in Z circumstances, so let's expose X directly") itself is false.)
Anyone willing to make a follow-up Bugzilla report to get this fixed on the Mozilla side as well?
(I am not the previous cyberpunks. I am just using the public account to comment.)
Does the 'perfect is the enemy of good' argument apply here?
Surely, there are many fingerprinting tactics available if you look hard enough, since most web technologies are not designed with privacy in mind. (I would even argue that it is exactly the opposite.) However, this doesn't mean we should give away identifying information ourselves! I consider this a regression.
By the way, #27520 (moved) is a possible duplicate of this.