Opened 6 months ago

Closed 6 months ago

#30135 closed enhancement (wontfix)

Make all TBB users not stand out from each other

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Minor Keywords: TBB Useragent FireFox Mobile os tbb-fingerprint-os fingerprint
Cc: cypherpunks Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

  1. Useragent MUST be same for every platform, no OS differences.
  2. Useragent MUST NOT leak version of TB, use same for any version. Let non-updated version also use a newer Useragent string without upgrade. To not stand out from already updated users. For not making attractive for version targeted exploits. By simply not reporting it but mask it.
  3. Useragent SHOULD look more common to regular FireFox. Avoid block ability by fingerprint. Make access logs not stand out as TB user.

?. For 1. the Useragent MAY differ only reason is on Mobile platform for Ability of telling website mobile version is proffered delivered... or is there a better way to receive websites mobile version?
May implement Useragent overriding string. Whatever OS or version they actually use. May fetching by startup from http://rqef5a5mebgq46y5.onion/ to make sure all users use the same. Independed of any other case.
All requests coming out of Exit or going to HS should look as could be from same person. Not differentiation by OS of user. For example, Bad guard or watched guard nodes could look in TCP fingerprinting OS in entry connection and match it with Service/exit used in useragent. making to find a needle in a haystack to a more little haystack actually.

Current situation: For what reason hs needs to know os? Not!

Child Tickets

Change History (1)

comment:1 Changed 6 months ago by gk

Resolution: wontfix
Status: newclosed

We won't ship the same User Agent for any Tor Browser version possible. We'll adapt it from major to major Firefox versions. There are no plans either to allow user agent overriding. That's not implemented in Firefox (anymore) and does not serve any fingerprinting protection. If you have a bad guard that is able to control the exit you are using as well, you have essentially lost. There is no need to play tricks with TCP fingerprinting and User Agent matching.

Thus, I think this ticket is essentially a wontfix.

Note: See TracTickets for help on using tickets.