[tor-bugs] #32256 [Applications/Tor Browser]: TorBrowser should advertise Onion Networking capability in the User-Agent: string

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 24 19:44:57 UTC 2019


#32256: TorBrowser should advertise Onion Networking capability in the User-Agent:
string
--------------------------------------+--------------------------
 Reporter:  alecmuffett               |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by arma):

 Thanks Alec.

 I had started a ticket along these lines too, so here is a motivational
 sentence that we might find useful here:

 """
 A growing number of websites offer onion service versions of their site,
 and a growing number of those are either offering alt-srv headers to Tor
 users (Facebook and Cloudflare) or auto redirecting Tor users (Privacy
 International) or detecting Tor users and changing their page content
 (archive.is)
 """

 All three of these categories of sites overlap in that they are trying to
 figure out whether people are using Tor, to serve them content
 differently. And false positives in their detection mechanisms are harmful
 to our / their users.

 (Originally I argued against auto redirection to onion services, on the
 theory that users should have the choice about what properties they get
 from their transport protocols. But, when sites auto redirect http to
 https, because they know better than their users what is good for them,
 I'm not sad. So why should I be uncomfortable when sites choose to upgrade
 their users from https to https+.onion? But, we don't actually need to
 answer this question here, because whether Tor Browser users should signal
 their capabilities is orthogonal to what we recommend sites should do with
 this information, UX wise.)

 I think the right way forward here is to write a Tor Browser proposal,
 with the pros and cons laid out, so we can make an informed decision:
 https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals

 One other angle to consider here is that we should prepare for a world
 where other browsers want to advertise onion capabilities too: there's
 Brave in the near term, and maybe Firefox and others coming too. So, (a)
 it would be cool to figure out how to blend with these other browsers, so
 we get safety in numbers in terms of normalizing Tor usage, rather than
 partitioning each browser population, and (b) we might want to think about
 a "versioning" scheme so that browsers are advertising their onion
 handling capabilities, not just a broad "I can do all the onions forever",
 so when we discover a bug in one of the browsers we can recover. I don't
 have any good intuition about how to do this versioning, but wanted to
 raise the idea early in case somebody else does.

 Oh, and a last note: I don't think Tor Browser even says it's trying to
 blend with other browsers at this point. The goal of Tor Browser is to
 make all the Tor Browser users have the same fingerprint (as each other).
 So changing it for all of them would be fine on that front.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32256#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list