[tor-dev] changes in user-agent spoofing in the Tor Browser 14.0 series

Morgan morgan at torproject.org
Mon Sep 9 19:08:45 UTC 2024


tldr;

We're planning on disabling HTTP-header user agent spoofing on the basis 
that it (in our analysis) does little if any good while causing breakage 
on the internet when the JS and HTTP user agents do not match. However, 
if there is something critical we're missing here, we'd certainly love 
to hear. In the meantime it seems like an easy win for some improved 
usability.

best,
-morgan

Excerpt from 14.0a4's blog post follows:

> User Agent Spoofing Changes
> 
> Historically, Tor Browser has spoofed the browser user agent found in HTTP headers, while not spoofing the user agent returned by the Navigator.userAgent property in JavaScript. The logic behind the HTTP header spoofing was to prevent passive tracking of users' operating system by websites (when using the 'Safest' security level) and by malicious exit nodes (or their upstream routers) passively listening in on unencrypted HTTP traffic. We left the JavaScript query intact for the purposes of website compatibility and usability. We also left it enabled because there are already many ways of detecting a user's real operating system when JavaScript is enabled (e.g. via font enumeration).
> 
> With Tor Browser 14.0a4, we have introduced the boolean preference privacy.resistFingerprinting.spoofOsInUserAgentHeader. When this pref is set to true (which is currently the default), Tor Browser will follow the previously described legacy behaviour. However, if you set this preference (accessible in about:config) to false, Tor Browser will never spoof the user agent and will report your operating system family (i.e. Windows, macOS, Linux, or Android) when requested. We are considering changing Tor Browser to make this the new default behaviour.
> 
> So, why are we considering making this change? Basically, asymmetrically spoofing the user agent causes website breakage seemingly due to bot-detection scripts. And (in our analysis) it also provides only a negligible amount of benefit to the user in terms of additional linkability (i.e. cross-site tracking, fingerprinting) protections, and only then when JavaScript is disabled. Tor Browser's default HTTPS-Only mode (and much of the web having moved to HTTPS) has also significantly reduced the utility of passively sniffing HTTP traffic for user agents as well.
> 
> We would be very curious to hear from users and domain experts as to whether user agent spoofing is providing any other privacy benefits. In the meantime, disabling spoofing is available to users on an opt-in basis. For more information and to join the conversation, please see the Gitlab ticket tor-browser#42467.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x4B60306A5EA28FAE.asc
Type: application/pgp-keys
Size: 8599 bytes
Desc: OpenPGP public key
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20240909/32d16c81/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20240909/32d16c81/attachment.sig>


More information about the tor-dev mailing list