With javascript enabled, websites can know If you use linux or windows. In my opinion, this is more information than a website should have.
As a linux user, I visited panopticlick.eff.org and did the browser fingerprint test. The results revealed my platform to be "Linux x86_64".
Is there a way that Tor devs can make Tor browser spoof this value to be the same for all users or random, regardless of OS?
-Joel
On Sat, Sep 26, 2020 at 11:31:46AM -0700, joel04g_t535e@secmail.pro wrote:
With javascript enabled, websites can know If you use linux or windows. In my opinion, this is more information than a website should have.
As a linux user, I visited panopticlick.eff.org and did the browser fingerprint test. The results revealed my platform to be "Linux x86_64".
Is there a way that Tor devs can make Tor browser spoof this value to be the same for all users or random, regardless of OS?
No, not easily. There is the semi-easy OS leak in the web API where Tor Browser provides the correct OS in |navigator.useragent| (see [0] for that reasoning, and [1] for a tracking bug). However there exist additional leaks [2][3][4] where the OS could be identified even if we plugged the easy one. There are likely more, as well. This should not be interpretted as an unwillingness to plug all the holes, but the rabbit hole goes very deep and our time is very limited.
[0] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26146 [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28290 [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18097 [3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29563 [4] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13018
On 29.09.2020 17:23, Matthew Finkel wrote:
On Sat, Sep 26, 2020 at 11:31:46AM -0700, joel04g_t535e@secmail.pro wrote:
With javascript enabled, websites can know If you use linux or windows. In my opinion, this is more information than a website should have.
As a linux user, I visited panopticlick.eff.org and did the browser fingerprint test. The results revealed my platform to be "Linux x86_64".
Is there a way that Tor devs can make Tor browser spoof this value to be the same for all users or random, regardless of OS?
No, not easily. There is the semi-easy OS leak in the web API where Tor Browser provides the correct OS in |navigator.useragent|.
So addons that change the user agent should be enough, right? Or if not that, why would setting the about:config value devtools.responsive.userAgent not be sufficient?
On Wed, Sep 30, 2020 at 04:01:54PM +0200, Anton Luka Šijanec wrote:
On 29.09.2020 17:23, Matthew Finkel wrote:
On Sat, Sep 26, 2020 at 11:31:46AM -0700, joel04g_t535e@secmail.pro wrote:
With javascript enabled, websites can know If you use linux or windows. In my opinion, this is more information than a website should have.
As a linux user, I visited panopticlick.eff.org and did the browser fingerprint test. The results revealed my platform to be "Linux x86_64".
Is there a way that Tor devs can make Tor browser spoof this value to be the same for all users or random, regardless of OS?
No, not easily. There is the semi-easy OS leak in the web API where Tor Browser provides the correct OS in |navigator.useragent|.
So addons that change the user agent should be enough, right? Or if not that, why would setting the about:config value devtools.responsive.userAgent not be sufficient?
Yes, using an addon should be sufficient if you want to plug this specific leak, but this breaks some web sites. If you are okay with that breakage, then go for it. As for the |devtools.responsive.userAgent| pref, I assume you'll need to load every page with devtools opened (but I haven't confirmed that).
-
Anton Luka Šijanec -
joel04g_t535e@secmail.pro -
Matthew Finkel