Hi Tom,
> - User Agent
> [snip]
> Spoofing the minor version is still valuable; but we're considering reporting the correct major version. What do you think?

I would be a little nervous about that. It seems like feature-detecting Firefox major versions that change every 6 weeks requires some sophistication, and revealing the true major version sounds like handing unsophisticated attackers a freebie. What about sending the true major version string to addons.mozilla.org as a special case instead?

> - OS
> We report the OS as Windows on Mac and Linux.
> [snip]
> So I'm wondering, are there other OS-level fingerprinting vectors that seem unsolvable that don't have tickets for them?

A big one that springs to mind is the font set. We whitelist different system font sets for Windows, Mac, and Linux. That's because we wanted to preserve the native look-and-feel for each platform.

> What do you think of reporting the correct OS (in FF at least), since it seems like we wouldn't be able to hide it anyway?

Yeah, I agree this is probably OK, because it's a small amount of entropy and trivially easy to detect the platform anyway. It definitely doesn't make sense to me to try to spoof a mobile browser as desktop. Others may disagree though. :)
Arthur
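The two decisions discussed in the thread (spoof the major version except for addons.mozilla.org, and whether spoofing the OS in the User-Agent buys anything when the per-platform font whitelist already reveals the platform) can be checked quantitatively. The following is an added example, not code from the thread or from Tor Browser or Firefox: it models a constructed user population, applies a spoofing policy to produce what a site can observe (a simplified UA string plus the font set the page can probe), and computes the Shannon entropy of the resulting fingerprint. The population shares, the pinned version 52, the font-set labels and the UA shape are all assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed population: share of users per (platform, true major version).
# These numbers are invented for the example, not measured data.
POPULATION = {
    ("Windows", 60): 0.50,
    ("Windows", 59): 0.10,
    ("Mac", 60): 0.20,
    ("Mac", 59): 0.05,
    ("Linux", 60): 0.12,
    ("Linux", 59): 0.03,
}

# Stand-in for the per-platform font whitelist: a page that probes fonts
# effectively learns this label regardless of what the UA claims.
FONT_SET = {"Windows": "win-fonts", "Mac": "mac-fonts", "Linux": "linux-fonts"}

SPOOFED_MAJOR = 52          # assumed pinned major version reported to most sites
TRUE_MAJOR_HOSTS = {"addons.mozilla.org"}   # special case raised in the thread


def user_agent(platform, major, host="example.com",
               spoof_os=True, spoof_major=True):
    """Simplified UA string (assumed shape, not the real Firefox format)."""
    reported_os = "Windows" if spoof_os else platform
    if host in TRUE_MAJOR_HOSTS or not spoof_major:
        reported_major = major
    else:
        reported_major = SPOOFED_MAJOR
    return (f"Mozilla/5.0 ({reported_os}; rv:{reported_major}.0) "
            f"Gecko/20100101 Firefox/{reported_major}.0")


def observable_fingerprint(platform, major, spoof_os, spoof_major):
    """What an ordinary site can see: the UA plus the probeable font set."""
    ua = user_agent(platform, major, spoof_os=spoof_os, spoof_major=spoof_major)
    return (ua, FONT_SET[platform])


def entropy_bits(spoof_os, spoof_major):
    """Shannon entropy (bits) of the fingerprint over the constructed population."""
    buckets = Counter()
    for (platform, major), share in POPULATION.items():
        buckets[observable_fingerprint(platform, major, spoof_os, spoof_major)] += share
    return -sum(p * math.log2(p) for p in buckets.values() if p > 0)


def os_spoof_gain_bits():
    """Entropy removed by spoofing the OS in the UA while fonts still leak it."""
    return entropy_bits(spoof_os=False, spoof_major=True) - \
        entropy_bits(spoof_os=True, spoof_major=True)


def major_reveal_cost_bits():
    """Entropy added by reporting the true major version to every site."""
    return entropy_bits(spoof_os=False, spoof_major=False) - \
        entropy_bits(spoof_os=False, spoof_major=True)


if __name__ == "__main__":
    print("UA for addons.mozilla.org:", user_agent("Mac", 60, host="addons.mozilla.org"))
    print("UA for other sites:      ", user_agent("Mac", 60))
    print(f"bits saved by spoofing OS in UA: {os_spoof_gain_bits():.3f}")
    print(f"bits exposed by true major:       {major_reveal_cost_bits():.3f}")
```

With the constructed numbers, spoofing the OS in the UA saves zero bits, because the font-set partition already splits users by platform; that is the "trivially easy to detect the platform anyway" point in numeric form. Reporting the true major version to every site, by contrast, splits each platform bucket further and raises the fingerprint entropy, while the host special case keeps that information confined to addons.mozilla.org.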