[tbb-dev] Orfox User Agent

[Georg Koppen]

[moving this part to tbb-dev, and CCing Nathan as I am not sure if he is
subscribed to this list]

"Orfox does not currently include the mobile versions of HTTPS
Everywhere, No Script and the Tor Browser Button, but these we will be
added shortly, now that we have discovered how to properly support
automatic installation of extensions on Android
(https://dev.guardianproject.info/issues/5360)
Orfox includes a “Request Mobile Site” option that allows you to change
the user-agent from the standard Tor Browser agent to a modified Android
specific one: “Mozilla/5.0 (Android; Mobile; rv:31.0) Gecko/20100101
Firefox/31.0″. (https://dev.guardianproject.info/issues/5404). This is
useful for being able to see the mobile version of a website, but does
reduce the amount your browser blends in with other browsers."

We had this User Agent discussion briefly during our last meeting on
Monday and I thought it might be quite appropriate to discuss this
design decision in more detail.

I think using the Tor Browser User Agent by default costs Orfox more
than it helps at the moment and think it should get switched to the
mobile one instead.

The major cost here is usability and the gain is questionable at the
moment as

1) it is possible to detect Orfox as it does not ship the same
extensions as Tor Browser
2) it is probably possible to detect Orfox as it is running on Android
and there are platform based differences we don't tackle yet (for some
we have on our radar see:

https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting-os

3) there are APIs only on Android available (see: e.g.
https://bugs.torproject.org/10286 to name just one) which aids in making
a distinction between desktop and mobile browser

4) even if APIs are available both on Desktop and Android they might
provide results showing clearly that a user is running Orfox (think for
instance about the faking of screen dimensions and the result on some
displays with a lower resolution)

While it might help against getting identified in some server logs I
think a better strategy might be to push the usability of Orfox as hard
as possible in order to get users not annoyed by weird wbesite
rendering. This has two advantages:

1) You get more users that could help you shaking out bugs

due to 1) you get

2) A larger set of people being in the Orfox group somewhat mitigating
the different user agent

It might be reasonable to somehow move to a Tor Browser user agent later
on or have this as an explicit design goal but first the above points
should be fixed or we should have at least a clear understanding on how
hard it actually is singling the Orfox group out.

Georg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20150703/ff862256/attachment.sig>