[tbb-dev] The impossible fights on anti-fingerprinting

Arthur D. Edelstein arthuredelstein at gmail.com
Thu Oct 19 08:35:33 UTC 2017


Hi Tom,

> 1) User Agent
[snip]
> Spoofing the minor version is still valuable; but we're considering
> reporting the correct major version. What do you think?

I would be a little nervous about that. It seems like
feature-detecting Firefox major versions that change every 6 weeks
requires some sophistication, and revealing the true major version
sounds like handing unsophisticated attackers a freebie. What about
sending the true major version string to addons.mozilla.org as a
special case instead?

> 2) OS
>
> We report the OS as Windows on Mac and Linux.
[snip]
> So I'm wondering, are there other OS-level fingerprinting vectors that
> seem unsolvable that don't have tickets for them?

A big one that springs to mind is the font set. We whitelist different
system font sets for Windows, Mac, and Linux. That's because we wanted
to preserve the native look-and-feel for each platform.

> What do you think of
> reporting the correct OS (in FF at least), since it seems like we
> wouldn't be able to hide it anyway?

Yeah, I agree this is probably OK, because it's a small amount of
entropy and trivially easy to detect the platform anyway. It
definitely doesn't make sense to me to try to spoof a mobile browser
as desktop. Others may disagree though. :)

Arthur

