[tbb-dev] The impossible fights on anti-fingerprinting

Arthur D. Edelstein arthuredelstein at gmail.com
Thu Oct 19 08:35:33 UTC 2017

Hi Tom,

> 1) User Agent
> Spoofing the minor version is still valuable; but we're considering
> reporting the correct major version. What do you think?

I would be a little nervous about that. It seems like
feature-detecting Firefox major versions that change every 6 weeks
requires some sophistication, and revealing the true major version
sounds like handing unsophisticated attackers a freebie. What about
sending the true major version string to addons.mozilla.org as a
special case instead?

> 2) OS
> We report the OS as Windows on Mac and Linux.
> So I'm wondering, are there other OS-level fingerprinting vectors that
> seem unsolvable that don't have tickets for them?

A big one that springs to mind is the font set. We whitelist different
system font sets for Window, Mac, and Linux. That's because we wanted
to preserve the native look-and-feel for each platform.

> What do you think of
> reporting the correct OS (in FF at least), since it seems like we
> wouldn't be able to hide it anyway?

Yeah, I agree this is probably OK, because it's a small amount of
entropy and trivially easy to detect the platform anyway. It
definitely doesn't make sense to me to try to spoof a mobile browser
as desktop. Others may disagree though. :)


More information about the tbb-dev mailing list