[tbb-dev] Tor browser fingerprint with javascript enabled problem

Matthew Finkel sysrqb at torproject.org
Tue Sep 29 15:23:32 UTC 2020


On Sat, Sep 26, 2020 at 11:31:46AM -0700, joel04g_t535e at secmail.pro wrote:
> 
> With javascript enabled, websites can know if you use linux or windows. In
> my opinion, this is more information than a website should have.
> 
> As a linux user, I visited panopticlick.eff.org and did the browser
> fingerprint test. The results revealed my platform to be "Linux x86_64".
> 
> Is there a way that Tor devs can make Tor browser spoof this value to be
> the same for all users or random, regardless of OS?

No, not easily. There is the semi-easy OS leak in the web API where Tor
Browser provides the correct OS in |navigator.useragent| (see [0] for
that reasoning, and [1] for a tracking bug). However there exist
additional leaks [2][3][4] where the OS could be identified even if we
plugged the easy one. There are likely more, as well. This should not be
interpreted as an unwillingness to plug all the holes, but the rabbit
hole goes very deep and our time is very limited.

[0] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26146
[1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/28290
[2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18097
[3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29563
[4] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13018

