[tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 7 10:40:00 UTC 2018
#27495: Tor Browser 8.0 wrong user-agent
--------------------------------------+---------------------------
Reporter: temp123 | Owner: tbb-team
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution: duplicate
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+---------------------------
Comment (by H7gQsKnpvf3nB7NWYtdhtDyECtySfgyx):
A troll vandalized my comment with "We use Tor." so I'm going to replicate
my earlier comment with a different account:
Replying to [comment:2 arma]:
> (I hear from the tor browser devs that they are no longer trying to lie
about user agent, (a) because you can't actually convincing lie,
1) Not everyone does OS detection with JS, so the trackers who use the UA
only (i.e. without JS detection) are duped, 2) with JS disabled there's no
reliable way to tell exactly the OS (except some CSS bugs from now and
then),
> because there are so many other components that would have to change
too,
3) these elements can be changed too in the long term (search for a
keyword that sounds like tbb-fingerprinting-os or something). We can have
fantastic dreams, right?
> and (b) because when Android enters the scene, they won't want to get
served the non-mobile version of pages.
Mobile vs desktop distinction is justifiable, and it entails nothing for
the case we're dealing with here.
Replying to [comment:4 gk]:
> Not only is it more than confusing to get always a random .exe file
offered for download even though you are not on Windows but things like
Google apps were actually broken for macOS users (see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1405810)
This is kinda ironic considering that logging into your Google account to
use Google Docs with Tor is straight-up *impossible* unless one does the
SMS verification - or partial de-anonymization to put it in another
fashion (except for the folks who buy SMS boxes with Bitcoin). So we're
doing trading-off a situation that only a very limited number of Mac OS
(marketshare is low) *and* Tor users encounter for the global Tor populace
(the reports come from a standard Firefox for a reason)? This is even more
ironic considering the amount of voluntary breakage that Google makes on
its websites and services for the standard Firefox and Firefox Mobile, let
alone the Tor Browser (recent examples in mind: YouTube uses an old
standard not implemented in Firefox which leads to 5-10sec of delay on
Firefox vs Chrome, the Google search looked different for Firefox Mobile
vs Chrome Mobile and would change with a simple UA change to Chrome
Mobile's UA). In other words trading privacy for hostile Google's
usability shouldn't be even on our imagination.
(Another comment:) By the way this is a bad precedent from the great folks
over there at Mozilla, first party isolation breaks a lot of websites -
should we then whitelist it for those? Why should we treat first party
isolation and fingerprinting resistance differently?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27495#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list