[tor-bugs] #26146 [Applications/Tor Browser]: Setting `general.useragent.override` does not spoof the platform part anymore in ESR 60 which is confusing

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 12 17:11:53 UTC 2018


#26146: Setting `general.useragent.override` does not spoof the platform part
anymore in ESR 60 which is confusing
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff60-esr, tbb-fingerprinting-os,     |  Actual Points:
  tbb-8.0-issues                                 |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by tom):

 Replying to [comment:37 fufufu]:
 > As a Tor Browser user highly concerned with this change, I have two
 > questions based on the dialogue I'm seeing on the comments section of the
 > Tor blog about this subject:
 >
 > 1. The biggest reason this change seems to be promoted by some
 > (particularly gk) as "not a big deal anyway", even in the context of
 > disabled Javascript where potential OS detection methods are minimized, is
 > because your OS can apparently be detected anyway by what fonts you have
 > (as Tor Browser ships with different fonts depending on the version it
 > seems). My question is how the server communicates this information back
 > to itself after detection without using Javascript. I can find no website,
 > browser uniqueness analyzer, fingerprint analyzer, anonymity analyzer,
 > Panopticlick-style test, etc. that can actually detect anything about my
 > fonts with Javascript disabled in Tor Browser. I can only find a small
 > reference in Whonix documentation to detecting fonts via "CSS
 > introspection". Can gk or somebody else provide more information about how
 > this works?

 Anything that triggers a conditional load based on the size of other
 objects could be used to communicate it back. But it's more work and not
 as fun to program so I'm not surprised it's not common in POCs.

 A CSS trick to do this would be something like
 https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
 but I bet you can do the same in canvas and in SVG.

 Besides fonts, another JS-free way to detect platform could be media
 support/streaming. But yeah, without using JS it definitely gets tougher.
 (There are a lot more network-level tricks that Tor is immune to but
 affect Firefox.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26146#comment:40>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
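
A defender-side sketch of the mechanism described in the comment above, added as an example and not part of the original message or of Tor Browser: it audits a stylesheet for resource loads that happen only when a media query matches, which is how a size measurement can reach a server without JavaScript. The helper name `conditional_loads`, the sample stylesheet and its URLs are constructed for illustration.

```python
import re

# Constructed sample stylesheet: paths and sizes are made up for the example.
SAMPLE_CSS = """
body { background: url(/img/bg.png); }
@media (min-width: 1000px) and (max-width: 1009px) {
  #probe { background-image: url("/px?w=1000"); }
}
@media (min-height: 600px) {
  @media (max-height: 609px) { .p { content: url(/px?h=600) } }
}
"""

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)

def conditional_loads(css):
    """Hypothetical helper: list (media condition, url) for every url()
    that is fetched only when its enclosing @media condition matches."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)  # strip comments
    findings = []
    stack = []   # one entry per open '{': a media condition, or None
    start = 0    # start of the prelude/declaration being read
    for i, ch in enumerate(css):
        if ch == "{":
            m = re.match(r"@media\b(.*)", css[start:i].strip(), re.I | re.S)
            stack.append(" ".join(m.group(1).split()) if m else None)
            start = i + 1
        elif ch in ";}":
            conds = [c for c in stack if c]
            if conds:  # a declaration inside at least one @media block
                for url in URL_RE.findall(css[start:i]):
                    findings.append((" and ".join(conds), url))
            if ch == "}" and stack:
                stack.pop()
            start = i + 1
    return findings

if __name__ == "__main__":
    for cond, url in conditional_loads(SAMPLE_CSS):
        print(f"load of {url} reveals that {cond} matched")
```

Each reported URL is requested only by clients whose window falls in the stated range, so the request itself carries the measurement.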

