[tor-bugs] #32256 [Applications/Tor Browser]: TorBrowser should advertise Onion Networking capability in the User-Agent: string
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 24 19:44:57 UTC 2019
#32256: TorBrowser should advertise Onion Networking capability in the User-Agent:
string
--------------------------------------+--------------------------
Reporter: alecmuffett | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by arma):
Thanks Alec.
I had started a ticket along these lines too, so here is a motivational
sentence that we might find useful here:
"""
A growing number of websites offer onion service versions of their site,
and a growing number of those are either offering alt-srv headers to Tor
users (Facebook and Cloudflare) or auto redirecting Tor users (Privacy
International) or detecting Tor users and changing their page content
(archive.is)
"""
All three of these categories of sites overlap in that they are trying to
figure out whether people are using Tor, to serve them content
differently. And false positives in their detection mechanisms are harmful
to our / their users.
(Originally I argued against auto redirection to onion services, on the
theory that users should have the choice about what properties they get
from their transport protocols. But, when sites auto redirect http to
https, because they know better than their users what is good for them,
I'm not sad. So why should I be uncomfortable when sites choose to upgrade
their users from https to https+.onion? But, we don't actually need to
answer this question here, because whether Tor Browser users should signal
their capabilities is orthogonal to what we recommend sites should do with
this information, UX wise.)
I think the right way forward here is to write a Tor Browser proposal,
with the pros and cons laid out, so we can make an informed decision:
https://gitweb.torproject.org/tor-browser-spec.git/tree/proposals
One other angle to consider here is that we should prepare for a world
where other browsers want to advertise onion capabilities too: there's
Brave in the near term, and maybe Firefox and others coming too. So, (a)
it would be cool to figure out how to blend with these other browsers, so
we get safety in numbers in terms of normalizing Tor usage, rather than
partitioning each browser population, and (b) we might want to think about
a "versioning" scheme so that browsers are advertising their onion
handling capabilities, not just a broad "I can do all the onions forever",
so when we discover a bug in one of the browsers we can recover. I don't
have any good intuition about how to do this versioning, but wanted to
raise the idea early in case somebody else does.
Oh, and a last note: I don't think Tor Browser even says it's trying to
blend with other browsers at this point. The goal of Tor Browser is to
make all the Tor Browser users have the same fingerprint (as each other).
So changing it for all of them would be fine on that front.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32256#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list