Some tests show that only JavaScript shows which OS you are using; can someone change its version to Windows or Linux? Is that enough for Tor Browser not to leak the OS type to the website?
Tor Browser does not hide the OS in JavaScript (i.e. Windows / Linux / Android / Mac) as this is impossible. It only controls some parts of the userAgent (e.g. navigator or HTTP headers) per OS to make them all the same per OS - e.g. Android is always version 10, etc.
I disagree. Stick to the vanilla standard. Anyone remember web sites which stated “This site is better viewed with Internet Explorer”? Three of those companies mentioned are proprietary and of course want to make their stuff the norm in order to advantage them.
This is factually incorrect. The Tor browser may not choose to do this, but it is not impossible. Each browser implements its own JavaScript interpreter and is quite capable of returning anything it wants for the user agent OS string.
The userAgent string is not the only metric that indicates OS. Once again, it is impossible to hide the OS (and for no gain, it just creates compat issues).
For example: in your infinite wisdom, tell me how you would hide/normalize screen and window resolutions on Android vs desktop where Android 1) is likely to be portrait, 2) has no letterboxing and 3) is much smaller. Can your code overcome physical device constraints? (Don’t answer, it’s rhetorical.)
There’s dozens more examples.
In my post I didn’t say it was. I said it was factually incorrect to assert that you can’t hide the OS in the user agent string in JavaScript.
But I will point out that is also factually incorrect. Because there are other potential mechanisms where the underlying OS can be inferred, it doesn’t mean we have to hand it to the adversary on a platter. Making everything low hanging fruit because there are other possible/maybe/potential higher hanging fruit that might also work makes no sense on its face.
There are vanishingly few compatibility shims web-server side where it needs to know your OS for something to work. If you think there are significant ones, then please show your work.
I have a four portrait monitor setup for my workstation.
The devs, who don’t implement OS obfuscation in JavaScript user agent strings, also chose not to implement letterboxing on Android, so that means don’t give the user the capability to change the user agent’s OS? Does this seem particularly circular to you?
Irrelevant.
See low-hanging fruit above for why they are irrelevant.
Eventually as we remove the low hanging fruit, we start with the medium-hanging fruit. And then the high hanging fruit. Until there is no more fruitiness in the browser fingerprint at all. Until it’s plain oatmeal.
By creating separate sessions for user and remote and sandboxing the JavaScript engine.
And I never said you couldn’t alter this string. I said you couldn’t hide the OS (from JavaScript), which you said was false. Please learn to read. Once again, this time with feeling … you can’t hide your OS (you can even detect it using passive fingerprinting techniques such as CSS).
Even if you could hide the OS (with massive issues) there really isn’t any gain.
All you do is waste time and resources: 1) massive amounts of engineering and maintenance and upkeep and testing 2) size costs such as bundling extra fonts including large ones like CJK and APK sizes 4) lots of compat issues 5) licensing issues to close some metrics 6) and more - and it would take a long time to get anywhere near this, and then someone will point out how easy it is to bypass this and then you look like an idiot.
I should know, this is the field I work in - you are literally talking nonsense.