Hello, not sure if this post is in the correct section, but like the title says, I was wondering if it’s okay to force Wayland with MOZ_ENABLE_WAYLAND=1, especially because Wayland on paper is more secure (I think). And checking on deviceinfo(dot)me, Tor Browser already butchers the user agent fingerprint so, it wouldn’t even stand out, would it? Normally with things like Tor Browser and TAILS you’re not really meant to tinker with stuff as the main priority is making the default settings as watertight as possible.
edit: typo on the wayland env var
Tor Browser already butchers the user agent fingerprint
Well, actually, it doesn’t. We’re not trying to hide that we’re Tor Browser. All Linux users are the same regards user agent. TB doesn’t hide the OS (you can’t in JS and we say so in navigator) - what we did, was return windows in the HTTP header for server logs - also think of less value in the data when running in Safest mode (no JS). But even then, without JS you can still (with extra perf costly work) get the OS
However, in TB14+ we no longer do this.
1 Like
Indeed Mozilla switched to Wayland by default, but we reverted to X11 by default.
The answer is: we don’t know yet.
Potentially Wayland vs. X11 might be fingerprintable, but we don’t know what to test to be sure about whether this is the case.
1 Like
Sites that return values are great, if they are correct (some sites have faulty tests including coveryourtracks). Interpreting them requires an in depth knowledge of fingerprinting and likely some knowledge of TB’s protection methods/patches. Just because you think the user agent is “butchered” doesn’t mean that’s the end game - whilst some metrics are “entangled” (e.g. fonts + canvas + colors etc can expose link colors, link underlining, fonts, font aliasing and graphics rendering etc) or share equivalency, each is a metric in it’s own right and affects your fingerprint.
IDK if wayland does, yet!
PS: Sites that return an entropy figure or declare you are unique or not - don’t trust those words. By all means trust the metrics, e.g. screen size, language, etc - just don’t trust any of the nonsense about entropy or uniqueness
2 Likes