Hello, not sure if this post is in the correct section, but like the title says, I was wondering if it’s okay to force Wayland with MOZ_ENABLE_WAYLAND=1, especially because Wayland on paper is more secure (I think). And checking on deviceinfo(dot)me, Tor Browser already butchers the user agent fingerprint so, it wouldn’t even stand out, would it? Normally with things like Tor Browser and TAILS you’re not really meant to tinker with stuff as the main priority is making the default settings as watertight as possible.
edit: typo on the wayland env var
1 Like
Tor Browser already butchers the user agent fingerprint
Well, actually, it doesn’t. We’re not trying to hide that we’re Tor Browser. All Linux users are the same regards user agent. TB doesn’t hide the OS (you can’t in JS and we say so in navigator) - what we did, was return windows in the HTTP header for server logs - also think of less value in the data when running in Safest mode (no JS). But even then, without JS you can still (with extra perf costly work) get the OS
However, in TB14+ we no longer do this.
1 Like
Indeed Mozilla switched to Wayland by default, but we reverted to X11 by default.
The answer is: we don’t know yet.
Potentially Wayland vs. X11 might be fingerprintable, but we don’t know what to test to be sure about whether this is the case.
1 Like
Sites that return values are great, if they are correct (some sites have faulty tests including coveryourtracks). Interpreting them requires an in depth knowledge of fingerprinting and likely some knowledge of TB’s protection methods/patches. Just because you think the user agent is “butchered” doesn’t mean that’s the end game - whilst some metrics are “entangled” (e.g. fonts + canvas + colors etc can expose link colors, link underlining, fonts, font aliasing and graphics rendering etc) or share equivalency, each is a metric in it’s own right and affects your fingerprint.
IDK if wayland does, yet!
PS: Sites that return an entropy figure or declare you are unique or not - don’t trust those words. By all means trust the metrics, e.g. screen size, language, etc - just don’t trust any of the nonsense about entropy or uniqueness
3 Likes
Asking here a year later, has there been any progress on determining if switching to Wayland risks creating a unique fingerprint? I’m using the Tor Browser Launcher (installed using APT as recommended) on Ubuntu and the Tor Browser defaults to (Xwayland) X11, which is known to be a serious security issue.
I recently checked and Tails is running the Tor Browser in Wayland (maybe ever since the 5.8 release in December 2022?) but I’m not sure if that means it’s a good idea for everyone else to switch since I heard the Tails Tor Browser may have its own distinct fingerprint due to Tails’ customization, such as installing uBlock Origin.
Asking here a year later
wayland vs X11 alters your fingerprint if a script looks hard enough - I won’t say exactly how - it’s not a case of some PoC determining a binary outcome, it will manifest in existing known FP methods
1 Like