Hi everyone,
This might be related to the “change JS version to Windows” conversation. I was under the impression that the browser was pretending to run on Windows, as for years it seemed like the websites I visited with the Tor Browser assumed just that despite it not being correct.
Three days ago I received a warning from Google that I was logging in from a new Linux device, while two weeks ago they assumed I was using Windows. What happened in the meantime? The version I am now using is 14.0.1, the security level is low and should always have been low when logging in with Google.
Thank you for the link, please correct me if I understand this wrong.
Past behaviour:
HTTP header hides OS, Navigator.userAgent provides OS
New behaviour:
HTTP header and Navigator.userAgent provide OS
Conclusion:
privacy.resistFingerprinting.spoofOsInUserAgentHeader = false
is the new default
(This conclusion seems contrary to the statement ‘disabling spoofing is available to users on an opt-in basis’.)
When you say the JS and HTTP header are still being spoofed, does that mean that now all TBs report running on Linux? Or does that mean that somehow reporting the true OS family is giving less information about the OS than possible?
JS: navigator has a bunch of properties, one of which is navigator.userAgent; there is also navigator.oscpu, navigator.appVersion, navigator.platform and so on.
JS: for each OS we only want to return one set of values (userAgent, platform, oscpu, appVersion) - so e.g. Windows 7, 8, 8.1, 10, 11 - 32bit or 64bit OS or browser build - are all identical
so we have four protected/spoofed results in JS
HTTP:
we would return only two of the four protected spoofed results
either the Android one for mobile, or the Windows one for desktop
this would make Linux and Mac break the spec, cause some issues, and be used against us
Now
we return one of the four protected/spoofed values in both
this removed any compat/weird issues and removes a point of difference that is used to punish Tor Browser users
So to recap: we have always protected the userAgent in both JS/headers. We used to return 4 lots in JS and 2 in headers. Now we return 4 in both - but they are still protected.
To repeat what I said in my first reply (bolding added) - that article was written back in 14.0a4 and I didn’t write it - never agreed with a pref to begin with. It will be ripped out now they have seen the light (that I shine).
Don’t go changing any prefs in about:config - the pref mentioned is temporary as the change was implemented - it will be removed.
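The difference between the old and new behaviour described in this thread can be checked by comparing the OS family claimed by the four `navigator` properties with the one in the `User-Agent` request header. The following is an added example, not part of the thread and not Tor Browser code; the function names and all sample strings are constructed for illustration (`X.0` stands in for the real version).

```javascript
// Order matters: an Android userAgent may sit beside a "Linux ..." platform value.
const FAMILIES = [
  ["android", /android/i],
  ["windows", /windows|win32|win64/i],
  ["mac", /macintosh|mac os|macintel/i],
  ["linux", /linux|x11/i],
];

// Map one reported string to an OS family, or null when the property is absent.
function osFamily(value) {
  if (typeof value !== "string" || value === "") return null;
  for (const [name, re] of FAMILIES) if (re.test(value)) return name;
  return "unknown";
}

// nav: object with navigator-like properties; headerUA: the User-Agent header as sent.
function compareUserAgentSignals(nav, headerUA) {
  const js = {};
  for (const prop of ["userAgent", "platform", "oscpu", "appVersion"]) {
    js[prop] = osFamily(nav[prop]);
  }
  const jsFamily = js.userAgent;
  const header = osFamily(headerUA);
  // Android builds report a Linux platform/oscpu, so that pairing is accepted.
  const jsConsistent = Object.values(js).every(
    (f) => f === null || f === jsFamily || (jsFamily === "android" && f === "linux")
  );
  return { js, header, jsConsistent, headerMatchesJs: header === jsFamily };
}

// Constructed sample values for a Linux desktop.
const linuxNav = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:X.0) Gecko/20100101 Firefox/X.0",
  platform: "Linux x86_64",
  oscpu: "Linux x86_64",
  appVersion: "5.0 (X11)",
};
const windowsHeader = "Mozilla/5.0 (Windows NT 10.0; rv:X.0) Gecko/20100101 Firefox/X.0";

// Old behaviour: the header claims Windows while JS reports Linux.
const oldResult = compareUserAgentSignals(linuxNav, windowsHeader);
// New behaviour: the header carries the same spoofed value as JS.
const newResult = compareUserAgentSignals(linuxNav, linuxNav.userAgent);
console.log({ oldResult, newResult });
```

In a browser console, `compareUserAgentSignals(navigator, "<header value seen by the server>")` runs the same comparison against the live values.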