Closed Bug 1404608 Opened 2 years ago Closed 2 years ago

Do not lie about Operating System when privacy.resistFingerprinting is true

Categories

(Core :: DOM: Security, defect, P3)

57 Branch
All
Android
defect

Tracking

()

RESOLVED FIXED
mozilla59
Tracking Status
firefox59 --- fixed

People

(Reporter: crunchying, Assigned: timhuang)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog3][fingerprinting-breakage])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.1.1 Safari/603.2.4

Steps to reproduce:

set `privacy.resistFingerprinting' to True


Actual results:

pages loading are now for desktop because the user agent is for Windows


Expected results:

I know the specific user agent is chosen because it is very common, but would it be possible to choose another, very common user agent on mobile so that it doesn't load desktop pages?
We'd have to include Android-specific #ifdefs in the nsRFPService (https://dxr.mozilla.org/mozilla-central/search?q=path%3AnsRFPService).

Given that Firefox on Android is unfortunately quite a bit more exotic than on Desktop, I'm not sure whether we want to continue using a generic Firefox UA, or pretend to be some completely other browser altogether (presumably Chrome for maximum anonymity)? Although if you're really paranoid about this, spoofing a Chrome UA presumably won't help either, because there are  probably enough other ways of detecting that your browser isn't in fact Chrome even if your UA claims it is, so it might be safer after all to just use a generic mobile Firefox UA.

In any case this is something the Anti-Fingerprinting team should decide, so leaving this to them.
Status: UNCONFIRMED → NEW
Component: General → DOM: Security
Ever confirmed: true
OS: Unspecified → Android
Product: Firefox for Android → Core
Hardware: Unspecified → All
Version: Firefox 57 → 57 Branch
(In reply to Jan Henning [:JanH] from comment #1)
> We'd have to include Android-specific #ifdefs in the nsRFPService
> (https://dxr.mozilla.org/mozilla-central/search?q=path%3AnsRFPService).

We might have to do this.

I expect the fingerprinting issues and defenses will be different between mobile and desktop.
Maybe we could refer to how does Orfox (Tor Browser for Android) do in ths case.

However, we as the anti-fingerprinting team, have not really dived into the mobile area yet.
Before we start to research on it, should we disallow any chance for the users to enable
anti-fingerprinting for now?
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [domsecurity-backlog3]
Duplicate of this bug: 1409001
See Also: → 1396468
Whiteboard: [domsecurity-backlog3] → [domsecurity-backlog3][fingerprinting-breakage]
I'm generalizing this bug. Bug 1409269 reminded us that trying to spoof the OS is really hard. See https://lists.torproject.org/pipermail/tbb-dev/2017-October/000642.html for some discussion here.

Bug 1409269 showed that in the FF case, we are pretty much always going to reveal the OS if Tor is not used (even if all the other vectors were solved), so we decided we should stop lying about the OS and switch to using four OSes: Windows, Mac, Android, and Linux. (And if you're not one of the first three, you're Linux. So *BSDs and the like will probably be fingerprintable as not-Linux.)

Resolving this should fix Bug 1405810 also.
Summary: resist fingerprinting gives desktop pages on mobile → Do not lie about Operating System when privacy.resistFingerprinting is true
Assignee: nobody → tihuang
Comment on attachment 8940961 [details]
Bug 1404608 - Reveal the real operating system when fingerprinting resistance is enabled.

https://reviewboard.mozilla.org/r/211236/#review217090

::: toolkit/components/resistfingerprinting/nsRFPService.h:37
(Diff revision 1)
> +#define SPOOFED_UA_OS      "X11; Linux x86_64"
> +#define SPOOFED_APPVERSION "5.0 (X11)"
> +#define SPOOFED_OSCPU      "Linux x86_64"
> +#define SPOOFED_PLATFORM   "Linux x86_64"
> +#else
> +// We still use windows user-agent for unknown platforms.

Couldn't you just drop #ifdef XP_WIN part and start from #if defined(XP_MACOSX)
Then we'd fallback to the Windows. Less duplication. Add a comment that it is the default.
Attachment #8940961 - Flags: review?(bugs) → review+
I think it would be best to use Linux as the default version for unknown platforms - it's most likely those platforms mimic linux (BSDs, SunOS, etc).
Comment on attachment 8940961 [details]
Bug 1404608 - Reveal the real operating system when fingerprinting resistance is enabled.

AppConstants.platform returns "linux" on FreeBSD or any other Gtk platform.

https://searchfox.org/mozilla-central/rev/cf149b7b63ff/toolkit/modules/AppConstants.jsm#151

$ ./mach test browser/components/resistfingerprinting/test/browser/browser_navigator.js
[...]
mochitest-browser: 29/43
  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.appVersion is correctly spoofed. - Got 5.0 (Windows), expected 5.0 (X11)
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:67

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.platform is correctly spoofed. - Got Win64, expected Linux x86_64
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:68

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.userAgent is correctly spoofed. - Got Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0, expected Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:69

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.oscpu is correctly spoofed. - Got Windows NT 6.1; Win64; x64, expected Linux x86_64
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:72

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.appVersion is correctly spoofed. - Got 5.0 (Windows), expected 5.0 (X11)
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testWorkerNavigator:105

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.platform is correctly spoofed. - Got Win64, expected Linux x86_64
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testWorkerNavigator:106

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.userAgent is correctly spoofed. - Got Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0, expected Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testWorkerNavigator:107

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.appVersion is correctly spoofed. - Got 5.0 (Windows), expected 5.0 (X11)
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:67

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.platform is correctly spoofed. - Got Win64, expected Linux x86_64
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:68

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.userAgent is correctly spoofed. - Got Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0, expected Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:69

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.oscpu is correctly spoofed. - Got Windows NT 6.1; Win64; x64, expected Linux x86_64
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testNavigator:72

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.appVersion is correctly spoofed. - Got 5.0 (Windows), expected 5.0 (X11)
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testWorkerNavigator:105

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.platform is correctly spoofed. - Got Win64, expected Linux x86_64
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testWorkerNavigator:106

  TEST-UNEXPECTED-FAIL | browser/components/resistfingerprinting/test/browser/browser_navigator.js | Navigator.userAgent is correctly spoofed. - Got Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0, expected Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Stack trace:
chrome://mochikit/content/browser-test.js:test_is:1269
chrome://mochitests/content/browser/browser/components/resistfingerprinting/test/browser/browser_navigator.js:testWorkerNavigator:107
Attachment #8940961 - Flags: feedback-
Attachment #8940961 - Flags: feedback-
Comment on attachment 8940961 [details]
Bug 1404608 - Reveal the real operating system when fingerprinting resistance is enabled.

https://reviewboard.mozilla.org/r/211236/#review217142

::: toolkit/components/resistfingerprinting/nsRFPService.h:31
(Diff revision 1)
> +#elif defined(MOZ_WIDGET_ANDROID)
> +#define SPOOFED_UA_OS      "Android 6.0; Mobile"
> +#define SPOOFED_APPVERSION "5.0 (Android 6.0)"
> +#define SPOOFED_OSCPU      "Linux armv7l"
> +#define SPOOFED_PLATFORM   "Linux armv7l"
> +#elif defined(XP_LINUX)

Maybe check `MOZ_WIDGET_GTK` here to fix comment 8.
Comment on attachment 8940961 [details]
Bug 1404608 - Reveal the real operating system when fingerprinting resistance is enabled.

https://reviewboard.mozilla.org/r/211236/#review217340

::: toolkit/components/resistfingerprinting/nsRFPService.h:16
(Diff revision 1)
>  
>  #include "nsString.h"
>  
>  // Defines regarding spoofed values of Navigator object. These spoofed values
>  // are returned when 'privacy.resistFingerprinting' is true.
> -#define SPOOFED_APPNAME    "Netscape"
> +#ifdef XP_WIN

I would suggest adding a comment here that explains why we have decided to expose the platform. Namely that it is easy to detect platform anyway, so we reduce breakage by not hiding the platform in the navigator object.
Attachment #8940961 - Flags: review?(arthuredelstein) → review+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/9c586454144b
Reveal the real operating system when fingerprinting resistance is enabled. r=arthuredelstein,smaug
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/9c586454144b
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Duplicate of this bug: 1405810
Any change of backporting this to 58?
(In reply to Simon Mainey from comment #16)
> Any change of backporting this to 58?

Usually, we don't uplift patches for disabled features.
Also, today is the last build of 58 Beta.  It's unlikely we can uplift it to 58.
I think this chance should be reverted.

1 Feature detection relies on JS highly. No JS - no feature detection.
2 Though it can be possible to fingerprint a phohe vs a tablet vs a desktop vs a laptop via CSS, I guess as much as possible still be mitigated
3 Though it can be possible to fingerprint tcp/ip stack to get the OS, I guess we should still spoof the OS in useragent and maybe consider using a userspace tcp/ip stack.

Why have you removed this?
*change
*still should
This snippet in our appcfg on Linux says enough i think...
> // We DONT want to use this because it modifies UserAgent tobe a Windows OS...
> lockPref('privacy.resistFingerprinting',			false)
Duplicate of this bug: 1441003
You need to log in before you can comment on or make changes to this bug.