Closed Bug 1409269 Opened 2 years ago Closed Last year
spoofed useragent from privacy.resistfingerprinting conflicts with OS revealed by TCP/IP fingerprinting
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20100101

Steps to reproduce:

Set "privacy.resistFingerprinting" to true. Run the IP address leak test at Browserleaks.com (https://browserleaks.com/ip). Create the hidden preference "general.useragentoverride" by setting it to any useragent other than for a Windows OS version.

Actual results:

The browserleaks test shows that the useragent is "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0", and it shows that the operating system being used is "Linux 3.11 and newer." The former is spoofed (from privacy.resistfingerprinting), and the OS is what my computer actually is. The two conflict.

Expected results:

There should be an override that allows the spoofed useragent to be changed to a useragent that is based on Linux 3.11 and newer. By restricting the default useragent to Windows, TCP/IP fingerprinting easily reveals the spoofed useragent. The hidden preference "general.useragentoverride" cannot override it. Scrubbing TCP/IP fingerprinting isn't a viable option for recent Linux versions, so a plausible useragent spoof is needed.
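The conflict described in the report above can be checked mechanically. The following is an added example, not code from this bug or from Firefox: it compares the platform a user agent claims with the OS label from passive TCP/IP fingerprinting. The function names, token patterns and compatibility table are assumptions of the example; the only network label taken from this page is "Linux 3.11 and newer".

```python
import re

# Families follow the four platforms named in the bug's comments; the token
# patterns and the compatibility table are assumptions of this example.
UA_TOKENS = [
    ("Android", re.compile(r"\bAndroid\b")),  # before Linux: some Android UAs contain both
    ("Windows", re.compile(r"\bWindows NT\b")),
    ("OSX", re.compile(r"\bMac OS X\b")),
    ("Linux", re.compile(r"\bLinux\b")),
]
NET_TOKENS = [
    ("Windows", re.compile(r"^Windows\b", re.I)),
    ("OSX", re.compile(r"^Mac OS X\b", re.I)),
    ("Linux", re.compile(r"^Linux\b", re.I)),
]
# UA families a given TCP/IP stack can plausibly sit under. Android runs on a
# Linux kernel, so a Linux stack does not contradict an Android user agent.
COMPATIBLE = {"Windows": {"Windows"}, "OSX": {"OSX"}, "Linux": {"Linux", "Android"}}


def _family(text, table):
    """First family whose pattern matches the text, or None."""
    for family, pattern in table:
        if pattern.search(text):
            return family
    return None


def ua_platform(user_agent):
    """Family claimed in the first parenthesised section of a Mozilla-style UA."""
    m = re.search(r"\(([^)]*)\)", user_agent)
    return _family(m.group(1), UA_TOKENS) if m else None


def check_consistency(user_agent, network_os_label):
    """Return (verdict, ua_family, net_family); verdict is
    'consistent', 'conflict' or 'unknown'."""
    ua_fam = ua_platform(user_agent)
    net_fam = _family(network_os_label.strip(), NET_TOKENS)
    if ua_fam is None or net_fam is None:
        return ("unknown", ua_fam, net_fam)
    verdict = "consistent" if ua_fam in COMPATIBLE[net_fam] else "conflict"
    return (verdict, ua_fam, net_fam)


if __name__ == "__main__":
    # Both inputs are the values quoted in the report above.
    reported_ua = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) "
                   "Gecko/20100101 Firefox/50.0")
    print(check_consistency(reported_ua, "Linux 3.11 and newer"))
```

A label the table does not recognise yields "unknown" rather than a guess, so an unrecognised stack is never reported as a conflict.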
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Component: Networking: HTTP → DOM: Security
See Also: → 1333651
Version: 50 Branch → Trunk
2 years ago
Priority: -- → P5
Whiteboard: [fingerprinting] → [fingerprinting][domsecurity-backlog]
2 years ago
Depends on: 1404608
Is this no longer an issue since Bug 1404608 landed? Or did we want to keep it open for consideration for non-Windows/OSX/Android/Linux platforms (we only allow four platform variables)?
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → FIXED