privacy.resistFingerprinting: UA header, upstream Tor 26146
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: thorin, Assigned: tjr)
References
(Blocks 1 open bug, Regressed 2 open bugs)
Details
(Whiteboard: [tor][fingerprinting][domsecurity-backlog1][fp-triaged])
Attachments
(3 files, 1 obsolete file)
|
38.30 KB,
image/png
|
Details | |
|
13.87 KB,
patch
|
baku
:
review+
timhuang
:
review+
|
Details | Diff | Splinter Review |
|
13.77 KB,
patch
|
RyanVM
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
UserAgent-comparison.png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Steps to reproduce: Tor Browser patched the User Agent header from a hard coded limit of four OSes (Windows, Android, Mac, Linux) [see 1], to two (Windows & Android) [see 2] They did not change the JS navigator object. This was to reduce entropy for Linux and Mac users via HTTP headers, but not break JS functionality It was suggested/said to upstream this patch to Firefox before the next ESR [see 3] NOTE: For some reason ESR60 branch lost the `Win64; x64 ` string (I have not confirmed this, but it did happen to Tor Browser 8 based on this branch), so assuming that should be there, lets make sure it is (yes, it is in FF63+, tested myself). But [see 4] where Tim Huang (comment3) couldn't replicate in ESR60. Someone should check ESR and decide if it's worth back porting this patch to that. [1] https://dxr.mozilla.org/mozilla-central/source/browser/components/resistfingerprinting/test/browser/browser_navigator.js#39-44 [2] https://trac.torproject.org/projects/tor/ticket/26146 [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1499478#c6 [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1499478 Actual results: See attachment: which shows TBB vs FF64 (note: we still have the `Win64; x64 ` string
|
Reporter | |
Comment 1•6 years ago
|
||
^^ Sorry, I only have a Windows machine, so I can't demonstrate TBB's limit to two OSes. Attachment was to show the `Win64; x64` bit.
|
Assignee | |
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Comment 4•6 years ago
|
||
IIUC, the whole point for Tor 26146 is for fixing the keyboard shortcuts if we spoof the OS. If that so, we have another option here, we can spoof the modifier state "Meta" in MAC into a "Ctrl" state in keyboard events. With this, we can spoof the OS for not only the HTTP header but also navigator.userAgent and the keyboard shortcuts can still work.
|
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Tim Huang[:timhuang] from comment #4)
IIUC, the whole point for Tor 26146 is for fixing the keyboard shortcuts if we spoof the OS. If that so, we have another option here, we can spoof the modifier state "Meta" in MAC into a "Ctrl" state in keyboard events. With this, we can spoof the OS for not only the HTTP header but also navigator.userAgent and the keyboard shortcuts can still work.
Chatted with Tim about this: I am in agreement (and he had a WIP for the keyboard spoofing). However, I'm still going to submit this code for review and hopefully esr60 uplift because:
- It would be good to stay in sync with Tor to the extent possible
- We're not sure when we will get to the keyboard spoofing work (it will be several months at least)
- I just finished the code and I think/hope it's going to work when I test it
- I got called out on it over here: https://trac.torproject.org/projects/tor/ticket/26146#comment:73
So assuming there are no hiccups with my patch I will submit it soon and file a followup for the spoofing.
|
|
Assignee | |
Comment 6•6 years ago
|
||
|
|
Assignee | |
Comment 7•6 years ago
|
||
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Comment 8•6 years ago
|
||
Comment on attachment 9035408 [details] [diff] [review]
Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r?baku
Tim if this looks good to you, I'll send it in!
|
|
||
Comment 9•6 years ago
|
||
Comment on attachment 9035408 [details] [diff] [review] Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r?baku Review of attachment 9035408 [details] [diff] [review]: ----------------------------------------------------------------- LGTM. Thanks, Tom.
|
|
Assignee | |
Updated•6 years ago
|
|
||
Comment 10•6 years ago
|
||
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dcd5dfecc7b0
Spoof OS in HTTP User-Agent header for desktop platforms r=timhuang,baku
|
||
Comment 11•6 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 12•6 years ago
|
||
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Tor patch backport
User impact if declined: Tor will need to carry an additional patch
Fix Landed on Version: 66.0a1 / 20190110214210
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): The code only affects the Resist Fingerprinting mode; is small, and has a test.
String or UUID changes made by this patch:
|
||
Comment 13•6 years ago
|
||
I'd rather punt on this for 60.5esr so we don't ship this on esr before release. Leaving the approval request in place for 60.6.
|
||
Comment 14•6 years ago
|
||
Comment on attachment 9036571 [details] [diff] [review] Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r=timhuang,baku (esr60) Fix with a test for a feature that lives behind a pref. Reduces Tor's downstream maintenance burden. Approved for 60.6esr to ship alongside Fx66.
|
||
Comment 15•6 years ago
|
||
| bugherder uplift | ||
Description
•