Closed Bug 1509829 Opened 1 year ago Closed 1 year ago

privacy.resistFingerprinting: UA header, upstream Tor 26146

Categories

(Core :: DOM: Security, defect, P3)

65 Branch
defect

Tracking

()

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 66+ fixed
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- fixed

People

(Reporter: simon.mainey, Assigned: tjr)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Whiteboard: [tor][fingerprinting][domsecurity-backlog1][fp-triaged])

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Tor Browser patched the User Agent header from a hard coded limit of four OSes (Windows, Android, Mac, Linux) [see 1], to two (Windows & Android) [see 2]

They did not change the JS navigator object. This was to reduce entropy for Linux and Mac users via HTTP headers, but not break JS functionality

It was suggested/said to upstream this patch to Firefox before the next ESR [see 3]

NOTE: For some reason ESR60 branch lost the `Win64; x64 ` string (I have not confirmed this, but it did happen to Tor Browser 8 based on this branch), so assuming that should be there, lets make sure it is (yes, it is in FF63+, tested myself). But [see 4] where Tim Huang (comment3) couldn't replicate in ESR60. Someone should check ESR and decide if it's worth back porting this patch to that.

[1] https://dxr.mozilla.org/mozilla-central/source/browser/components/resistfingerprinting/test/browser/browser_navigator.js#39-44
[2] https://trac.torproject.org/projects/tor/ticket/26146
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1499478#c6
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1499478




Actual results:

See attachment: which shows TBB vs FF64 (note: we still have the `Win64; x64 ` string
^^ Sorry, I only have a Windows machine, so I can't demonstrate TBB's limit to two OSes. Attachment was to show the `Win64; x64` bit.
Whiteboard: [tor][fingerprinting]
Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [tor][fingerprinting] → [tor][fingerprinting][domsecurity-backlog1]
Whiteboard: [tor][fingerprinting][domsecurity-backlog1] → [tor][fingerprinting][domsecurity-backlog1][fp-triaged]
Tim is on top of this.
Assignee: nobody → tihuang
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Duplicate of this bug: 1518839

IIUC, the whole point for Tor 26146 is for fixing the keyboard shortcuts if we spoof the OS. If that so, we have another option here, we can spoof the modifier state "Meta" in MAC into a "Ctrl" state in keyboard events. With this, we can spoof the OS for not only the HTTP header but also navigator.userAgent and the keyboard shortcuts can still work.

(In reply to Tim Huang[:timhuang] from comment #4)

IIUC, the whole point for Tor 26146 is for fixing the keyboard shortcuts if we spoof the OS. If that so, we have another option here, we can spoof the modifier state "Meta" in MAC into a "Ctrl" state in keyboard events. With this, we can spoof the OS for not only the HTTP header but also navigator.userAgent and the keyboard shortcuts can still work.

Chatted with Tim about this: I am in agreement (and he had a WIP for the keyboard spoofing). However, I'm still going to submit this code for review and hopefully esr60 uplift because:

  1. It would be good to stay in sync with Tor to the extent possible
  2. We're not sure when we will get to the keyboard spoofing work (it will be several months at least)
  3. I just finished the code and I think/hope it's going to work when I test it
  4. I got called out on it over here: https://trac.torproject.org/projects/tor/ticket/26146#comment:73

So assuming there are no hiccups with my patch I will submit it soon and file a followup for the spoofing.

Assignee: tihuang → tom
Attachment #9035394 - Flags: review?(amarchesini)
Attachment #9035394 - Attachment is obsolete: true
Attachment #9035394 - Flags: review?(amarchesini)
Attachment #9035408 - Flags: review?(amarchesini)
Attachment #9035394 - Attachment is obsolete: false
Attachment #9035408 - Flags: review?(amarchesini) → review+
Attachment #9035394 - Attachment is obsolete: true

Comment on attachment 9035408 [details] [diff] [review]
Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r?baku

Tim if this looks good to you, I'll send it in!

Attachment #9035408 - Flags: review?(tihuang)
Comment on attachment 9035408 [details] [diff] [review]
Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r?baku

Review of attachment 9035408 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Thanks, Tom.
Attachment #9035408 - Flags: review?(tihuang) → review+
See Also: → 1519122

Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dcd5dfecc7b0
Spoof OS in HTTP User-Agent header for desktop platforms r=timhuang,baku

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: Tor patch backport

User impact if declined: Tor will need to carry an additional patch

Fix Landed on Version: 66.0a1 / 20190110214210

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): The code only affects the Resist Fingerprinting mode; is small, and has a test.

String or UUID changes made by this patch:

Attachment #9036571 - Flags: approval-mozilla-esr60?

I'd rather punt on this for 60.5esr so we don't ship this on esr before release. Leaving the approval request in place for 60.6.

Comment on attachment 9036571 [details] [diff] [review]
Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r=timhuang,baku (esr60)

Fix with a test for a feature that lives behind a pref. Reduces Tor's downstream maintenance burden. Approved for 60.6esr to ship alongside Fx66.
Attachment #9036571 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Regressions: 1610762
You need to log in before you can comment on or make changes to this bug.