Closed Bug 1529391 Opened 5 years ago Closed 3 years ago

Don't spoof version number in User Agent with privacy.resistFingerprinting enabled

Categories

(Core :: DOM: Security, enhancement, P3)

RESOLVED WONTFIX

People

(Reporter: viktor_jaegerskuepper, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fingerprinting][domsecurity-backlog])

Bug 1527747 made me think about the reason why the version number in the User Agent is spoofed to the latest ESR release. I couldn't find any reasoning for this, it is just the current situation seen in Tor Browser which is of course based on ESR.

In the section "Cross-Origin Fingerprinting Unlinkability" in the Tor Browser design document [1] I found the following:
"Due to vast differences in feature set and implementation behavior even between different (minor) versions of the same browser, browser vendor and version differences are simply not possible to conceal in any realistic way. It is only possible to minimize the differences among different installations of the same browser vendor and version."

I think it is more reasonable to not spoof the version number, not only to avoid breakage, but also because it isn't clear to me how spoofing it would be fundamentally better. Not spoofing it wouldn't change anything for ESR nor for Tor Browser, the latter being essential for this upstream bug.

There are probably several counter-arguments, I have already thought of some, but none of them convinced me to not file this bug. So I leave it up to anti-fingerprinting experts to decide on this. Since the anti-fingerprinting option is (still) not exposed in the UI, I believe this issue isn't really urgent. And "spoofing" the version number in the User Agent back to its original value isn't really hard.

I hope that my proposal makes sense. Please let me know if something isn't clear to you.

[1] https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

Just playing devil's advocate: pros and cons for lack of a better word

info

  • Firefox is not trying to look like the Tor Browser (just to make that clear)
  • I'm not sure of the exact numbers, but most Firefox users migrate to new releases within about a week, and then the uptake quickly tapers off
  • 90% (again, not sure on exact numbers) use current stable, 10% use ESR
  • Dev and Nightly, I am not sure on numbers, but as explained elsewhere, these are not to be considered due to their nature - e.g we do not keep them masked as current ESR for one cycle in Dev and two cycles in Nightly, when they already diverge from the fingerprint

pros

  • Breakage, IMO, is rare, but as the Amazon Video ticket shows, would be reduced, which is a good thing for uptake when RFP becomes front facing
  • A changing version is not static: fingerprinting likes stability in its metrics
  • It is trivial in JS to detect the Firefox release through feature detection using changes that the end user cannot modify (e.g via a pref)

cons

  • If the version wasn't spoofed to the lowest common denominator (ESR makes sense), then it would create more entropy - it would definitely splinter RFP users into two main buckets: ESR vs stable
  • It will disproportionately affect the smaller groups: ESR, slightly older packages yet to update on Linux
  • As mentioned in pros: it is trivial to detect the real version, but does anyone bother in the wild, considering all the other lower hanging fruit (but we should still address it)
  • There is a difference between giving away free entropy and making fingerprinting work for it: e.g disabling JS doesn't change the HTTP header
  • In Firefox, the most common version is actually current stable, not ESR - but it doesn't matter what is used, as long as all RFP users are the same (and you can only do that using a lower common denominator: ESR)

This is similar to spoofing the OS, which was limited to 2 OSes, then to 4, and since then is hopefully going to be returned back to 2 OSes (when we fix the breakage) - i.e. we're still determined to spoof the OS, and we always seem to find ways to fix the breakage (why is Amazon breaking for ESR agent). IMO, we should still spoof the version number: giving away free entropy is madness :)

FYI: Here is feature detection for Firefox 60+ (currently stops at 65)
[1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#useragent - see the version entry
[2] source: https://ghacksuserjs.github.io/TorZillaPrint/js/useragent.js
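
Added example, not part of any comment in this bug: the cons above argue that dropping the spoof splits RFP users into ESR and stable buckets and hurts the smaller group most. The JavaScript below quantifies that argument with Shannon entropy, using the comment's own rough 90%/10% split as a constructed input; the function and policy names are hypothetical.

```javascript
// Constructed population of RFP users by real release channel. The shares are
// the rough figures quoted in the comment above, not measured data.
const population = { stable: 0.9, esr: 0.1 };

// A policy maps a user's real channel to the version bucket a site observes.
const policies = {
  spoofToEsr: () => "esr",        // everyone reports the ESR version
  noSpoof: (channel) => channel,  // the proposal: report the real version
};

// Collapse the real population into the buckets an observer can distinguish.
function observedBuckets(pop, policy) {
  const buckets = {};
  for (const [channel, share] of Object.entries(pop)) {
    const seen = policy(channel);
    buckets[seen] = (buckets[seen] || 0) + share;
  }
  return buckets;
}

// Surprisal in bits: what an observer learns about a user in a bucket of this share.
function surprisalBits(share) {
  return Math.log2(1 / share);
}

// Entropy (average bits leaked by the version field) plus per-bucket surprisal.
function versionLeak(pop, policy) {
  const buckets = observedBuckets(pop, policy);
  const perBucket = {};
  let entropy = 0;
  for (const [name, share] of Object.entries(buckets)) {
    if (share <= 0) continue; // an empty bucket contributes nothing
    const bits = surprisalBits(share);
    perBucket[name] = { share, bits };
    entropy += share * bits;
  }
  return { entropy, perBucket };
}

for (const [name, policy] of Object.entries(policies)) {
  console.log(name, JSON.stringify(versionLeak(population, policy)));
}
```

With the spoof in place the version field carries no information; without it the average is under half a bit, but an ESR user gives up about 3.3 bits while a stable user gives up about 0.15.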

Viktor, thank you for bringing up this topic, and thanks to Simon for the great statement of pros and cons.

I agree with everything Simon said in comment 1. We should keep spoofing the version number for Resist Fingerprinting mode.
But I'll check with the Tor Uplift team for confirmation.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3

Arthur and Tom, what do you think?

Flags: needinfo?(tom)
Flags: needinfo?(arthur)
Whiteboard: [fingerprinting][domsecurity-backlog]

Record the discussion in the Tor Uplift meeting.

Arthur's suggestion: We shouldn't stop spoofing the version number in the UA just because of the breakage on Amazon Prime Video. But we should find out how many breakages are caused by this behavior. We might want to change the way we spoof the version number based on the investigation.

Keep this bug open to track this issue.

Flags: needinfo?(arthur)

+1

I'll also point to the previous discussion: https://lists.torproject.org/pipermail/tbb-dev/2017-October/thread.html (impossible fights)

Flags: needinfo?(tom)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX

I guess this bug is also obsolete because of bug 1609304.
