Closed Bug 1650427 Opened 10 months ago Closed 9 months ago

RFP Should report OS as Linux when on Linux

Categories

(Core :: DOM: Security, defect, P2)

All
Linux
defect

Tracking


RESOLVED INVALID
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- wontfix

People

(Reporter: luis.machuca, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:0.0) Gecko/20100101 Firefox/0.0

Steps to reproduce:

1.- Install Linux (Debian 10 Stable)
2.- Install Firefox ESR (latest is 68 from the available packaging)
3.- about:config set "privacy.resistFingerprinting" to true
4.- Visit any number of UA and OS identification sites, for example [https://gs.statcounter.com/detect] or [https://www.whatismybrowser.com/detect]

Actual results:

Firefox version is reported as 68, as expected.
Operating System is reported as "Windows 10", not as expected.

Expected results:

Firefox version is reported as 68, as expected.
Operating System is reported as a widely-known variant or distribution of Linux, such as "Ubuntu", as expected.

Detecting or at least inferring the potential real OS behind the connection is already possible via other techniques such as examination of the TCP/IP communication process and, in the case of public IPs, xprobe. Reporting the wrong OS might give away the user's uniqueness.

Furthermore, reporting OS as Windows 10 harms the credibility of Linux as a product by reporting a lower market share and usage, and promotes Windows 10 which is a dangerous operating system for the privacy and security of persons. It also forces privacy-minded users, the main userbase segment that would have motive to use both Linux and Firefox, to do a disservice to Linux as their platform of choice.

If anything, Firefox on Linux should report that it's running on something like "Ubuntu" depending on distro marketshare.

Furthermore, if a fix is made it could be useful to make it available to at least the previous stable ESR (e.g.: 68 once the next ESR hits, or 60 if the fix is released while in 68's cycle).

I can confirm this issue, reproduced it on the latest Nightly 80.0a1, Firefox 79 Beta 6, Firefox 78.0.2, Firefox 78.0.2 esr and Firefox 68.10.0 esr on Ubuntu 18.04.
Besides the OS version not being correctly identified (instead of Linux, I see Windows 10), the version of the actual browser is not the exact one on Nightly 80.0a1 and on Firefox 79 Beta 6, where the identified version is Firefox 78.
Setting this issue to NEW.

Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
OS: Unspecified → Linux
Product: Firefox → Core
Hardware: Unspecified → All
Version: 68 Branch → Trunk
Severity: -- → S3
Priority: -- → P2
Whiteboard: [domsecurity-backlog1]

The difference is from Bug 1509829: some sites use the header, some use navigator properties. Originally RFP spoofed both as one of only two possible results (Windows, Android), but then due to breakage (see Bug 1404608) it was decided to use four values (you can't really hide your OS anyway). But then Tor Browser decided that we could make it harder for passive fingerprinting (especially when the Tor Browser's slider is at safest) without much/any breakage by limiting the header back to two values, but leaving the navigator as four due to breakage (e.g. see Bug 1519122 for the main reason there is breakage).

So we're all good. As for the value returned by Linux distros in navigator: as long as everyone is the same, then the RFP set of users is solid on this metric (and you can't hide that you're using RFP).

ni'ing tom to confirm and close

Flags: needinfo?(tom)

(In reply to luis.machuca from comment #0)

> Detecting or at least inferring the potential real OS behind the connection is already possible via other techniques such as examination of the TCP/IP communication process and, in the case of public IPs, xprobe. Reporting the wrong OS might give away the user's uniqueness.

You are correct; however, this setting is not made for Firefox, but for Tor Browser, which does not suffer from these problems.

> Furthermore, reporting OS as Windows 10 harms the credibility of Linux as a product by reporting a lower market share and usage, and promotes Windows 10 which is a dangerous operating system for the privacy and security of persons. It also forces privacy-minded users, the main userbase segment that would have motive to use both Linux and Firefox, to do a disservice to Linux as their platform of choice.

RFP is intentionally designed to report values that correspond to the majority of users in situations like these. We chose the cpu count based on majority usage and Windows and its sub-version based on the majority of users.

This is working as intended; although I understand and appreciate that you would prefer it work a different way.

Status: NEW → RESOLVED
Closed: 9 months ago
Flags: needinfo?(tom)
Resolution: --- → INVALID

(In reply to luis.machuca from comment #0)

> Detecting or at least inferring the potential real OS behind the connection is already possible via other techniques such as examination of the TCP/IP communication process and, in the case of public IPs, xprobe. Reporting the wrong OS might give away the user's uniqueness.

You can detect the OS (and often the actual Linux distro!) client side in many ways: e.g. inspect the font used on a checkbox widget. In an enclosed set such as RFP users, all Linux users will still all be the same re header vs navigator: there is no added entropy by lying as Windows vs returning Linux for the header.
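The two comments above make the same argument: the header lie adds no entropy within the RFP cohort, and a Linux user who is "the same as everyone else" has nothing to gain from a truthful header. The script below is an added example, not code from Firefox or Tor Browser, that models the two-layer spoofing described in comment #3 (header limited to two values, navigator properties to four) and measures what a passive observer learns from each layer over a constructed cohort. The exact set of four navigator values and the cohort's OS mix are assumptions made for the example; the page only states the counts.

```javascript
// Added example (not Firefox/Tor Browser code): model of RFP's two-layer OS
// spoofing and the entropy each layer contributes across a cohort of RFP users.

// Assumed value sets. The bug says the header is limited to two values and the
// navigator properties to four; the exact navigator set below is an assumption.
const HEADER_OS = { windows: "Windows", android: "Android" };
const NAVIGATOR_OS = { windows: "Windows", macos: "Mac", linux: "Linux", android: "Android" };

// What an RFP user reports for a given real OS: the header collapses every
// desktop OS to "Windows" (mobile to "Android"); navigator keeps the OS family.
function spoof(realOs) {
  const isMobile = realOs === "android";
  return {
    header: isMobile ? HEADER_OS.android : HEADER_OS.windows,
    navigator: NAVIGATOR_OS[realOs],
  };
}

// Shannon entropy, in bits, of an attribute's values across a population.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed cohort of 100 desktop RFP users (hypothetical OS mix).
const COHORT = [
  ...Array(60).fill("windows"),
  ...Array(20).fill("macos"),
  ...Array(20).fill("linux"),
];

// Entropy of the real OS versus what each spoofed layer, and both together, leak.
function report(cohort) {
  const reports = cohort.map(spoof);
  const truthful = cohort.map((os) => NAVIGATOR_OS[os]);
  return {
    realOsBits: entropyBits(truthful),
    headerBits: entropyBits(reports.map((r) => r.header)),
    navigatorBits: entropyBits(reports.map((r) => r.navigator)),
    // Joint entropy of (header, navigator): what an observer with both sees.
    jointBits: entropyBits(reports.map((r) => `${r.header}|${r.navigator}`)),
  };
}

// Size of the anonymity set for one reported (header, navigator) pair: how many
// cohort members report exactly the same thing.
function anonymitySet(cohort, reported) {
  return cohort
    .map(spoof)
    .filter((r) => r.header === reported.header && r.navigator === reported.navigator)
    .length;
}

// Stand-alone run: the header carries 0 bits inside the desktop cohort, the
// joint entropy equals the navigator entropy, and a Linux RFP user shares their
// report with every other Linux RFP user. A single user who instead sent
// "Linux" in the header (as the bug requests) would share it with nobody.
console.log(report(COHORT));
console.log("Linux RFP user anonymity set:", anonymitySet(COHORT, spoof("linux")));
console.log("Lone truthful-header user:", anonymitySet(COHORT, { header: "Linux", navigator: "Linux" }));
```

The numbers are illustrative, but the structure of the result is not: a spoofed attribute only protects a user while every other member of the cohort sends the same value, which is exactly the "as long as everyone is the same" condition in comment #3.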
