I didn’t see it address on the forum yet, so I’d like to open a discussion regarding what many see to be a dangerous regression:
The latest, current version of TorBrowser (8.0), which is now based on Firefox Quantum, does not spoof the user-agent anymore. It means that using a Linux machine (ex. Whonix) will now send the following header:
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Instead of the generic Windows header that was used until then for all machines:
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
macOS users are also affected by this change and are now identified as MacOS machines.
I am not sure whether this is an upstream issue with Firefox devs or a standalone decision from the Tor developers. I didn’t dig deep in the topic yet, probably more informed users here could add useful details on this matter.
A lot of Tor users are already complaining about this regression and asking for the feature to be brought back. As far as I understand, and this is based on a few superficial readings, the argument made by Tor devs is that since user-agent spoofing is impossible against advanced techniques, it is better to remove it altogether, as it blocks usability and reduces user-friendliness of TorBrowser (ex. macOS users unable to correctly display Google docs…).
To me it is very concerning, as using TorBrowser on Whonix will now automatically send a Linux User-Agent header, which greatly stands us out and reduce anonimity… I understand that user-agent spoofing is defenseless against advanced, yet easily deployable techniques, but far from all websites actually implement such tricks… Most websites do not attempt to verify whether the user-agent being sent by the client is real or not.
Can we think of any workaround to provide a Whonix TorBrowser (8.0) which would still feature user-agent spoofing? What are your thoughts?