Tor Browser 8 and removal of user-agent spoofing

I didn’t see it addressed on the forum yet, so I’d like to open a discussion regarding what many see to be a dangerous regression:

The latest, current version of TorBrowser (8.0), which is now based on Firefox Quantum, does not spoof the user-agent anymore. It means that using a Linux machine (ex. Whonix) will now send the following header:

Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Instead of the generic Windows header that was used until then for all machines:

Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0

macOS users are also affected by this change and are now identified as macOS machines.

I am not sure whether this is an upstream issue with Firefox devs or a standalone decision from the Tor developers. I didn’t dig deep in the topic yet, probably more informed users here could add useful details on this matter.

A lot of Tor users are already complaining about this regression and asking for the feature to be brought back. As far as I understand, and this is based on a few superficial readings, the argument made by Tor devs is that since user-agent spoofing is impossible against advanced techniques, it is better to remove it altogether, as it blocks usability and reduces user-friendliness of TorBrowser (ex. macOS users unable to correctly display Google docs…).

To me it is very concerning, as using TorBrowser on Whonix will now automatically send a Linux User-Agent header, which makes us stand out greatly and reduces anonymity… I understand that user-agent spoofing is defenseless against advanced, yet easily deployable techniques, but far from all websites actually implement such tricks… Most websites do not attempt to verify whether the user-agent being sent by the client is real or not.

Can we think of any workaround to provide a Whonix TorBrowser (8.0) which would still feature user-agent spoofing? What are your thoughts?

Afaik the decision was made by the Tor Project. You could certainly change the user agent by building the browser from source. There is also general.useragent.override in about:config. Though it does not seem to change anything. I’d also very much welcome it if they changed the feature back. There is lots of discussion going on on the blog and somewhere on trac.torproject.org.

I read somewhere that TPO and Mozilla decided that modifying the user agent is unsustainable and relatively easy to defeat especially on mobile so they are not going to bother doing it anymore. Not the end of the world.

I guess the point is it doesn’t do anything against medium-advanced level attackers i.e. there are obvious network and other signatures that say “Linux user”.

Even some of those half-baked browser leak websites can detect you are running Linux (guesstimate) based on various characteristics; from memory, even without JavaScript enabled.

The Tor Project has assessed it is “magic, secret sauce” that makes users feel good, but does nothing to deal with realistic threats i.e. protocol changes and other major design issues need to be addressed to prevent this fingerprinting.

So, they removed it to smash the fantasy.

I understand the reasoning behind this decision, and the fact that user-agent spoofing can be easily defeated. This being said it doesn’t change the fact that AFAIK most websites DO NOT implement advanced de-spoofing techniques, and so I really don’t see the point of removing such a useful feature, even if it is easily defeated. It is still an important tool, even if a weak one, against fingerprinting attempts.

When before the change we were identified on 99% of websites as standard Windows users, even with the knowledge that the real underlying platform could be easily identified, now we are identified as Linux users 100% of the time. Which really makes us stand out. I don’t want news websites, web forums, e-mail providers, etc. to automatically know that I am a Linux user. And I am pretty confident that these services I use do not bother to look for Linux network signatures, fonts, JavaScript, etc. to check whether my user-agent is legit. Now they don’t even need to, they already know I am a Linux user. And there’s nothing I can do about it. Linux user + Tor exit node -> I am sure this will lead to proactive blocking on a lot of websites, as this combination will surely mean “dangerous hacker/anonymous activist” to them…

I am looking into add-ons that provide such features, but I really don’t like the idea of relying on third-party providers… Any suggestions on reliable user-agent spoofing add-ons?

What you can do is use Windows as a VM connecting through Whonix Gateway.

Now, it has been mentioned here in the past that advanced fingerprinting techniques can detect that you are inside a VM, and I have indeed seen a program that does it and verified it myself, but the sites you mention probably don’t run this test.

This will of course expose you to a series of other issues.

In general I also don’t like the approach that if something can be beaten it shouldn’t be applied as protection at all. We have just seen that the “NoScript” button and “safest” settings of Tor Browser v.7 were in fact beaten. Was that protection an illusion as well? I say no, not from most websites. Is there now a new similar exploit against the new version of NoScript or Tor v.8? Well, we don’t know, but can we just assume there isn’t after the last version was compromised in this sense?

We can take a step further and say, we can assume advanced adversaries have 0day exploits against many other Linux / Tor / Whonix / Tails / FileZilla / Thunderbird / whatever component; should we just give up all our protection that is still effective in most cases? I say no.

I don’t want to use a Windows VM…

I completely agree with what you said, this logic is flawed, why then even bother using Tor/Whonix, etc.?

Build it from source instead?

Algernon:

Build it from source instead?

While I applaud the exercise, not sure that’s great. You’d stick out as
the one who went through the rain dance of recompiling.

Uniformness is unfortunately not so much compatible with Libre Software
individualism.

True, but it depends on what is used for fingerprinting/tracking. If it is just the user agent you might be better off. If other ways are used on top you can get tracked easier.

Not if everyone would be recompiling :smirk:

How would building from source make you stand out? Is it something that can be seen/fingerprinted? Does a self-compiled TorBrowser somehow “show” that it has been compiled from source?

user-agent spoofing is impossible against advanced techniques

So you’d be the one with Windows browser agent who went through the rain dance of compilation that yet can be detected being a Linux user through advanced techniques.

Every single “extra” step you take will make you stand out even more. You have to trust that upstream is making decisions in your best interest and according to a deeper understanding of the topic.