Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+---
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  duplicate
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---

Comment (by H7gQsKnpvf3nB7NWYtdhtDyECtySfgyx):

 A troll vandalized my comment with "We use Tor." so I'm going to replicate
 my earlier comment with a different account:

 Replying to [comment:2 arma]:
 > (I hear from the tor browser devs that they are no longer trying to lie
 about user agent, (a) because you can't actually convincing lie,
 1) Not everyone does OS detection with JS, so the trackers who use the UA
 only (i.e. without JS detection) are duped, 2) with JS disabled there's no
 reliable way to tell exactly the OS (except some CSS bugs from now and
 then),
 > because there are so many other components that would have to change
 too,
 3) these elements can be changed too in the long term (search for a
 keyword that sounds like tbb-fingerprinting-os or something). We can have
 fantastic dreams, right?

 > and (b) because when Android enters the scene, they won't want to get
 served the non-mobile version of pages.
 Mobile vs desktop distinction is justifiable, and it entails nothing for
 the case we're dealing with here.

 Replying to [comment:4 gk]:
 > Not only is it more than confusing to get always a random .exe file
 offered for download even though you are not on Windows but things like
 Google apps were actually broken for macOS users (see:
 ​https://bugzilla.mozilla.org/show_bug.cgi?id=1405810)

 This is kinda ironic considering that logging into your Google account to
 use Google Docs with Tor is straight-up *impossible* unless one does the
 SMS verification - or partial de-anonymization to put it in another
 fashion (except for the folks who buy SMS boxes with Bitcoin). So we're
 doing trading-off a situation that only a very limited number of Mac OS
 (marketshare is low) *and* Tor users encounter for the global Tor populace
 (the reports come from a standard Firefox for a reason)? This is even more
 ironic considering the amount of voluntary breakage that Google makes on
 its websites and services for the standard Firefox and Firefox Mobile, let
 alone the Tor Browser (recent examples in mind: YouTube uses an old
 standard not implemented in Firefox which leads to 5-10sec of delay on
 Firefox vs Chrome, the Google search looked different for Firefox Mobile
 vs Chrome Mobile and would change with a simple UA change to Chrome
 Mobile's UA). In other words trading privacy for hostile Google's
 usability shouldn't be even on our imagination.

 (Another comment:) By the way this is a bad precedent from the great folks
 over there at Mozilla, first party isolation breaks a lot of websites -
 should we then whitelist it for those? Why should we treat first party
 isolation and fingerprinting resistance differently?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+---
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  duplicate
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---

Comment (by cypherpunks3):

 Replying to [comment:2 arma]:
 > This ticket makes a good point that the useragent is actually set to
 Windows in my about:config, so it sure looks like it's *trying* to set the
 useragent, it's just not actually setting it correctly (or using it).
 >
 > (I hear from the tor browser devs that they are no longer trying to lie
 about user agent, (a) because you can't actually convincing lie, because
 there are so many other components that would have to change too, and (b)
 because when Android enters the scene, they won't want to get served the
 non-mobile version of pages. But I think there are still some arguments in
 favor of setting the useragent to Windows for the desktop version: passive
 website logs only look at user-agent for one, and when the openbsd people
 get their Tor Browser going they'll sure stand out. Oh and a third reason
 is the flood of people who keep thinking there's a bug to report. :)

 The first issue is the most severe. I do not want to be the only person in
 the website logs who is shown as using Linux. The fix is so easy. Is there
 any way we can correct this? Should I be installing a browser extension to
 force the user agent?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+---
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  duplicate
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---

Comment (by cypherpunks3):

 Replying to [comment:2 arma]:
 > (I hear from the tor browser devs that they are no longer trying to lie
 about user agent, (a) because you can't actually convincing lie,
 1) Not everyone does OS detection with JS, so the trackers who use the UA
 only (i.e. without JS detection) are duped, 2) with JS disabled there's no
 reliable way to tell exactly the OS (except some CSS bugs from now and
 then),
 > because there are so many other components that would have to change
 too,
 3) these elements can be changed too in the long term (search for a
 keyword that sounds like tbb-fingerprinting-os or something). We can have
 fantastic dreams, right?

 > and (b) because when Android enters the scene, they won't want to get
 served the non-mobile version of pages.
 Mobile vs desktop distinction is justifiable, and it entails nothing for
 the case we're dealing with here.

 Replying to [comment:4 gk]:
 >  Not only is it more than confusing to get always a random .exe file
 offered for download even though you are not on Windows but things like
 Google apps were actually broken for macOS users (see:
 ​https://bugzilla.mozilla.org/show_bug.cgi?id=1405810)
 This is kinda ironic considering that logging into your Google account to
 use Google Docs with Tor is straight-up *impossible* unless one does the
 SMS verification - or partial de-anonymization to put it in another
 fashion (except for the folks who buy SMS boxes with Bitcoin). So we're
 doing trading-off a situation that only a very limited number of Mac OS
 (marketshare is low) *and* Tor users encounter for the global Tor populace
 (the reports come from a standard Firefox for a reason)? This is even more
 ironic considering the amount of voluntary breakage that Google makes on
 its websites and services for the standard Firefox and Firefox Mobile, let
 alone the Tor Browser (recent examples in mind: YouTube uses an old
 standard not implemented in Firefox which leads to 5-10sec of delay on
 Firefox vs Chrome, the Google search looked different for Firefox Mobile
 vs Chrome Mobile and would change with a simple UA change to Chrome
 Mobile's UA). In other words trading privacy for hostile Google's
 usability shouldn't be even on our imagination.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+---
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  duplicate
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---

Comment (by gk):

 Replying to [comment:2 arma]:
 > This ticket makes a good point that the useragent is actually set to
 Windows in my about:config, so it sure looks like it's *trying* to set the
 useragent, it's just not actually setting it correctly (or using it).

 That#s #26146.

 > (I hear from the tor browser devs that they are no longer trying to lie
 about user agent, (a) because you can't actually convincing lie, because
 there are so many other components that would have to change too, and (b)
 because when Android enters the scene, they won't want to get served the
 non-mobile version of pages. But I think there are still some arguments in
 favor of setting the useragent to Windows for the desktop version: passive
 website logs only look at user-agent for one, and when the openbsd people
 get their Tor Browser going they'll sure stand out. Oh and a third reason
 is the flood of people who keep thinking there's a bug to report. :)

 I don't think the third argument is a valid one. Just because an amount of
 (5?, 10?, 1.000?) X people think Y is a bug Y is a bug. The second one is
 neither valid: openbsd and other non macOS *NIXes get a Linux UA. There
 are only fixed UAs for Windows, macOS, Linux, and Android. So, this leaves
 the first one. Sure, there is a trade-off to be made here. While
 upstreaming (and before) we and Mozilla had reports that this US spoofing
 actually breaks Tor Browser. Not only is it more than confusing to get
 always a random .exe file offered for download even though you are not on
 Windows but things like Google apps were actually broken for macOS users
 (see: https://bugzilla.mozilla.org/show_bug.cgi?id=1405810)
 We had https://lists.torproject.org/pipermail/tbb-
 dev/2017-October/000642.html ff. for the discussion.
 So, I think at least for macOS the breakage is not worth the Windows UA.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+---
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:  duplicate
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+---
Changes (by sysrqb):

 * status:  new => closed
 * resolution:   => duplicate


Comment:

 There are some argument on #26146 about this. I'll close this as a dup,
 but please re-open if this is actually different.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+--
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by arma):

 This ticket makes a good point that the useragent is actually set to
 Windows in my about:config, so it sure looks like it's *trying* to set the
 useragent, it's just not actually setting it correctly (or using it).

 (I hear from the tor browser devs that they are no longer trying to lie
 about user agent, (a) because you can't actually convincing lie, because
 there are so many other components that would have to change too, and (b)
 because when Android enters the scene, they won't want to get served the
 non-mobile version of pages. But I think there are still some arguments in
 favor of setting the useragent to Windows for the desktop version: passive
 website logs only look at user-agent for one, and when the openbsd people
 get their Tor Browser going they'll sure stand out. Oh and a third reason
 is the flood of people who keep thinking there's a bug to report. :)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #27495 [Applications/Tor Browser]: Tor Browser 8.0 wrong user-agent

[Tor Bug Tracker & Wiki]

#27495: Tor Browser 8.0 wrong user-agent
--+--
 Reporter:  temp123   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by arma):

 * owner:  (none) => tbb-team
 * version:  Tor: unspecified =>
 * component:  - Select a component => Applications/Tor Browser


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs