Thread

Zero-JS Hypermedia Browser

Relays: 5
Replies: 11
Generated: 21:59:42

Replies (11)

I haven't followed this much, so I'm confused. Did they have a purported reason for removing spoofing, or is it just undeniably blatant corruption? Personally, I think Tor development has been compromised since the Jacob Appelbaum stuff.
2025-07-18 06:03:03 from 1 relay(s)
TOR browser now leaks your operating system. The privacy browser opted for compatibility over privacy. 😢 nostr:nevent1qqs0hj6g5da3ye2mezfq8d4lag7mp9ku8jmt43yga3hsprmd0ne6vaqpz4mhxue69uhkummnw3ezummcw3ezuer9wchsygrxsyng4nj8fr2p5n8uc8nyqphmjddmcdvhs2eajcglvn23ce6jmypsgqqqqqqsz9vy7y
2025-07-18 07:10:29 from 1 relay(s)
According to the Tor Project, proposals for this change were introduced in September 2024 with the Tor Browser 14.0a4 release, calling on the Tor community to provide feedback. They say they received very little feedback. You should add this to the timeline.
2025-07-18 10:08:16 from 1 relay(s)
The Tor Project gave several reasons for the change, but the most important detail is probably that even without this change, passive methods have always existed to determine the platform. In other words, even when platform spoofing in HTTP headers was still implemented, and even when JavaScript was disabled, it was still possible to determine what operating system a person was using. In other words, the only effects of OS spoofing in HTTP headers were creating problems for user experience and providing a false sense of OS anonymity.
2025-07-18 10:12:40 from 1 relay(s)
I found an article on the topic: https://proxidize.com/blog/passive-os-fingerprinting/ Essentially, browsers do not come packaged with their own low-level internet browsing code, AKA the TCP/IP stack. Instead they rely on the operating system's built-in features to connect to IP addresses. This code behaves differently between different browsers and so it results in an identifiable fingerprint. You can follow this link to see what it might look like: https://browserleaks.com/ip It sounds like this would be easy to solve. Just don't do that. Statically link OS-independent TCP/IP code to package it with the Tor Browser and ignore the OS's version entirely. I'm not sure what the problem with this would be, but my guess is that this would require bypassing important OS security features like firewalls and network interface drivers. I imagine that most operating systems would take issue with random userspace programs doing that, and Tor doesn't want to run as an administrator. I haven't tried to write any web servers or web clients, so I don't have any idea what is and isn't possible.
2025-07-18 16:35:43 from 1 relay(s)
I found this: https://discuss.privacyguides.net/t/sam-bent-tor-browser-s-latest-update-could-get-you-fingerprinted/26973/6 Basically, if you are asking whether the decision is intended to affect privacy somehow, it isn't. Really the deal is that TCP/IP connections look slightly different from each other depending purely on the operating system sending the data, so even with spoofed OS information in HTTP headers and even with JavaScript disabled, attackers can still passively identify the operating system. The Tor Project weakened their HTTP OS spoofing to fix some inconvenient behavior, but it's still nothing that couldn't be determined anyway.
2025-07-18 16:50:52 from 1 relay(s)