I’ve generally been a fan of Sam Bent’s takes, though not all (e.g. I use VPN and Tor when in using identities with higher threat models but he isn’t a fan for reasons I won’t get into but disagree with).
That said, I’d like to do a vibe check on this one with the community and specifically anyone who might know a plausible explanation for why the Tor project made this move.
Update: Perhaps this linked Issue is part of addressing a compatibility bug but requires the removal of defaults. Looks like you still can set it to the previous functionality if compatibility wasn’t a problem. Sam argues this goes against the conventional design approach of (don’t touch the settings).
I’m only guessing here from titles since the Tor project doesn’t do much explaining on these issues/PRs.
I see why he is getting worried, but he’s missing what the change actually is. Before, js and http headers were reporting different user agents, now they are reporting the same, with the OS taken from a list of 4 possible values (the part he’s missing). So all the QubeOS, OpenBSD and exotic distro getting trivially fingerprinting, that’s not actually right. All Windows are W10, all Android are Android 10, all MacOS are OS X 10.15, and everything else (including BSD) is a Linux running X11.
before, that would show as Windows 10 in the headers, and Linux with X11 in javascript (assuming js is enabled), now that would be Linux with X11 for both.
YouTubers not understanding browser fingerprinting (among many, many other things) is a scourge in the privacy space. Thorin is perhaps the expert when it comes to browser fingerprinting, and Bent doesn’t even know his name in this video.
Around 6:34 Bent’s claim that Tor developers wanting to encourage consistency is “in no way […] some kind of security argument” is beyond ridiculous, when consistency is the entire point of the Tor Browser. Giving “experienced users” (8:42) the option to decide what they want to do in this situation would place them in significant danger because their spoofing would ensure their browser is no longer aligned with anyone else’s.
The operating system is essentially always detectable in Tor Browser. Even with JS disabled, you can detect it through CSS, it’s impossible to solve unless you completely break websites in the process. If this guy had his way then there would be “experienced users” on Linux spoofing their user agent to look like Windows, meaning that malicious website operators could narrow down on them as the only people in the Tor ecosystem on Linux (because again, it’s detectable!) with a Windows user agent.
Anyways, I will +1 @fdb_hiroshima’s response above. This change does not meaningfully impact fingerprinting in Tor Browser, don’t let random internet creators tell you otherwise.
This is why I donate to community forums. Challenging this type of info can be difficult with lack of time and huge learning curve it would take for me to grasp the intricacies of finger printing to refute one way or the other. At some level we need forums like these to crop up around many different areas of expertise to provide fact-checking consensus on potential populist hype preaching.
Regarding the well-meaning, but inaccurate claims in the video, we’re offering this clarification on how user agent protection works in Tor Browser. To support informed discussion, here’s what actually changed, and what hasn’t changed.
We are still protecting user agents: Tor Browser has always limited user agents to general categories: Windows, macOS, Linux, or Android in JavaScript, and Windows or Android in HTTP Headers. That means we spoof the OS version and architecture, which was always the approach in JavaScript–now it’s consistent in HTTP headers too.
Any OS info shown in the user agent does not expose any new information that wasn’t already present with JavaScript. With JavaScript disabled, entropy is already greatly reduced (self-information: e.g. the thousands of JavaScript derived metrics) and even without this change, passive methods have always existed to determine the platform. In fact, asymmetric user agent spoofing triggered anti-fraud and bot-detection scripts breaking websites without added privacy benefits.
Proposals for this change were introduced in September 2024 with
the Tor Browser 14.0a4 release, calling on the Tor community to provide feedback. We received very little feedback and implemented the change.
Tor Browser still offers one of the strongest privacy and anonymity protections for web browsing.
So do you think the risk of this happening (which this change now prevents) is greater than the risk posed by HTTP user agent strings being stored by most standard webserver access logs?
I would agree it probably is, for the record, but I didn’t find conversations where that discussion was actually resolved, and I can see why people who browse in Safest mode could be concerned.
Depending on who you are concerned about. I live in the US and use it with little issue with my ISP seeing I use Tor. I VPN to my house when I’m in public so same thing. The US only has two ISPs and they both report to our gov.
I think it’s usage is becoming more common based on hearsay but no metrics.
That said, if you don’t want your ISP or public networks to know you’re Torin it up, then use Mullvad VPN.
This should be obvious knowledge to anyone who looked into the specifics of for example how Arkenfox worked in the past. As such, of course this change does not make anything worse, the opposite rather.
Oh, mobile carriers, yeah that is true (well, there’s 5 because US Cellular and Boost have their own towers, and 6 if you count Starlink).
When I hear ISPs I think of traditional residential ISPs. There are a lot more individual fiber operators in the US (at least 9 that are nationwide, and thousands+ on a local level).
how so?