Historically, Tor Browser has spoofed the browser user agent found in HTTP headers, while not spoofing the user agent returned by the
Navigator.userAgentproperty in JavaScript. The logic behind the HTTP header spoofing was to prevent passive tracking of users’ operating system by websites […] So, why are we considering making this change? Basically, asymetrically spoofing the user agent causes website breakage seemingly due to bot-detection scripts. And (in our analysis) it also provides only a negligible amount of benefit to the user in terms of additional linkability (i.e. cross-site tracking, fingerprinting) protections, and only then when JavaScript is disabled. Tor Browser’s default HTTPS-Only mode (and much of the web having moved to HTTPS) has also significantly reduced the utility of passively sniffing HTTP traffic for user agents as well.
strange that user agent spoofing triggers bot detection scripts. how do they know when we’re spoofing?
They know, because user agent is not the only way to determine the OS with JavaScript.
So if you look at the user agent and JavaScript, and see a mismatch OS, you can infer the user is lying and use those parameters to block them.
It’s probably not too different unless you block javascript, anti fingerprinting wise.
Tor devs previously said they didn’t do it because of usability concerns on macOS. Browser Fingerprinting: An Introduction and the Challenges Ahead | The Tor Project
I think that the total number of tor network users are 2 million. This includes people using tor browser and orbot, onion browser, etc. The number of Tor users on each desktop platform is probably in the few hundreds of thousands or less. I hope this is enough of a crowd