Why can my operating system be detected with Mullvad/Tor Browser?

Continuing the discussion from Librewolf Browser (Firefox Fork):

Just to add that Google’s finger printing can discern what OS I am using when logging into gmail with mullvad(linux ofc) whereas they cannot with librewolf.

What? Mullvad Browser makes everyone look the same, it doesn’t matter what websites see.

There are only like, 3 operating systems people regularly use. It isn’t a fingerprintable metric.

It isn’t really possible to hide your operating system. You can have a uniform user agent like Librewolf has, but there are still many other ways for a website to detect your operating system, including via means the browser can never control. At the same time, hiding your OS in the user agent string will cause breakage in many websites, like websites that use keyboard shortcuts for example. This is a case of Librewolf not providing real protection, but making the browsing experience worse to check some boxes in generic fingerprinting tests.

Tor/Mullvad Browser does not make everybody look exactly the same,^[1] they make everybody fall into one of a small number of distinct buckets.

Anyway, long story short, all this means that not all Tor Browser users look the same - this is a phallacy. Tor Browser users instead should fit into as small a number of buckets overall as possible. The goal would be to get down to as little as e.g. 4 x OSes times 36 languages that we support times a dozen window startup sizes x 1 timezone x 1 version etc …

The question is “how many overall buckets of users are there?” - and the answer is no-one knows, because to get that we would need a large real-world study of one test per profile/browser. This would give us a general idea of how many buckets and the spread of users. The spread matters, because not all buckets are equal - someone using english on windows 11 is going to be more prevalent than someone using tibetan on linux, for example.

But what we do know is that we have made it extremely hard for a Tor Browser user to stick out. With advanced scripts, the bigger the crowd, the better the protection.

So yes, in effect there are probably hundreds of buckets a Tor user could fall into. This is obviously significantly better than the millions of completely unique buckets virtually every user of browsers other than TB/MB will fall into.

1. we often say this when comparing TB/MB to other browsers that don’t make any effort at all to create “buckets” of users, but it is an oversimplification ↩︎

If you use Tor Browser on a different language than English (US), then it offers you to change to English (US) to blend in better. I think everyone should do it if they understand English. Especially if you’re from a small country.

I think that this is less likely Google discerning anything by fingerprinting, and more likely relates different browsers advertising themselves differently (via user-agent header):

User Agents (Linux VM):

It’s interesting that Tor Browser chose to show a UA that indicates WIndows, and Mullvad chose to diverge from that. I wonder why? I have the impression that UA spoofing (of the OS) isn’t really effective as there are other ways to discern it, but I could be wrong.

Is this a Freudian Fallacy?

This was changed in last month’s release of Mullvad Browser 13.5, for the reason I explained above. Also more info here.

Tor will likely make the same change in Tor Browser 14.0, according to their issue tracker. Remember that Mullvad Browser tests changes like this before Tor Browser gets them.

Also note that in Tor Browser, navigator.userAgent in JavaScript already does share your operating system with the website, even though the request HTTP header doesn’t (yet):

2024-07-18 at 14.03.353024×2194 410 KB

You can test by running alert(window.navigator.userAgent); in the JS console on macOS or Linux as shown above.