Tor browser got rid of the user-agent proofing in HTTP header.
Video by Sam Bent - YouTube
I’m not super technical on how fingerprinting solutions work for certain browsers and I don’t use Tor. However, I’m aware that many users on this forum do. I’m curious to know what you think the impact of removing this feature will be?
I don’t know who Sam Bent is, some of his concerns seem reasonable, but it appears he has a somewhat limited understanding of the topic he is discussing and is misunderstanding some fundamentals aspects.
I’d encourage you to read the thread that @GorujoCY linked to, but I’ll highlight a few relevant comments from that thread here, since I know not everyone will click through:
I see why he is getting worried, but he’s missing what the change actually is. Before, js and http headers were reporting different user agents, now they are reporting the same, with the OS taken from a list of 4 possible values (the part he’s missing). So all the QubeOS, OpenBSD and exotic distro getting trivially fingerprinting, that’s not actually right. All Windows are W10, all Android are Android 10, all MacOS are OS X 10.15, and everything else (including BSD) is a Linux running X11.
YouTubers not understanding browser fingerprinting (among many, many other things) is a scourge in the privacy space. Thorin is perhaps the expert when it comes to browser fingerprinting, and Bent doesn’t even know his name in this video.
Around 6:34 Bent’s claim that Tor developers wanting to encourage consistency is “in no way […] some kind of security argument” is beyond ridiculous, when consistency is the entire point of the Tor Browser. Giving “experienced users” (8:42) the option to decide what they want to do in this situation would place them in significant danger because their spoofing would ensure their browser is no longer aligned with anyone else’s.
The operating system is essentially always detectable in Tor Browser. Even with JS disabled, you can detect it through CSS, it’s impossible to solve unless you completely break websites in the process. If this guy had his way then there would be “experienced users” on Linux spoofing their user agent to look like Windows, meaning that malicious website operators could narrow down on them as the only people in the Tor ecosystem on Linux (because again, it’s detectable!) with a Windows user agent.
Anyways, I will +1 @fdb_hiroshima’s response above. This change does not meaningfully impact fingerprinting in Tor Browser, don’t let random internet creators tell you otherwise.
Regarding the well-meaning, but inaccurate claims in the video, we’re offering this clarification on how user agent protection works in Tor Browser. To support informed discussion, here’s what actually changed, and what hasn’t changed.
We are still protecting user agents: Tor Browser has always limited user agents to general categories: Windows, macOS, Linux, or Android in JavaScript, and Windows or Android in HTTP Headers. That means we spoof the OS version and architecture, which was always the approach in JavaScript–now it’s consistent in HTTP headers too.
Any OS info shown in the user agent does not expose any new information that wasn’t already present with JavaScript. With JavaScript disabled, entropy is already greatly reduced (self-information: e.g. the thousands of JavaScript derived metrics) and even without this change, passive methods have always existed to determine the platform. In fact, asymmetric user agent spoofing triggered anti-fraud and bot-detection scripts breaking websites without added privacy benefits.
Proposals for this change were introduced in September 2024 with the Tor Browser 14.0a4 release, calling on the Tor community to provide feedback. We received very little feedback and implemented the change.
Tor Browser still offers one of the strongest privacy and anonymity protections for web browsing.
I don’t agree with this conclusion and don’t get why anyone would, tbh. First, tracking methods these days are more advanced than leveraging basic http headers - on the contrary, spoofing http headers contradicting all other fingerprinting results might get you even more flagged. Also, if you use tor, https only should be in enforce mode as your default - http header spoofing doesn’t do much in this case anyway. I don’t know why Sam Bent (?) makes such a thing out of it to be honest
(edit: fixed typo)