Tor Browser 14.0a4 is now available from the Tor Browser download page and also from our distribution directory.
This version includes important security updates to Firefox.
We would like to thank the following community members for their contributions to this release:
If you would like to contribute, our contributor guide can be found here.
Historically, Tor Browser has spoofed the browser user agent found in HTTP headers, while not spoofing the user agent returned by the Navigator.userAgent property in JavaScript. The logic behind the HTTP header spoofing was to prevent passive tracking of users' operating system by websites (when using the 'Safest' security level) and by malicious exit nodes (or their upstream routers) passively listening in on unencrypted HTTP traffic. We left the JavaScript query intact for the purposes of website compatibility and usability. We also left it enabled because there are already many ways of detecting a user's real operating system when JavaScript is enabled (e.g. via font enumeration).
With Tor Browser 14.0a4, we have introduced the boolean preference privacy.resistFingerprinting.spoofOsInUserAgentHeader. When this pref is set to true (which is currently the default), Tor Browser will follow the previously described legacy behaviour. However, if you set this preference (accessible in about:config) to false, Tor Browser will never spoof the user agent and will report your operating system family (i.e. Windows, macOS, Linux, or Android) when requested. We are considering changing Tor Browser to make this the new default behaviour.
So, why are we considering making this change? Basically, asymmetrically spoofing the user agent causes website breakage, seemingly due to bot-detection scripts. And (in our analysis) it also provides only a negligible amount of benefit to the user in terms of additional linkability (i.e. cross-site tracking, fingerprinting) protections, and only then when JavaScript is disabled. Tor Browser's default HTTPS-Only mode (and much of the web having moved to HTTPS) has also significantly reduced the utility of passively sniffing HTTP traffic for user agents.
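To make the asymmetry concrete, here is an added example (not Tor Project code) that models what a site-side consistency check sees under each state of the preference. The user-agent strings and the assumption that the spoofed header reports Windows are constructed for the example, not taken from Tor Browser.

```javascript
// Added example (not Tor Project code): models the user-agent asymmetry the
// post describes. A site that compares the OS family in the HTTP User-Agent
// header with the one navigator.userAgent reports sees a mismatch under the
// legacy behaviour, which is the kind of signal bot-detection scripts act on.
'use strict';

// Map a user-agent string to one of the OS families the post lists.
function osFamily(ua) {
  if (/Android/.test(ua)) return 'Android'; // before Linux: Android UAs may also say "Linux"
  if (/Windows NT/.test(ua)) return 'Windows';
  if (/Mac OS X/.test(ua)) return 'macOS';
  if (/Linux/.test(ua)) return 'Linux';
  return 'Unknown';
}

// Server-side style check: does the header UA agree with the JS-reported UA?
function userAgentConsistent(headerUa, jsUa) {
  return osFamily(headerUa) === osFamily(jsUa);
}

// Constructed sample strings per OS family (version numbers are placeholders).
const SAMPLE_UA = {
  Windows: 'Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0',
  macOS:   'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0',
  Linux:   'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
  Android: 'Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0',
};

// Model the two pref states. Assumption (constructed for this example): with
// spoofing on, the header always claims Windows while JS reports the real OS.
function simulate(spoofOsInUserAgentHeader, realOs) {
  const jsUa = SAMPLE_UA[realOs];
  const headerUa = spoofOsInUserAgentHeader ? SAMPLE_UA.Windows : jsUa;
  return { headerUa, jsUa, consistent: userAgentConsistent(headerUa, jsUa) };
}

// Walk every family through both pref states and summarise what a site sees.
function summary() {
  const rows = [];
  for (const pref of [true, false]) {
    for (const os of Object.keys(SAMPLE_UA)) {
      const r = simulate(pref, os);
      rows.push(`spoof=${pref} real=${os}: header=${osFamily(r.headerUa)} js=${osFamily(r.jsUa)} consistent=${r.consistent}`);
    }
  }
  return rows;
}

summary().forEach((line) => console.log(line));
```

With spoofing on, only a real Windows user looks consistent; every other family produces the header/JS mismatch that the post attributes website breakage to.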
We would be very curious to hear from users and domain experts as to whether user agent spoofing is providing any other privacy benefits. In the meantime, disabling spoofing is available to users on an opt-in basis. For more information and to join the conversation, please see the Gitlab ticket tor-browser#42467.
We have sufficiently reduced the size of our APKs for the x86 and x86_64 releases on Google Play. However, this comes at the expense of the conjure pluggable transport and the (currently unused on Android) GeoIP database. Long-term we will need to find additional savings to ship feature-complete releases for these platforms.
We have 127 remaining upstream Bugzilla issues to review and potentially develop patches for.
This work can be tracked in this Gitlab query.
If you find a bug or have a suggestion for how we could improve this release, please let us know.
The full changelog since Tor Browser 14.0a3 is:
privacy.spoof_english still works once we have Android builds