This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

uMatrix 0.9.3.6 user-agent leak #771

Closed
kaliostro2 opened this issue Apr 26, 2017 · 17 comments

@kaliostro2

kaliostro2 commented Apr 26, 2017

I just accidentally discovered a leak of the real user-agent, which uMatrix is responsible for spoofing.

In order to reproduce the leak, it is necessary to:

1: Go to https://mega.nz
2: Open about:config in new tab and change dom.storage.enabled to false
3: Go back to the tab with https://mega.nz and you will see a window with an error and your real user-agent.

  • Windows 10 Enterprise x64 / Firefox 53 / uMatrix 0.9.3.6 (from MOA)
  • I use 20 different user-agents from https://techblog.willshouse.com/2012/01/03/most-common-user-agents/
  • Spoofing is always enabled and browserleaks.com shows that substitution occurred.
  • Other addons do not affect the problem in any way. I tried the clean version of Firefox 53 on Windows 10 and Firefox 45 ESR on Debian Jessie 8.7.1. Installed only uMatrix from MOA. The result is the same. I even tried uMatrix 0.9.9b12 from MOA.
@gorhill
Owner

gorhill commented Apr 26, 2017

Unable to reproduce. Your report lacks information and detailed steps to reproduce, so I went with my own steps:

  • Using Linux, Firefox Nightly, uMatrix 1.0.0.
  • Added Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0 to the list of user agent strings in the Privacy panel, commented out all other strings.
  • Set dom.storage.enabled to false in about:config.
  • Opened https://mega.nz/ in a new tab.
  • Ensured that the switch "User agent spoofing" is enabled for that site.

Result, the site thinks I am using Firefox 45 on Windows:


I will reopen if you make a better case that there is an issue. You failed to:

  • provide OS/Browser/uMatrix version
  • provide which user agent strings you are using for spoofing
  • provide assurance that you actually verified that spoofing is enabled
  • provide other information as to whether other extensions/browser settings may be interfering
  • provide detailed steps to reproduce

@kaliostro2
Author

Please reopen. I have described it in more detail. For me, this issue is a heartbleeding.

@gorhill gorhill reopened this Apr 26, 2017
@gorhill
Owner

gorhill commented Apr 26, 2017

Somebody else will have to investigate -- I can't investigate if I can't reproduce.

I suggest you use another user agent spoofing extension meanwhile.

@gorhill
Owner

gorhill commented Apr 26, 2017

Ok, I reproduce on FF53. Strangely, I can't reproduce on Nightly.

@gorhill
Owner

gorhill commented Apr 26, 2017

The site's Content Security Policy does not allow inline script tags; this means uMatrix's inline script tag to spoof window.navigator is not allowed to execute.

Unexpectedly, uMatrix's inline script works with Nightly. It's unclear whether this is by design or not, maybe Nightly allows inline script injected by extensions? (would make sense since they are trusted by the user).

@kaliostro2
Author

I confirm. Firefox 55 does not have this issue. Firefox 54 and below are affected.

@gorhill
Owner

gorhill commented Apr 26, 2017

I have a fix, but it's best called a "mitigation", it will work for this site, but there is no guarantee it will work for some other sites where there is a similar issue. It will work for this site because I created a fallback to data: URI to inject the script.

But in the end, the reality is that I am seriously considering removing UA spoofing, it gives a false impression of accomplishing something useful. Turns out countering fingerprinting has become quite an undertaking, and partially spoofing some navigator entries does not accomplish much -- I'd rather remove this clumsy feature borne out of experimental code years ago before I understood fully all that was at stake.

See for yourself using dev console, inspect window.navigator for whichever site for which the UA spoofer seems to work. You will see other entries in there not touched by uMatrix and which contradict entries touched by uMatrix.

In the end, UA spoofing and all other anti-fingerprinting mechanisms are best left to a specialized extension, and that will require a lot of work, this does not belong to a network request firewall like uMatrix.
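The CSP behaviour described in the comments above, as an added example that is not part of the thread or of uMatrix's code: it evaluates a policy to see whether an injected inline script, or the data: URI fallback, would be allowed to run. The policies are constructed for illustration, and it assumes the injected script is subject to the page's policy, as reported above for Firefox 54 and below.

```javascript
// Added example. Policies are constructed for illustration, not taken from any site.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function scriptInjectionOutcome(header) {
  const d = parseCsp(header);
  // <script> elements: script-src-elem, then script-src, then default-src.
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return { inline: true, dataUri: true }; // no script policy
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  return {
    // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
    inline: sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic,
    // data: must be listed explicitly; the "*" wildcard does not cover it.
    dataUri: sources.includes('data:') && !strictDynamic,
  };
}

// Which injection path, if any, would get a spoofing script into the page.
function injectionPath(header) {
  const { inline, dataUri } = scriptInjectionOutcome(header);
  if (inline) return 'inline';
  return dataUri ? 'data-uri-fallback' : 'blocked';
}

const SAMPLE_POLICIES = [ // constructed
  "script-src 'self' 'unsafe-inline'",
  "script-src 'self' data: blob:",
  "default-src 'self'; script-src 'self' https://cdn.example",
  "script-src 'nonce-abc123' 'unsafe-inline'",
  "img-src *",
];
for (const p of SAMPLE_POLICIES) console.log(injectionPath(p).padEnd(18), p);
```

The third and fourth policies are the case the comment warns about: neither the inline tag nor the data: URI fallback runs, so the page sees the real window.navigator.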

@kaliostro2
Author

No. Please. Don't remove UA Spoofing. I have not seen a good addon which could be given this job.

gorhill added a commit that referenced this issue Apr 26, 2017
@gorhill
Owner

gorhill commented Apr 26, 2017

> No. Please. Don't remove UA Spoofing.

It does not really prevent finding out which browser/OS you are using -- I'd rather remove it than mislead users into thinking the opposite. At the very least, the feature needs to be somewhere else than in the Privacy pane in the dashboard.

@kaliostro2
Author

:(

@kaliostro2
Author

kaliostro2 commented Apr 26, 2017

Tested all the add-ons specializing in UA Spoofing. They all have the above problem. I ask you to reconsider your decision and find a proper solution to the problem. I certainly understand that your main direction is uBlock Origin but still. Please forgive me for persistence.

@gorhill
Owner

gorhill commented Apr 26, 2017

The fix is in v1.0.1b0 on AMO dev channel.

@gorhill
Owner

gorhill commented Apr 28, 2017

@Atavic This issue is about user agent spoofing; what you linked to is about referrer spoofing. Can you open a new issue for this, with a reference to the blog post arguing why stripping out is better?

@Atavic

Atavic commented Apr 28, 2017

@gorhill Sure.

@Thorin-Oakenpants

Thorin-Oakenpants commented May 3, 2017

I'm sure you are aware that privacy.resistFingerprinting, as part of the Tor Uplift Project, will (hopefully) spoof UA (more thoroughly). That ticket will also hopefully close a few navigator and other holes. This is to lower entropy, and will only work in large numbers (and FF's base with that pref can do that) - the idea is to spoof as the latest ESR as per TBB does (i.e. not claiming to be chrome or something silly).

Ref:
https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
https://bugzilla.mozilla.org/show_bug.cgi?id=1333933

I wholeheartedly endorse that you drop the whole UA part for all the reasons you said. An earlier issue I raised (2 years ago?) was that JS did not match headers (fixed at the time by using UA JS Fixer or something add-on). Another issue raised by someone else was the real navigator values being leaked over iframes. The list goes on. There are so many "holes" and methods that add bits and raise entropy. I fully agree that this is left to a specialized extension and/or the Tor Uplift.

Just my 2cents :)

@SamHasler

> partially spoofing some navigator entries does not accomplish much ...
>
> See for yourself using dev console, inspect window.navigator for whichever site for which the UA spoofer seems to work. You will see other entries in there not touched by uMatrix and which contradict entries touched by uMatrix.

This is likely giving additional information with which to fingerprint users. i.e. if they see different UA for different requests they could assume µMatrix is installed.
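The contradiction discussed in the comments above, as an added self-audit example that is not part of the thread or of uMatrix's code: it compares the OS claimed by userAgent with the other navigator entries. The snapshots are constructed, and which fields a spoofer leaves untouched is an assumption.

```javascript
// Added example. Snapshots are constructed; in a browser, pass window.navigator.
const OS_PATTERNS = [
  ['android', /android/i], // tested before linux: Android UAs also contain "Linux"
  ['windows', /win(dows|32|64)/i],
  ['mac', /mac/i],
  ['linux', /linux|x11/i],
];

// Map a navigator string to a coarse OS family, or null if none is recognisable.
function osFamily(value) {
  if (typeof value !== 'string') return null;
  const hit = OS_PATTERNS.find(([, re]) => re.test(value));
  return hit ? hit[0] : null;
}

// List navigator entries whose OS family disagrees with the one in userAgent.
function findContradictions(nav) {
  const claimed = osFamily(nav.userAgent);
  const issues = [];
  for (const field of ['platform', 'oscpu', 'appVersion']) {
    const seen = osFamily(nav[field]);
    if (claimed && seen && seen !== claimed) {
      issues.push(`${field} says ${seen}, userAgent says ${claimed}`);
    }
  }
  return issues;
}

// The spoofed string is the one quoted earlier in the thread; the rest is assumed.
const SPOOFED_UA = 'Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0';
const partiallySpoofed = {
  userAgent: SPOOFED_UA,
  appVersion: '5.0 (Windows)', // assumed overridden
  platform: 'Linux x86_64',    // assumed left at the real value
  oscpu: 'Linux x86_64',       // assumed left at the real value
};
const consistent = {
  userAgent: SPOOFED_UA,
  appVersion: '5.0 (Windows)',
  platform: 'Win32',
  oscpu: 'Windows NT 6.1',
};

console.log(findContradictions(partiallySpoofed));
console.log(findContradictions(consistent));
```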

@Atavic

Atavic commented Nov 22, 2017

This is a common problem for every extension that tries to change the user-agent from inside the browser.

gorhill added a commit that referenced this issue Dec 1, 2017
The end result of the flawed UA spoofer was to accomplish the
OPPOSITE of the intended goal. UA spoofing for privacy purpose
turns out to be a whole complicated task on its own, and is
best undertaken as a separate dedicated extension -- assuming
it is possible at all.

In any case, this had no place in a "Privacy" section in uMatrix,
this was a bad idea to create this feature in the first place. It's
never too late to correct a bad idea, and this is the purpose of
this commit.
@gorhill gorhill closed this as completed Dec 1, 2017