Replacing Random Agent Spoofer (RAS)

[ghost]

This could be used as an alternative:
https://github.com/tarampampam/random-user-agent

Although not sure how stable it is. I also read somewhere that the dev is not that active sometimes.
If anyone has any alternative to RAS, please specify here

[alerque]

See #1815 for removal of RAS, #1852 for the PR that does it.

Whether or not we add some extension with this general functionality, RAS needs to go.

Personally I'm not too excited about using random agent strings at all. Do we have a discussion somewhere about what this actually adds relevant to PRISM-Break?

[Zegnat]

Do we have a discussion somewhere about what this actually adds relevant to PRISM-Break?

See #1197 for a discussion on the topic, that’s the issue that introduced RAS in the first place.

Note that RAS did a whole lot more than just change your UA string. I thought this was important at the time, and still think it is important now. Using a UA of a different browser while still exposing APIs unique to the browser you are using can lead to some very unique fingerprints. To actually “replace” RAS there needs to be some sort of feature parity.

[anthologist]

Replacing the user agent shouldn't be done now, and could be counter-productive too. Just enable the "privacy.resistFingerprinting" option in firefox and everybody will be Firefox 52.0 on Windows.

[strugee]

Just enable the "privacy.resistFingerprinting" option in firefox and everybody will be Firefox 52.0 on Windows.

Huh? Not sure what option you're talking about. (I know Mozilla has been working on upstreaming some Tor Browser patches; did that finally make it into some UI stuff? I don't see anything but I'm on an ESR build, soooo...)

[neroux]

@2SI3NX I am one of the contributors for the extension in question and I believe your activity remark refers to one of my comments where I mentioned the original developer has recently slowed down his participation a bit, which is correct however the extension is relatively stable and generally works fine. There are currently two open issues which are related to potential data leakage, but they are not specific solely to that extension but are due to general core browser/platform limitations for now.

[anthologist]

@strugee It's not in the UI, just in the about:config page. I don't remember when it was added, so I don't know if you can see it in the current ESR.

[strugee]

@anthologist gotcha. I'd tend to agree that it's probably not a good idea to muck with the User Agent. Since Firefox dropped legacy extensions I highly doubt there's a way to do this in a way that prevents all the fingerprinting problems we've been talking about.

[ghost]

@neroux thanks and thats good to know as well.

Can anyone say anything about this one: https://github.com/ray-lothian/UserAgent-Switcher ?
Seems like it works well if you choose your string to display.

[strugee]

@2SI3NX it appears it has the same problems we've been discussing.

I'm closing this issue given #1862 (comment).

[ghost]

@anthologist first of all, "privacy.resistFingerprinting" has nothing to do with the User Agent String, other than it changes the "displayed" version for firefox. So im not sure why you are even mentioning the "privacy.resistFingerprinting" option in the first place?
Besides, having the displayed version for Firefox change to 52.0 is kind of pointless if you will be getting constant notifications from certain websites that your browser is too old.

@strugee and to those who oppose a User Agent String for privacy, it actually has more to do than just changing a displayed version for the user browsing.
The purpose of User Agent Random Spoofer or any User Agent "changer" is there to change a lot more options NOT to completely remove fingerprinting(because that is actually impossible from the number of shit mozilla creates to call home), such as showing if you are on Windows, Using Chrome, Using Android, etc. for obvious privacy reasons that a user chooses to change to.
If you want to disable fingerprinting problems that should be a separate addon and a separate issue

So there are no problems with any of these agent spoofers, the only dilemma originally described in here is which Agent Spoofer is better and more up to date these days, because many have been discontinued and many are not always updated.

[strugee]

@2SI3NX the concern here is not that the addon doesn't resist fingerprinting - I get that it works as advertised. The concern is that these types of addons actively add to the fingerprinting problem. Addons for changing the User Agent are dangerous because it's an idea that intuitively seems really good for privacy, but actually is very bad.

PRISM Break has never been about "just" listing projects. That's why we have the quality over quantity rule. I don't see how it's a good idea for us to recommend the most well-maintained way for unsuspecting users to shoot themselves in the foot.

[ghost]

@strugee agreed that it doesn't resist fingerprinting, however why do you say that it adds to the fingerprinting problem if it actually changes most of the fingerprinting by spoofing it? Please specify a few examples of what it does by "adding" fingerprinting rather than "changing" it to spoof for privacy.

[strugee]

@2SI3NX see #1862 (comment), but basically changing the UA doesn't actually prevent you from identifying the browser. That lets you determine that a spoofer is being run. "running <your real browser version> but with an extension spoofing the UA" is a pretty uncommon configuration and will significantly add to the uniqueness of your fingerprint.

[anthologist]

@2SI3NX I don't get your point, in this thread we're talking about an addon that changes your UA and that Firefox option "privacy.resistFingerprinting" DOES change the UA (and other things).

"kind of pointless if you will be getting constant notifications from certain websites that your browser is too old."
This is unrelated to the subject, the user decides what he prefers.