-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replacing Random Agent Spoofer (RAS) #1862
Comments
See #1815 for removal of RAS, #1852 for the PR that does it. Whether or not we add some extension with this general functionality, RAS needs to go. Personally I'm not too excited about using random agent strings at all. Do we have a discussion somewhere about what this actually adds relevant to PRISM-Break? |
See #1197 for a discussion on the topic, that’s the issue that introduced RAS in the first place. Note that RAS did a whole lot more than just change your UA string. I thought this was important at the time, and still think it is important now. Using a UA of a different browser while still exposing APIs unique to the browser you are using can lead to some very unique fingerprints. To actually “replace” RAS there needs to be some sort of feature parity. |
Replacing the user agent shouldn't be done now, and could be counter-productive too. Just enable the "privacy.resistFingerprinting" option in firefox and everybody will be Firefox 52.0 on Windows. |
Huh? Not sure what option you're talking about. (I know Mozilla has been working on upstreaming some Tor Browser patches; did that finally make it into some UI stuff? I don't see anything but I'm on an ESR build, soooo...) |
@2SI3NX I am one of the contributors for the extension in question and I believe your activity remark refers to one of my comments where I mentioned the original developer has recently slowed down his participation a bit, which is correct however the extension is relatively stable and generally works fine. There are currently two open issues which are related to potential data leakage, but they are not specific solely to that extension but are due to general core browser/platform limitations for now. |
@strugee It's not in the UI, just in the about:config page. I don't remember when it was added, so I don't know if you can see it in the current ESR. |
@anthologist gotcha. I'd tend to agree that it's probably not a good idea to muck with the User Agent. Since Firefox dropped legacy extensions I highly doubt there's a way to do this in a way that prevents all the fingerprinting problems we've been talking about. |
@neroux thanks and thats good to know as well. Can anyone say anything about this one: https://github.com/ray-lothian/UserAgent-Switcher ? |
@2SI3NX it appears it has the same problems we've been discussing. I'm closing this issue given #1862 (comment). |
@anthologist first of all, "privacy.resistFingerprinting" has nothing to do with the User Agent String, other than it changes the "displayed" version for firefox. So im not sure why you are even mentioning the "privacy.resistFingerprinting" option in the first place? @strugee and to those who oppose a User Agent String for privacy, it actually has more to do than just changing a displayed version for the user browsing. So there are no problems with any of these agent spoofers, the only dilemma originally described in here is which Agent Spoofer is better and more up to date these days, because many have been discontinued and many are not always updated. |
@2SI3NX the concern here is not that the addon doesn't resist fingerprinting - I get that it works as advertised. The concern is that these types of addons actively add to the fingerprinting problem. Addons for changing the User Agent are dangerous because it's an idea that intuitively seems really good for privacy, but actually is very bad. PRISM Break has never been about "just" listing projects. That's why we have the quality over quantity rule. I don't see how it's a good idea for us to recommend the most well-maintained way for unsuspecting users to shoot themselves in the foot. |
@strugee agreed that it doesn't resist fingerprinting, however why do you say that it adds to the fingerprinting problem if it actually changes most of the fingerprinting by spoofing it? Please specify a few examples of what it does by "adding" fingerprinting rather than "changing" it to spoof for privacy. |
@2SI3NX see #1862 (comment), but basically changing the UA doesn't actually prevent you from identifying the browser. That lets you determine that a spoofer is being run. "running <your real browser version> but with an extension spoofing the UA" is a pretty uncommon configuration and will significantly add to the uniqueness of your fingerprint. |
@2SI3NX I don't get your point, in this thread we're talking about an addon that changes your UA and that Firefox option "privacy.resistFingerprinting" DOES change the UA (and other things). "kind of pointless if you will be getting constant notifications from certain websites that your browser is too old." |
This could be used as an alternative:
https://github.com/tarampampam/random-user-agent
Although not sure how stable it is. I also read somewhere that the dev is not that active sometimes.
If anyone has any alternative to RAS, please specify here
The text was updated successfully, but these errors were encountered: