What's up everyone? So recently the Tor Project, or to put it more accurately, a few developers working there, made a decision that was, to say the least, surprising. It caught the attention of a lot of privacy advocates, security professionals and darknet users, criminals and non-criminals alike. The ones I talked to were fairly surprised, and some were concerned. To be blunt, with the move these developers made, the Tor Project gave off the appearance that it abandoned one of its most important privacy protections.
And if you ask, well, they must have had a reason, right? Well, it wasn't because the feature was broken, and it wasn't because it caused instability or conflicted with something vital. They removed it because they wanted to and because they could. This month, with the release of Tor Browser 14.5, the developers permanently removed the operating system spoofing feature.
This feature was designed to make every Tor user look identical in their HTTP headers, and that uniformity is a foundational part of the Tor privacy model. Now it's gone. So how did this happen? Historically, Tor Browser spoofed your operating system in the HTTP User-Agent header, so everyone looked like they were on Windows regardless of whether they were actually on macOS, Linux or anything else.
That was absolutely intentional. It made you part of the crowd. It gave you camouflage.
It reduced your identifiable traits and made sure users blended together in the uniformity of a crowd. Now you might be thinking, it's just one setting, how much could it really matter? The answer is that it does matter, and I think it matters a lot. Maybe you'll disagree, but this is my opinion. Think about trying to identify a single person out of the entire world. If all you know is that the target is a human being, that's one out of 8 billion.
Then I tell you the target is a man, and you've instantly cut the pool in half. Now say he lives in the United States, and you're down to something like 165 million. He lives in New Mexico, and that brings it to about 1 million.
Then we say he's in his 50s, and now he's one of about 130,000. He has one biological child: 32,000. A master's degree or higher: roughly 6,500. He works in education: 500. He has a secondary source of income: maybe 150.
And finally, if he recently made a major life change following a health issue, you're down to roughly a dozen people. That's the power of metadata. It's no joke, which is why it's a serious thing and is taken seriously. Nine vague details narrowed 8 billion people down to 12.
That's a reduction of better than 99.99999 percent, and on average each attribute cut the remaining pool by more than 80 percent. For another perspective, imagine the distance from the Earth to the sun represents the global population.
That's 93 million miles in total. The final dozen candidates would occupy about 740 feet of it, roughly a tenth of a mile, and a single person about 60 feet. So when we talk about reducing entropy in Tor Browser, we're talking about eliminating the tiny clues that can be used to identify someone, and that's important. OS spoofing used to be one of those shields.
The change didn't happen all at once. It was gradual, it was definitely intentional, and it was backed by rationalizations I don't agree with. Let's see if you do. Back in October 2024, when Tor Browser 14.0 was released, developer Thorton opened issue 43170, stating: "privacy.resistFingerprinting.spoofOsInUserAgentHeader should be false in Tor Browser 14+. The original intent of 42647 was that we turn off spoofing OS, and ESR changes are the perfect time to do it."
Despite suggestions that users should have the option to keep the feature, which another developer raised by saying "The intent was to allow an opt-in for users," Thorton explicitly shut the idea down: "First, we are meant to discourage users from changing settings in about:config, and a non-advertised pref is not going to do it, especially as opt-in to turn it off. Might as well do nothing." It didn't stop there. He continued: "Second, this is a compatibility issue with real-world consequences and no entropy changes in Safer/Standard. So it's a no-brainer.
Third, by adding a switch, you are allowing entropy to increase, which is antithetical to the mission. Fourth, this has been baked into Mullvad Browser for six months or more. Fifth, and finally, the only question remaining was if we wanted to do anything in Safest mode, i.e. revert to spoofing the OS. But in my opinion, it's not worth it. In Safest mode, the amount of entropy is already reduced by 95%.
No JavaScript." So you can see this is a deliberate design shift, driven by the belief that user control introduces too much variability, which the developers framed as a threat to consistency.
But discouraging users from changing about:config preferences because of their non-advertised status is in no way a security argument. I'd call it an authoritarian one, the kind I could definitely hear Microsoft making. The spoofing feature didn't introduce fingerprinting risk.
It mitigated it, in large part by creating uniformity in HTTP headers when JavaScript was disabled, which, keep in mind, is a critical condition in high-threat environments and something that essentially anyone who knows what they're doing does when they use Tor. Removing the feature doesn't win anything. It exposes users. The problem wasn't that the setting created entropy; it was that some developers decided entropy control itself should no longer be available to users. And I'm sorry, man, that's not a simplification.
In effect, the project moved from safeguarding edge cases in anonymity to enforcing a lowest-common-denominator experience that just happens to be easier to test. Their logic effectively says that because spoofing can't fool everything, it shouldn't fool anything.
And I, for one, disagree with that. That's not threat modeling at all. In fact, to me it sounds a lot like defeatism in disguise.
Disguised as engineering. Then in April 2025, with the release of Tor Browser 14.5, developer Morgan submitted issue 43189, which removed the entire OS spoofing code base, saying: "With 43170, we are no longer spoofing user agents in any of our browsers. We can therefore remove the relevant machinery from Firefox altogether." Now even experienced users were stripped of the option to decide for themselves.
There was no opt-in, no fallback and no edge-case support, which, again, is something they're kind of known for. And this was done despite warnings from more security-conscious contributors, like this one: "Before merge, I think we should consider keeping that preference to allow users to opt in, or make it default in Safest mode to defend against passive fingerprinting. My concern is passive fingerprinting in case of server seizure. The server logs can reveal more information about the user to the adversary."
Now, they said there was a mismatch between what JavaScript reported and what the HTTP headers said. And instead of fixing the issue, or trying to fix it, whether by fixing the JavaScript side or by keeping spoofing where JavaScript is disabled, they just killed the whole thing. They also claimed the entropy impact was negligible. Pier said: "1 million total users: 600,000 Windows, 200,000 Linux, 200,000 macOS. 1.37 bits of entropy. It isn't much at all."
But that only works if you assume all users fall into that simple split: 60% Windows, 20% Linux, 20% macOS.
Three groups in a 60/20/20 split come out to about 1.37 bits of entropy, which is the number Pier gave (three equal groups would be about 1.58 bits). But here's the actual issue: that number is an average, and it only describes you if you're actually in one of those three big groups.
If you're not, for example if you're on something uncommon like Qubes or OpenBSD, you're not part of the average, you're an outlier, and outliers are exactly what's easy to spot. One nuance worth knowing: the User-Agent names the platform, not the distribution, so a Qubes user shows up as a Linux user, while OpenBSD is named outright; the smaller the group the header puts you in, the more it gives away. If only 0.1% of Tor users fall into your group, then spotting that group gives an observer almost ten bits of entropy about each of its members. That means you're more unique.
That means you're more distinguishable and far easier to track across sessions or services, and that's a really big fingerprint to carry. So when Pier says it isn't all that much, he's only talking about the most generic users. If you're running a hardened OS specifically to avoid being profiled, this change just made you stick out like a flare. And that is exactly backwards from how privacy tools should work. The users who are doing things right, disabling JavaScript, running hardened systems, reducing browser attack surface, are now punished with more exposure because someone else decided they wanted simplicity.
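Added example (not part of the video, and not code from the Tor Project): a short Python script that puts numbers on both the metadata narrowing chain above and Pier's 60/20/20 estimate, and shows why a population average hides the cost to a rare user. The pool sizes are the ones used in the narrowing story, the 1,000,000-user split is Pier's illustration, and the 1,000-user Qubes group is an assumption chosen to represent a 0.1% platform.

```python
import math
from typing import Dict, List, Sequence

# Constructed from the narrowing chain above: candidate pool before and after
# each of the nine attributes (man, US, New Mexico, 50s, one child, master's,
# education, second income, health change).
POOL_SIZES = [8_000_000_000, 4_000_000_000, 165_000_000, 1_000_000,
              130_000, 32_000, 6_500, 500, 150, 12]

# Pier's illustrative split of a hypothetical 1,000,000 Tor Browser users.
TOR_OS_SPLIT = {"Windows": 600_000, "Linux": 200_000, "macOS": 200_000}


def narrowing_bits(pool_sizes: Sequence[int]) -> List[float]:
    """Bits gained at each narrowing step, log2(before / after).

    Bits add, so the total is log2(first / last) regardless of the order in
    which the attributes were learned.
    """
    return [math.log2(before / after)
            for before, after in zip(pool_sizes, pool_sizes[1:])]


def total_bits(pool_sizes: Sequence[int]) -> float:
    return sum(narrowing_bits(pool_sizes))


def shannon_entropy_bits(counts: Dict[str, int]) -> float:
    """Average bits an observer learns from the OS token across all users.

    This is the population-level figure quoted as 'how much entropy the
    header adds'. Empty groups are skipped.
    """
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total)
                for n in counts.values() if n)


def surprisal_bits(os_name: str, counts: Dict[str, int]) -> float:
    """Bits the OS token reveals about one specific user in the named group.

    surprisal = log2(total / group size). A member of a tiny group gives up
    far more than the average suggests.
    """
    total = sum(counts.values())
    return math.log2(total / counts[os_name])


def with_group(counts: Dict[str, int], os_name: str, n: int) -> Dict[str, int]:
    """Copy of counts with an extra group added (e.g. an assumed Qubes share)."""
    new = dict(counts)
    new[os_name] = new.get(os_name, 0) + n
    return new


if __name__ == "__main__":
    print(f"narrowing chain: {total_bits(POOL_SIZES):.1f} bits over "
          f"{len(narrowing_bits(POOL_SIZES))} attributes")
    print(f"60/20/20 split: {shannon_entropy_bits(TOR_OS_SPLIT):.2f} bits on average")
    # Assumed 1,000 Qubes users (0.1%) added to Pier's million.
    split = with_group(TOR_OS_SPLIT, "Qubes", 1_000)
    print(f"with 0.1% Qubes: average {shannon_entropy_bits(split):.2f} bits, "
          f"Windows user {surprisal_bits('Windows', split):.2f} bits, "
          f"Qubes user {surprisal_bits('Qubes', split):.2f} bits")
```

Run it and compare the two figures for the enlarged split: adding a 1,000-user group barely moves the average (1.37 to 1.38 bits), while each member of that group gives up about 10 bits. That gap between the average and the individual surprisal is the whole argument.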
They also tried to invoke HTTPS, saying: "It's useful only when using a proxy. For Firefox or Mullvad Browser it doesn't make sense, as an actor that eavesdrops cleartext HTTP requests will likely see TCP as well, and will likely be able to detect your OS anyway." However, HTTPS doesn't prevent server-side logs from capturing User-Agent strings. If a hidden service is seized or surveilled, the OS data in those logs becomes a targeting vector. And over Tor, the TCP connection a server sees is opened by a Tor relay, not by your machine, so passive TCP fingerprinting tells it about the relay's network stack, not yours. The fact that passive TCP OS fingerprinting exists elsewhere doesn't justify voluntarily exposing the operating system in headers.
Tor Browser already warns users before they access about:config, yet the devs chose to remove the capability because some users might misuse it. Mind you, if some people did misuse it, they'd be the ones paying the ultimate price, not some developer who volunteers for or gets paid by the project. I have no idea which it is, by the way, and I really don't care.
At the end of the day, I care about the decisions that get made on stuff like this. They also claim spoofing causes occasional breakage. But instead of isolating those breakages or letting users toggle the behavior, they stripped it out. And yes, Mullvad Browser is affected too.
So what does this actually mean for users? If you're running JavaScript, which you shouldn't be, your operating system is now revealed in two separate ways: first through your HTTP headers, and second through what JavaScript APIs can detect about your environment. Those two data points now match, which means your browser sends a consistent fingerprint that can be used to correlate your visits across different websites, even over Tor.
For example, the navigator.userAgent string in JavaScript might say you're on Linux, and now the HTTP header will confirm it. Before, the header said Windows no matter what OS you were actually on, and that mismatch acted as noise, an intentional distortion that confused fingerprinting scripts. Now that both vectors line up, the fingerprint becomes more precise.
And any surveillance system that sees both gets a stronger signal about who you are. In technical terms, this removes a layer of obfuscation. Fingerprinting is about correlation, like the narrowing example we went through before.
The more unique identifiers your adversary collects, the better their ability to figure out who you are. If a server sees that you're using Linux-specific fonts and now knows the OS claimed in your headers agrees with that and stays stable from one site to the next, you become easier to recognize and track, even behind Tor. These traits accumulate just like the identifiers we looked at initially, and they make you stand out. That's the core of the issue: every removed layer of spoofing sharpens your adversary's tools.
And if you're using Safest mode with JavaScript disabled, good job, first off. In that case your browser should be leaking the least amount of data possible.
That used to be the entire point of that mode. Disabling JavaScript removes a ton of attack surface, and it means no canvas fingerprinting, no hardware enumeration and no JavaScript-level OS detection. In that state, the HTTP headers were one of the only remaining ways your browser could accidentally identify you. Previously, OS spoofing covered this and made sure that even in Safest mode your User-Agent header always said Windows, regardless of what system you were actually using. That meant users on Linux, Qubes or BSD didn't stand out from the crowd. That fallback is gone; Tor Browser no longer spoofs the OS in the User-Agent string at all.
So when you disable JavaScript and think you're covered, you're not. The OS fingerprint leaks through your headers, and any seized hidden service can use its logs to help narrow down who was connecting to it. If you're one of the 0.1% of users on Qubes OS like me, and you think that because you're in Safest mode you're anonymous, the HTTP headers alone out you to some degree.
It doesn't matter that your screen resolution is hidden or that your JavaScript fingerprint is blank. Your operating system is already enough to make you stand out. That used to be covered, and it isn't anymore. Pretending that Safest mode still protects against passive fingerprinting is now just security theater on the developers' part.
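Added example, not code from the video, the Tor Project or nginx: a small Python script that does what a seized onion service's access log would let an investigator do, namely bucket visitors by the OS token in the User-Agent and rank the rare ones. The log lines are constructed in nginx's combined format using the User-Agent strings Firefox ESR 128 sends on each platform; the "before" log assumes every visitor sent the spoofed Windows string, the "after" log assumes the real platform is exposed, and the 20-visit mix and 4-bit threshold are arbitrary choices for the illustration. OpenBSD stands in as the rare platform because the User-Agent names it outright.

```python
import math
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed User-Agent strings in the Firefox ESR 128 format Tor Browser 14.x
# is built on. Assumption for this example: before 14.5 every user sent the
# Windows string; from 14.5 each platform sends its own.
UA_WINDOWS = "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0"
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
UA_MACOS = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0"
UA_OPENBSD = "Mozilla/5.0 (X11; OpenBSD amd64; rv:128.0) Gecko/20100101 Firefox/128.0"


def make_line(minute: int, ua: str) -> str:
    """Constructed nginx 'combined' log line as an onion service would write it.

    The client address is the local Tor daemon, so it identifies nobody; the
    User-Agent is the last quoted field.
    """
    return (f'127.0.0.1 - - [26/Apr/2025:17:{minute:02d}:00 +0000] '
            f'"GET /inbox HTTP/1.1" 200 2048 "-" "{ua}"')


# Twenty visits before 14.5: every line carries the spoofed Windows string.
LOG_BEFORE = [make_line(m, UA_WINDOWS) for m in range(20)]
# The same twenty visits with real platforms exposed: 12 Windows, 4 Linux,
# 3 macOS and one OpenBSD user (the constructed rare platform, line index 7).
LOG_AFTER = [make_line(m, ua) for m, ua in enumerate(
    [UA_LINUX] * 4 + [UA_MACOS] * 3 + [UA_OPENBSD] + [UA_WINDOWS] * 12)]

_LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')
_PLATFORM = re.compile(r'\(([^)]*)\)')


def user_agent_of(line: str) -> str:
    """Last quoted field of a combined-format line, i.e. the User-Agent."""
    m = _LAST_QUOTED.search(line)
    return m.group(1) if m else ""


def os_from_user_agent(ua: str) -> str:
    """Coarse OS bucket from the UA's parenthesised platform token.

    Android UAs also contain 'Linux', so Android is tested first.
    """
    m = _PLATFORM.search(ua)
    platform = m.group(1) if m else ""
    if "Windows" in platform:
        return "Windows"
    if "Mac OS X" in platform or "Macintosh" in platform:
        return "macOS"
    if "Android" in platform:
        return "Android"
    if "Linux" in platform:
        return "Linux"
    if "BSD" in platform:
        return "BSD"
    return "Other"


def os_histogram(lines: Iterable[str]) -> Counter:
    return Counter(os_from_user_agent(user_agent_of(line)) for line in lines)


def bits_per_os(lines: List[str]) -> Dict[str, float]:
    """Bits the OS token alone reveals about a visitor in each bucket,
    log2(total / bucket size). 0.0 means the header says nothing."""
    hist = os_histogram(lines)
    total = sum(hist.values())
    return {name: math.log2(total / n) for name, n in hist.items()}


def rarest_visitors(lines: List[str], min_bits: float = 4.0) -> List[str]:
    """Log lines whose OS token narrows the visitor by at least min_bits."""
    bits = bits_per_os(lines)
    return [line for line in lines
            if bits[os_from_user_agent(user_agent_of(line))] >= min_bits]


if __name__ == "__main__":
    for label, log in (("before 14.5", LOG_BEFORE), ("after 14.5", LOG_AFTER)):
        print(label, dict(os_histogram(log)),
              {k: round(v, 2) for k, v in bits_per_os(log).items()})
        for line in rarest_visitors(log):
            print("  stands out:", line)
```

With spoofing, every visitor is "Windows" and the header contributes zero bits. Without it, the Windows users still give up under one bit, but the single OpenBSD visitor is pinned to one line out of twenty by the User-Agent alone, with JavaScript disabled and nothing else in the request.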
So if you use a rare operating system, you're uniquely exposed. That brings me to mitigation options. All this exists and it sucks, but what can we do about it? The answer is to use Tails or Whonix.
Alternatively, you could stay on Tor Browser 14.0 and re-enable spoofing manually via about:config, though staying on an old release means forgoing the security fixes that come after it. You could disable JavaScript, or route a hardened browser through Tor with a custom anti-fingerprinting setup. But let's not pretend these are good options. The feature removal was not a bug fix or a necessary trade-off in any way. It was a nonsensical decision.
The developers made it clear that they don't trust you with the tools you depend on. Now you might be thinking, hold on a minute, Sam, you just said that if I use a rare operating system like Qubes or BSD I'm uniquely exposed, and then you told us to use Tails or Whonix, which are also niche systems.
Isn't that the same problem? That's a great question, but the key difference is that Tails and Whonix aren't just rare operating systems; they're privacy-hardened systems designed to isolate your base operating system from your identity and your network traffic. They were purpose-built for anonymity.
When used correctly, they act as buffers that shield your actual host machine and environment from being exposed at all. Tails runs entirely from RAM, so it doesn't touch your disk and doesn't store logs. It's amnesiac, and it routes everything through Tor by default.
Whonix goes even further. Of course, none of this matters if your host is already compromised: if you're running Whonix on top of an infected Windows machine, you're screwed anyway, but that's a different topic for another time.
Whonix compartmentalizes your activity into two VMs, one that handles Tor routing (the Gateway) and one for everything else (the Workstation). So even if the browser leaks that it's running on Linux, that doesn't necessarily expose anything about your real system or environment. Contrast that with running Tor Browser directly on Qubes, Arch or OpenBSD. Those are great security-focused operating systems, but they don't isolate your browser in the same way. If Tor Browser leaks your platform and you're one of only a handful of Tor users on it, you're exposed, because that fingerprint leads straight back to you. The problem isn't just running a rare OS; it's running a rare OS in a way that lets the browser fingerprint it.
If you're using Whonix or Tails, that fingerprint is contained within an isolated system. But if you're using a general-purpose operating system directly and Tor Browser leaks it, that's where the risk spikes. So if you care about privacy, update your threat model accordingly, because the few lone-wolf devs maintaining Tor Browser clearly don't share yours. And let them know on social media. I, for one, would love to see this feature back.
Atticus, thank you for watching. I'll see you in the next video.
2025-04-26 18:03