From 32c4e5a1dc97ee02e625ead6dbe7a405fc3c16a9 Mon Sep 17 00:00:00 2001 From: Roman-Nopantski Date: Fri, 24 Feb 2017 04:34:52 +1300 Subject: [PATCH] UA Spoofing own section, all inactive --- user.js | 52 +++++++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/user.js b/user.js index 6751fb3..475cd0a 100644 --- a/user.js +++ b/user.js @@ -1166,29 +1166,6 @@ user_pref("network.dns.blockDotOnion", true); // 2626: strip optional user agent token, default is false, included for completeness // https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference user_pref("general.useragent.compatMode.firefox", false); -// 2627: Spoof default UA & relevant (navigator) parts (also see 0204 for UA language) - // NOTE: may be better handled by an extension (eg whitelisitng), try not to clash with it - // NOTE: this is NOT a complete solution (feature detection, some navigator objects leak, resource URI etc) - // AIM: match latest TBB settings: Windows, ESR, OS etc - // WARNING: If you do not understand fingerprinting then don't use this section - // test: http://browserspy.dk/browser.php - // http://browserspy.dk/showprop.php (for buildID) - // http://browserspy.dk/useragent.php - // ==start== - // A: navigator.userAgent leaks in JS, setting this also seems to break UA extension whitelisting - // user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref) - // B: navigator.buildID (see gecko.buildID in about:config) reveals build time - // down to the second which defeats user agent spoofing and can compromise OS etc - // https://bugzilla.mozilla.org/show_bug.cgi?id=583181 -user_pref("general.buildID.override", "20100101"); // (hidden pref) - // C: navigator.appName -user_pref("general.appname.override", "Netscape"); // (hidden pref) - // D: navigator.appVersion -user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref) - // E: navigator.platform leaks in JS -user_pref("general.platform.override", "Win32"); // (hidden pref) - // F: navigator.oscpu -user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref) // 2628: disable UITour backend so there is no chance that a remote page can use it user_pref("browser.uitour.enabled", false); user_pref("browser.uitour.url", ""); @@ -1265,6 +1242,35 @@ user_pref("svg.disabled", true); // CVE-2017-5383: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/ user_pref("network.IDN_show_punycode", true); +/*** 2697: USER AGENT (UA) SPOOFING + Spoofing your UA to *LOWER* entropy *does* *not* *work*. It may even cause site breakage + depending on your values. Even if you spoof, like TBB (Tor Browser Bundle) does, as the + lastest ESR, it still *does* *not* *work*. There are two main reasons for this. + 1. Many of the components that make up your UA can be derived by other means. And when + those values differ, you provide more bits and raise entropy. Examples of leaks include + navigator objects, resource://URIs, locale, feature detection and more. + 2. You are not in a controlled set of signifcant numbers, where the values are enforced + by default. It works for TBB because for TBB, the spoofed values ARE their default. + * We do not recommend UA spoofing yourself, leave it to privacy.resistFingerprinting (see 2699) + * Values below are for example only based on the current ESR/TBB at the time of writing +***/ +// 2697-A: navigator.userAgent leaks in JS + // NOTE: setting this will break any UA spoofing add-on whitelisting + // user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref) +// 2697-B: navigator.buildID (see gecko.buildID in about:config) reveals build time + // down to the second which defeats user agent spoofing and can compromise OS etc + // https://bugzilla.mozilla.org/show_bug.cgi?id=583181 + // user_pref("general.buildID.override", "20100101"); // (hidden pref) +// 2697-C: navigator.appName + //user_pref("general.appname.override", "Netscape"); // (hidden pref) +// 2697-D: navigator.appVersion + // user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref) +// 2697-E: navigator.platform leaks in JS + // user_pref("general.platform.override", "Win32"); // (hidden pref) +// 2697-F: navigator.oscpu leaks in JS + // user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref) +// 2697-G: also see 0204 for general.useragent.locale + /*** 2698: FIRST PARTY ISOLATION (FPI) ***/ // 2698a: enable first party isolation pref and OriginAttribute (FF51+) // WARNING: breaks lots of cross-domain logins and site funtionality until perfected