allo- / ffprofile

A tool to create firefox profiles with personalized defaults.
GNU Affero General Public License v3.0
771 stars, 56 forks

Navigator Spoofer Addon for changing the user agent #162

Open allo- opened 5 years ago

allo- commented 5 years ago

https://addons.mozilla.org/en-US/firefox/addon/navigator-spoofer/

The general.useragent.override setting does not change the window.navigator properties like window.navigator.oscpu. This addon can change them as well.

martin-braun commented 2 years ago

The link is dead, but the issue is real. Another problem is that a fixed User-Agent will open you up to fingerprinting, as it appears you are one of the rare people who don't update his/her browser.

This profile maker really needs a UA extension on board that takes care of window.navigator and auto-updates on new browser versions.

allo- commented 2 years ago

Indeed. And I am not sure if there is a point in spoofing a completely different browser. A fingerprinting script could probably correlate a Firefox property with, for example, an Edge user agent, and that makes you unique when you try to fake Edge.

On the other hand, some less advanced scripts that try to run tailored attacks will target the wrong browser.

I think the best solution is the preventFingerprinting setting, which always uses the latest ESR user agent string. The full setting breaks a lot of things, but I think it (now) has sub-settings to only use certain features. I need to find the documentation for which settings can be set without raising the security (and site breaking) to the Tor Browser level.
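A self-check for the mismatch discussed in this thread, as an added example that is not part of the issue or of the ffprofile project: it compares the user agent string with navigator properties that an override leaves untouched. The function names, finding codes and sample navigator objects are assumptions constructed for this example.

```javascript
// Added example: audit a navigator-like object for UA/property mismatches.
// Function names and finding codes are hypothetical; samples are constructed.

// Browser family the user agent string claims to be.
function claimedFamily(ua) {
  if (/\bEdg\//.test(ua)) return "edge";
  if (/\bChrome\//.test(ua)) return "chrome";
  if (/\bFirefox\//.test(ua)) return "firefox";
  return "unknown";
}

// Operating system family named in a UA, oscpu or platform string.
function osFamily(s) {
  if (/Windows|Win32|Win64/.test(s)) return "windows";
  if (/Mac OS X|Macintosh|MacIntel/.test(s)) return "mac";
  if (/Linux|X11/.test(s)) return "linux";
  return "unknown";
}

// Returns a list of finding codes; an empty list means the values agree.
function auditNavigator(nav) {
  const findings = [];
  const family = claimedFamily(nav.userAgent);
  const claimsOther = family !== "firefox" && family !== "unknown";
  // navigator.oscpu exists only in Firefox.
  if (claimsOther && typeof nav.oscpu === "string") findings.push("oscpu-present");
  // Gecko reports productSub "20100101"; Chromium-based browsers "20030107".
  if (claimsOther && nav.productSub === "20100101") findings.push("gecko-productSub");
  // The OS in the UA string should match the OS in oscpu and platform.
  const uaOs = osFamily(nav.userAgent);
  for (const prop of ["oscpu", "platform"]) {
    const propOs = typeof nav[prop] === "string" ? osFamily(nav[prop]) : "unknown";
    if (uaOs !== "unknown" && propOs !== "unknown" && propOs !== uaOs) {
      findings.push("os-mismatch:" + prop);
    }
  }
  return findings;
}

// Constructed samples: an unmodified Firefox on Linux, the same profile with
// an Edge UA override, and the same profile with a Firefox-on-Windows override.
const base = { oscpu: "Linux x86_64", platform: "Linux x86_64", productSub: "20100101" };
const realFirefox = { ...base, userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0" };
const fakeEdge = { ...base, userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0" };
const fakeWinFirefox = { ...base, userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0" };

for (const [name, nav] of Object.entries({ realFirefox, fakeEdge, fakeWinFirefox })) {
  console.log(name, auditNavigator(nav));
}
```

In a browser, `auditNavigator(window.navigator)` from the developer console runs the same checks against the live profile.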

martin-braun commented 2 years ago

As I remember, resistFingerprinting is problematic for third-party logins, is it not? I agree that spoofing the browser has only minimal benefits, since Firefox still has good market share. It is a good logical first step to provide a way to always use the ESR UA. If it is possible to use resistFingerprinting while still having OAuth 2.0 functioning, that would be very good.

allo- commented 2 years ago

resistFingerprinting raises a lot of red flags for different bot detection systems, because it does its job.

But it has some sub-settings like privacy.resistFingerprinting.letterboxing [true / false] (which is exposed in about:config) and I think there are some that need to be created first. Maybe there are settings to just enable UA-Spoofing?