The browser should not have it's own unique user agent

[brian6932]

The browser has it's own unique user agent, you can see that by going to https://ifconfig.me/all The problem with this is that:

1. It leaves a unique fingerprint
2. It breaks sites like Google that do agent tailoring

[Alex313031]

@brian6932 Yeah, this is because of https://github.com/Alex313031/Mercury/blob/main/mozconfig-win#LL60C3-L60C3 which was done as an experimental thing. I will probably comment that line out for next release, so from server's point of view it will appear as just regular firefox.

[jobbautista9]

I'd prefer to have Mercury use its own UA if it's going to be a real fork. Nobody does tracking by UA. Besides if you're really concerned about fingerprinting (despite being overblown and exaggerated by the tech press) you just need to make your fingerprint unique (one of the methods is by poisoning the canvas with random enough data) every time you visit a site, and in such a way that the site cannot easily determine that your connection is illegitimate. That will render tracking by fingerprints useless as the bad actor is forced to keep all of your bogus fingerprints. I also suggest enabling Global Privacy Control (privacy.globalprivacycontrol.enabled in about:config) which unlike Do Not Track is legally backed and will obligate websites not to share or sell your data even if they've tracked you. Of course it won't prevent tracking (that's kinda the point, and this is why DNT failed: it was too broad unlike GPC which specifically tackles the processing of data), which is why it's just a suggestion. But if you're just concerned about them sharing your data to others, then GPC is good enough. As always, analyze your threat model and don't blindly follow whatever a "privacy article" tells you to do.

As for webcompat due to UA sniffing, general.useragent.compatMode.firefox should be enabled by default as I said in #14. It will add a Firefox/{version} string to the useragent, which should satisfy those looking for Firefox specifically.

[brian6932]

Nobody does tracking by UA.

@jobbautista9 this is completely incorrect, basically no browser forks use unique UAs, because not only does it break your anonymity, it also breaks compatibility with many sites that use the info to tailor to engines, this is an incredibly common practice.

While general.useragent.compatMode.firefox does partially fix compatibility issues, it just doesn't make sense to do this in the first place, as no one does it.

[jobbautista9]

basically no browser forks use unique UAs

I can name several: All UXP browsers (so Pale Moon, Basilisk, Iceweasel-UXP, etc.), SeaMonkey, and even suckless Surf (which uses WebKit) provides its own UA.

because not only does it break your anonymity

Proof? A bad actor cannot pinpoint one's identity by sniffing UA alone.

it also breaks compatibility with many sites that use the info to tailor to engines, this is an incredibly common practice.

So add a Firefox/{version} string to your default UA! UA sniffing may be a common practice to determine whether to support a browser, but it's bad practice anyway; websites should use feature detection for that, and fail gracefully. But we don't live in an ideal world so we have to add the Firefox string for those who refuse to make a trivial change to their browser detection code.

Btw not providing a unique UA means that there would be no way (AFAIK) for sites like StatCounter to determine how many users use the browser; so @Alex313031 might want to take that into consideration.

But otherwise, if the dev doesn't plan to deviate significantly from Firefox and is fine with no accurate way of determining user count, I'm completely okay with just using Firefox's UA. That's why I said this from the very beginning:

I'd prefer to have Mercury use its own UA if it's going to be a real fork.

[brian6932]

I can name several: All UXP browsers (so Pale Moon, Basilisk, Iceweasel-UXP, etc.), SeaMonkey, and even suckless Surf (which uses WebKit) provides its own UA.

No one actually uses these browsers, except a very select few people, and those few people will end up changing their agent, this is not good UX.

Proof? A bad actor cannot pinpoint one's identity by sniffing UA alone.

Considering you're using a browser with less than 81 stars, and lets say 1/4-1/2 of the users actually use it regularly, that makes you as unique as 20-40 people in the world. That's pretty easy to spot, that most definitely by the definition of the word de-anonymizes you, you can grasp at straws all you like, but these type of things are the exact opposite of what you'd want as a default in a browser that has privacy as a tag.

[jobbautista9]

No one actually uses these browsers, except a very select few people, and those few people will end up changing their agent, this is not good UX.

So you're telling me that Microsoft is wrong for having Edge provide its own UA? It's basically a fork of Chrome now and it is used by many users. And by your logic Edge should identify only as Chrome.

Different browsers should have different user-agents. That's what user-agents were made for.

Considering you're using a browser with less than 81 stars, and lets say 1/4-1/2 of the users actually use it regularly, that makes you as unique as 20-40 people in the world. That's pretty easy to spot, that most definitely by the definition of the word de-anonymizes you, you can grasp at straws all you like, but these type of things are the exact opposite of what you'd want as a default in a browser that has privacy as a tag.

This is all practically irrelevant for the following reason: you only need to present unique fingerprint every time to make fingerprint tracking useless. You don't have to tackle every single part (including the UA) of a fingerprint to protect yourself.

Perhaps this explanation by @wolfbeast from a forum post would be much easier to understand for you:

When you are not providing trackers with any indication whether the browser's data is legitimate or not, they have no choice but to consider your identification unique - this is exceedingly effective in both bloating tracking databases with bogus data and decoupling one session from the next. Being uniquely identified is a good thing, if you are a different kind of unique every time. Poisoning the overall browser fingerprint with just a few well-placed bits of fake data will effectively invalidate the entire fingerprint. Contrary to what you may believe it is therefore not at all necessary to counter any and all fingerprinting parameters, and it doesn't matter whether other fingerprinting variables still provide uniqueness or not.

[brian6932]

So you're telling me that Microsoft is wrong for having Edge provide its own UA? It's basically a fork of Chrome now and it is used by many users. And by your logic Edge should identify only as Chrome.

Edge is used by millions of people, if you're asking me whether or not they should've done that, I will always say no, they shouldn't have. Edge is an absolutely horrific example of user privacy, they literally send a hardware UUID of your device to Microsoft when you use it.

You don't have to tackle every single part (including the UA) of a fingerprint to protect yourself.

This is just not true, you're pulling this out of your ass, citing Pale Moon, an outdated browser with many security vulnerabilities as a source is quite a terrible example as well. The post does not point out anything on UA at all, you are connecting two things that are very different.

[wolfbeast]

This is just not true, you're pulling this out of your ass, citing Pale Moon, an outdated browser with many security vulnerabilities as a source is quite a terrible example as well.

I suggest you inform yourself properly before you echo disinformation to the world. An "outdated" browser does not have a most-recently-updated date of mid April this year. Security bugs are audited each cycle and addressed. But if you know of an exploitable security vulnerability then I'm of course very interested in learning about it.

The post does not point out anything on UA at all, you are connecting two things that are very different.

which part of the overall fingerprint is discussed is irrelevant for the simple reason that trackers and profilers by their very nature want an as accurate as possible fingerprint meaning it will include both unrelated factors (and plenty more). making the overall whole differently-unique is the effective countermeasure. Maybe re-read the quoted explanation :)

[leomeinel]

I don't really want to make the discussion even more heated than it already is, but using Edge as en example for privacy is very misleading and dishonest! Having a unique user agent doesn't give the server you're connecting to a copy of your government ID, but it definetly gives you a unique fingerprint which can then be tracked. This should be pretty logical because the less people use a user agent, the more obvious it becomes when that user agent gets tracked. Just saying that this doesn't happen in practice without any proof is also a very bad argument in my opinion. If you can prove it, do so. But websites that do fingerprinting don't have a reason not to do it on UAs.

I don't really want this to escalate, because it already kind of has but @brian6932 is in my opinion correct in submitting this issue!

EDIT

And as far as I understand, Mercury doesn't send a unique UA every time a new connection is made.

This issue is about not having one unique UA that gets sent every time, which lets websites track that UA and instead using the default Firefox UA or something similar, which is quite common for forks of Firefox as far as I know.

[Alex313031]

@wolfbeast @brian6932 @leomeinel @jobbautista9 Mercury will have a custom user agent with both mercury and firefox in the name, for compatibility.

[Alex313031]

@wolfbeast @brian6932 @leomeinel @jobbautista9 Fixed! See latest release > https://github.com/Alex313031/Mercury/releases/tag/v.115.0.0

[brian6932]

115 absolutely doesn't solve either of these issues (I did test it), either the custom UA should be disabled by default, or there should be some toggle in about:config and/or about:preferences that sets it to not append it, as opposed to setting a manual UA. Imho, it really shouldn't be enabled by default, and anyone who claims otherwise in this issue, or anywhere else, really show a lack of experience in mitigating fingerprinting. There are many many many integrity and fingerprint checkers that check your UA, with Cloudflare being a large example, they use a combination of your UA and TLS fingerprint (JA3). It's a bit hard to sound non-dismissive here, but some of the positions stated in this thread are absolutely absurd and display little to zero understanding of the inner workings of the modern web.

[surapunoyousei]

It sounds like you've already fixed it, but rather than changing the configuration, I suggest you write MOZ_APP_UA_NAME=Firefox

[entrider]

either the custom UA should be disabled by default, or there should be some toggle

Why though? There is absolutely no reason to use a custom UA in the first place.

[brian6932]

I agree @entrider

[entrider]

JFI, if you enable privacy.resistFingerprinting, it sets UA back to normal: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

[brian6932]

That's nice and all, but RFP breaks a lot of stuff, it shouldn't be the way to opt out of this