Hello Tails Team and Testers,
Here's an addendum to our report on Tails 4.11~rc1. These additional tests took place on a similar though enlarged setup as before.
We expanded our examination of the Tor Browser and tried it on several Unix-like operating systems probing three internet utility websites.
All versions of the Tor Browser were 64-bit, "en-US" language, and cryptographically verified. We tested:
+ Tor Browser 9.5.4 running on Tails 4.10.
+ Tor Browser 10.0a6 running on Tails 4.11~rc1.
+ Tor Browser 9.5.4 and 10.0a7 running on macOS 10.15.6.
+ Tor Browser 9.5.4, 10.0a6, and 10.0a7 running on Fedora 32 with GNOME desktop environment.
We used these internet utility websites:
+
https://ipleak.net (which gives the most comprehensive results)
+
https://ipleak.com
+
https://aruljohn.com
Note the above websites produce incorrect or partial results if the Tor Browser is set to the "Safest" security level rather than the "Standard" default. This is due to the absence of JavaScript in "Safest" mode.
Best Regards,
Circletop
https://circletop.wordpress.com
==============================================================================================
1. The problem we encountered with Cloudflare demanding captcha requests with greatly increased frequency while testing Tor Browser 10.0a6 running on Tails 4.11~rc1 no longer occurs. None of the websites which were briefly only accessible through a Cloudflare captcha barrier produce a single one anymore.
Since the relevant variables on our end are unchanged, the formerly blocked websites are unrelated, and Cloudflare's Managed Rulesets which "improve a rule's accuracy" and "lower false positives rates" frequently shift, we speculate the issue was caused by Cloudflare rather than the Tor Browser or Tails. If fluctuations in Managed Rulesets weren't the culprit, it's possible one of Cloudflare's other products updated in the interim were. Whatever the case, it would be good if the Tor Browser added or enhanced Cloudflare circumvention.
More information's available here:
"Change log for Managed Rulesets"
https://developers.cloudflare.com/waf/change-log
Cloudflare GitHub:
https://github.com/cloudflare
==============================================================================================
2. When offline using Tails 4.11~rc1 the "Tails documentation" desktop launcher sometimes opens the first page, but none of the internal links work. The "Opening local files leads to infinite refresh loop" bug is present.
==============================================================================================
3. We got inconsistent results checking reported screen size and browser resolution. Tor Browser, Firefox and Safari were tested with default, maximized, fullscreen, and random window sizes.
Using Tor Browser 10.0a6 running on Tails 4.11~rc1 we got new results as varied as 448x500, 599x500, 998x499, 999x199, 999x450, 999x500, and 1198x699. But after that we got another string of results which were all multiples of 100.
However, on ipleak.com every Tor Browser/operating system combination tested except those on macOS often produced a Window Size width ending in 88, and never multiples of 100.
==============================================================================================
4. As intended, the Tor Browser's http user agent shows Firefox running on Windows 10.
However, in the default "Safest" security level sometimes accurate information which contradicts the above about the actual operating system in use is revealed, plus other details. This is primarily but not totally due to the JavaScript Navigator object, and effects every combination of Tor Browser and operating system we tested.
In this situation all three internet utility websites both consistently and correctly report "Linux x86_64" or "MacIntel" as the platform.
Worse, ipleak.com's full report prints even more.
For example, Tor Browser 10.0a6 running on Tails 4.11~rc1 shows:
Detected OS: Linux 3.1-3.10
oscpu: Linux x86_64
appVersion: 5.0 (X11)
userAgent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Tor Browser 10.0a6 running on Fedora 32 shows:
Detected OS: Linux 2.2.x-3.x [generic]
oscpu: Linux x86_64
userAgent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Tor Browser 10.0a7 running on macOS 10.15.6 shows:
oscpu: Intel Mac OS X 10.15
appCodeName: Mozilla
appVersion: 5.0 (Macintosh)
userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
In order to partially mitigate this problem the Tor Browser can be set to the "Safest" security level. But even then some undesirable indications are exposed.
For example, Tor Browser 10.0a6 running on Tails 4.11~rc1 shows:
Detected OS: Linux 2.2.x-3.x [generic]
Tor Browser 10.0a7 running on Fedora 32 shows:
Detected OS: Linux 3.11 and newer
HTTP software: Firefox 10.x or newer (ID OS mismatch)
Therefore it would be good if the Tor Browser would expand its obfuscations beyond the http user agent and into the realm of JavaScript-based and other forms of fingerprinting.
==============================================================================================
5. The Tor Browser 10.0a6 is no longer available here:
https://dist.torproject.org/torbrowser/10.0a6
But is available here:
https://archive.torproject.org/tor-package-archive/torbrowser/10.0a6
==============================================================================================
6. The reason the internet utility website Arul John briefly displays an erroneous screen resolution and browser size of 640x480 before changing to an actual result is due to line 41 in its source code, which reads:
Your resolution is <span id="resolution">640x480</span><br>
As a result this site produces a false report of 640x480 when it's accessed running the Tor Browser using the "Safest" security level.
==============================================================================================
7. Some websites with both a normal and onion ("hidden") service instance use https for the former but not the latter. It would be ideal to use https for both.
For example, the standard Tor Project homepage is:
https://www.torproject.org
But the onion service homepage is:
http://expyuzz4wqqyqhjn.onion
Trying to load the onion service Tor Project homepage with https (
https://expyuzz4wqqyqhjn.onion) prints an "Unable to connect" error.
On the other hand, DuckDuckGo serves both instances of its homepage using https:
https://duckduckgo.com
https://3g2upl4pq6kufc4m.onion