First time I have seen this, no wonder I come across in-the-wild comments claiming as such
https://tb-manual.torproject.org/anti-fingerprinting/ > Tor Browser + Anti-fingerpriting
besides the spelling mistake (missing n in Anti-fingerpriting)
> Tor Browser is specifically engineered to have a identical fingerprint across its users. No matter what device or operating system the user is on, the browser fingerprint should be the same as any device running Tor Browser. This means each Tor Browser user looks like many other Tor Browser users, making it difficult to track any individual user.

This is nonsense, sorry. Some things can't be hidden/blocked/spoofed and are what we call equivalency. Such as OS. Another is language(s) - i.e. we have to provide a web request language and no point in everyone requesting e.g. English if they can only read Arabic. And so on. Additionally some things cannot be patched/hidden (yet, if ever, such as architecture).
So the reality is: we aim to limit how many "buckets" are possible per metric - e.g.

- we do not lie but return real values (because they have to be used as is, can't lie about them), but limit them: e.g.
  - limiting/bundling fonts -> font enumeration, character fallback
  - new window sizes and letterboxing -> screen/window sizes
  - web-content requested languages: hardcoded to a small set: one of each maximum: i.e. one English (en-US), not en-CA, en-GB etc
- we lie/spoof - e.g.
  - always return 2 for hardwareConcurrency
  - randomize canvas
- we pre-empt user actions: e.g.
  - always reject permissions - WiP
- we disable the API
- we could also block known FP scripts but this is a form of enumerating badness

The key goal of Anti-FP protections is to protect the real value (doesn't matter how it does it). And we do this metric by metric, reducing the possible buckets, making it harder and harder for scripts to extract entropy (the spread of users across buckets), until it becomes too costly or performance-heavy to be practical.
It is impossible to make all TB users look identical, and this was never the aim
cc @richard
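
The bucket-reduction point in the comment above, as an added illustration (not part of the original comment and not Tor Browser code): it measures per-metric entropy over a constructed population before and after a "limit" or "spoof" protection. The eight users, the 100px rounding step and the mapping of non-English locales to their base tag are assumptions made for the example.

```javascript
// Added illustration: population and bucketing rules below are constructed.
// Shannon entropy in bits of how a population spreads across buckets.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// One protection per metric, following the strategies listed in the post.
const STEP = 100; // assumed rounding step in px, for illustration only
const protections = {
  // limit: keep the real language, collapse regional variants (en-GB -> en-US);
  // mapping other locales to their base tag is a simplification
  language: (v) => (v.startsWith("en") ? "en-US" : v.split("-")[0]),
  // spoof: every user reports 2
  hardwareConcurrency: () => 2,
  // limit: round the real window size down to a multiple of STEP
  windowSize: ([w, h]) =>
    `${Math.floor(w / STEP) * STEP}x${Math.floor(h / STEP) * STEP}`,
};

// Constructed population of eight users (not measured data).
const users = [
  { language: "en-US", hardwareConcurrency: 4, windowSize: [1366, 657] },
  { language: "en-GB", hardwareConcurrency: 8, windowSize: [1920, 969] },
  { language: "en-CA", hardwareConcurrency: 8, windowSize: [1903, 947] },
  { language: "ar", hardwareConcurrency: 2, windowSize: [1280, 620] },
  { language: "ar-EG", hardwareConcurrency: 4, windowSize: [1366, 663] },
  { language: "de-DE", hardwareConcurrency: 16, windowSize: [1536, 730] },
  { language: "en-US", hardwareConcurrency: 12, windowSize: [1440, 789] },
  { language: "de-AT", hardwareConcurrency: 8, windowSize: [1519, 722] },
];

// Entropy per metric before and after protection.
function report(population) {
  const out = {};
  for (const [metric, protect] of Object.entries(protections)) {
    const raw = population.map((u) => String(u[metric]));
    const shown = population.map((u) => String(protect(u[metric])));
    out[metric] = { before: entropyBits(raw), after: entropyBits(shown) };
  }
  return out;
}

console.table(report(users));
```

On this sample the spoofed metric drops to zero bits, while language and window size only shrink (2.75 to 1.5 bits and 3 to 2.25 bits), which is the equivalency the comment describes: real values that must be returned can be limited but not made identical.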