How are some websites able to detect on which OS I am running the Tor Browser?

Question

Tor Browser conceals the user's operating system by spoofing user agents. Currently it is Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0. I decided to test whether the function actually does its job by visiting multiple detection websites on Tor Browser in both Windows and Linux then comparing the results.

1. GIMP Download Page(https://www.gimp.org/downloads/)

   1. Tor Browser on Linux (we think your OS is Linux)

   2. Tor Browser on Windows 11 (we think your OS is Microsoft Windows)

2. https://bowser-js.github.io/bowser-online/

   1. Tor Browser on Linux

      Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
      
      Firefox/102.0
      browser
          name    "Firefox"
          version "102.0"
      os
          name    "Linux"
      platform
          type    "desktop"
      engine
          name    "Gecko"
          version "20100101"
      

   2. Tor Browser on Windows 11

      Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
      
      browser
          name    "Firefox"
          version "102.0"
      os
          name    "Windows"
          version "NT 10.0"
          versionName "10"
      platform
          type    "desktop"
      engine
          name    "Gecko"
          version "20100101"
      

3. https://useragentstring.com

   1. Tor Browser on Linux

      Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
      Firefox 102.0
          Mozilla MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means 'Mozilla-compatible'. In modern browsers, this is only used for historical reasons. It has no real meaning anymore
          5.0 Mozilla version
          Windows NT 10.0     Operating System: Windows 10
          rv:102.0    CVS Branch Tag The version of Gecko being used in the browser
          Gecko   Gecko engine inside
          20100101    Build Date: the date the browser was built
          Firefox Name : Firefox
          102.0   Firefox version
      

   2. Tor Browser on Windows 11

      Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
      Firefox 102.0
          Mozilla MozillaProductSlice. Claims to be a Mozilla based user agent, which is only true for Gecko browsers like Firefox and Netscape. For all other user agents it means 'Mozilla-compatible'. In modern browsers, this is only used for historical reasons. It has no real meaning anymore
          5.0 Mozilla version
          Windows NT 10.0     Operating System: Windows 10
          rv:102.0    CVS Branch Tag The version of Gecko being used in the browser
          Gecko   Gecko engine inside
          20100101    Build Date: the date the browser was built
          Firefox Name : Firefox
          102.0   Firefox version
      

So Tor on Windows was able to hide the fact that Windows 11 was run instead of 10. But the Linux version was unable to hide the fact that Linux was the OS. I ran all tests with no extensions except the built-in NoScript. Also 2-b) shows an additional Win64; x64; that is not present in the user agent. How are websites able to deanonymize your OS? Are there subtle differences in implementation that cannot be covered by user agent spoofing? Is there a way for Tor on Linux to blend in with Tor on Windows?

Answer 1

There are ways to find out the actual operating system.

The easiest is accessing the navigator.platform property, exposed by most browsers.

Why not spoof that? Well, there are reasons, things do break.

For details and more explanations you can check this Tor issue: Fingerprinting: EFF Cover Your Tracks shows actual OS/CPU architecture as platform.

Answer 2

I think the reason Windows appears to work is because you are experiencing a discrepancy between the internal Windows version and that which it claims in the GUI facade.

https://www.reddit.com/r/Windows10/comments/o12qof/windows_11_shows_version_10021996_cmd_and/

This sort of discrepancy has existed since Windows 7, which was 6.1 to Windows Vista's 6.0.

So Tor is just reporting what Windows is telling it, the internal version not the external.

Answer 3

Because the browser told them this.

So Tor on Windows was able to hide the fact that Windows 11 was run instead of 10. But the Linux version was unable to hide the fact that Linux was the OS.

User-agent and other OS identifying methods are mostly wizardry with a lot of historical context, see WebAIM.

How are websites able to deanonymize your OS?

Your browser "outs" your OS to them. Either in user-agent or in Javascript. That is desired behavior, as it is usually not enough identifying information and it is not deanonymizing by itself.

Are there subtle differences in [browser] implementation that cannot be covered by user agent spoofing?

This is a question worthy of a cybersecurity bachelor's thesis. It may very well be possible.

Is there a way for Tor on Linux to blend in with Tor on Windows?

Change the UA and change various JS variables, such as javascript - Change navigator.platform on Chrome, Firefox, or IE to test OS detection code

All in all, you could change all of this. I don't know why you would but you probably can.

Note that OS is not an identifying trait. What are there, 3 of them? Unless you use TempleOS, there are many more people with the same one. For example I used https://coveryourtracks.eff.org to see what is my browser's most identifying trait. It is JS canvas signature. This canvas signature is about 20x more identifying than my OS.