17:04:18 <morganava> #startmeeting Applications Team Office Hours 2025-07-16
17:04:18 <MeetBot> Meeting started Wed Jul 16 17:04:18 2025 UTC. The chair is morganava. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:04:18 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
17:04:22 <morganava> I didn't forget :3
17:04:49 <Jeremy_Rand_Lab19[mds]> So how does the structure of these new meetings compare what what I'm used to?
17:04:50 <morganava> but yes hello, we'll leave this room open for ~15 minutes in case community people would like to sync on anything o/
17:05:05 <Jeremy_Rand_Lab19[mds]> s/what what/to what/
17:05:19 <morganava> Jeremy_Rand_Lab19[mds]: basically this is a scheduled meeting time for community members to interact w/ apps team
17:05:30 <Jeremy_Rand_Lab19[mds]> alright
17:05:35 <PieroV> I also have a small update, since we're here :)
17:05:43 <PieroV> I'm done with audits and related stuff!
17:06:02 <Jeremy_Rand_Lab19[mds]> well I do have something I'd like to bring up, do I just jump in as soon as there's a break in the discussion?
17:06:05 <morganava> irc meetings weren't really working for us so we've migrated away from it but still want a touch point with volunteers and waht-not
17:06:13 <morganava> Jeremy_Rand_Lab19[mds]: yeah exactly :)
17:06:20 <morganava> nice job PieroV!
17:06:20 <Jeremy_Rand_Lab19[mds]> alright
17:06:32 * Jeremy_Rand_Lab19[mds] will wait for PieroV 's victory lap before I jump in though
17:06:49 <PieroV> So I moved to clear MR reviews and ~Next. Please let me know (not necessarily here) if I'm missing anything requiring my attention, since next week I'm AFK
17:07:01 <PieroV> I'm done :)
17:07:12 <Jeremy_Rand_Lab19[mds]> OK so
17:07:17 <morganava> PieroV: i'm going to review the final 140 rebase after I go through my email backlog this evening, is the range-diff command in that issue correct still?
17:07:21 <morganava> sup Jeremy :3
17:07:31 <Jeremy_Rand_Lab19[mds]> Regarding the changes to OS spoofing that caused some, uh, drama in the community
17:07:52 <Jeremy_Rand_Lab19[mds]> As best I can tell, all the public messaging about why this change is OK, emphasizes that you can already tell the OS via JS
17:08:05 <Jeremy_Rand_Lab19[mds]> Which is all fine and good for Standard and Safer
17:08:16 <Jeremy_Rand_Lab19[mds]> But in Safest mode, where JS is a thing, that messaging seems inapplicable
17:08:31 <PieroV> Jeremy_Rand_Lab19[mds]: there are CSS poc
17:08:38 <Jeremy_Rand_Lab19[mds]> Maybe there's some other way to fingerprint the OS without JS (fonts perhaps?)
17:08:44 <PieroV> Yes, due to fonts
17:08:46 <Jeremy_Rand_Lab19[mds]> But this is not being conveyed in the public messaging AFAICT
17:09:03 <Jeremy_Rand_Lab19[mds]> And it'd be nice if this were conveyed in the official Tor Project statements about why this change is OK
17:09:07 <morganava> community is 're going to be updating the FAQ+manual with this relevant info so we have something to point to when FUD people rear their heads
17:09:15 <PieroV> We don't know how much reliable those methods are at the moment
17:09:20 <Jeremy_Rand_Lab19[mds]> Because right now if people ask me about it, I don't know what official statement to point people to
17:09:35 <PieroV> Anyway, security level never meant to be about privacy
17:09:36 <Jeremy_Rand_Lab19[mds]> Relatedly
17:09:49 <Jeremy_Rand_Lab19[mds]> The UX issues that necessitated the change
17:09:54 <dan_b> i was testing this to show a friend with a random tool: https://tooldigi.com/operating-system-detector/
17:09:56 <morganava> PieroV: one could imagine some font-metrics dependent layout-based CSS query triggering remote loads versus not
17:10:02 <Jeremy_Rand_Lab19[mds]> Were any of those UX issues happening when JS was disabled anyway?
17:10:14 <dan_b> even with TB on safest, JS very disabled, and the user agent switched to say Windows, it still clocked me as linux
17:10:18 <PieroV> The threat model of Tor Browser is that security level should be used for mitigating exploits
17:10:35 <dan_b> so its, out there, and working and being sold
17:10:38 <PieroV> Of course without JS, most of the fingerprinting vectors are also disabled
17:10:55 <morganava> Jeremy_Rand_Lab19[mds]: of course, imagine a website which gives you alternate download pages off of the perceived OS (it's not *good* UX yet websites do this)
17:11:44 <Jeremy_Rand_Lab19[mds]> Like, I figured that the reason this change was made was that the HTTP header OS spoofing was causing bot detection to get tripped. Do any of these bot detection mechanisms get tripped when JS is off?
17:12:01 <dan_b> Jeremy_Rand_Lab19[mds]: I believe also antibot detection services are employing this and when TB users reported one OS, but a different one was detected, they'd get flagged as a bot and have a "bad time"
17:12:15 <PieroV> Jeremy_Rand_Lab19[mds]: I don't think so
17:12:47 <PieroV> Also, changing that pref is unsupported
17:12:47 <dan_b> if it is CDN based I could def imagine some are tho?
17:12:55 <PieroV> If you're okay to stay in unsupported land, you can install any extension
17:13:01 <PieroV> And spoof your UA to whatever you like
17:13:20 <dan_b> like when cloudflare redirects you to a captch page first? if it also flagged you as bot you might either get more redirects or stopped from access even with JS off?
17:13:40 <Jeremy_Rand_Lab19[mds]> anyway, FWIW I think it would be useful to carefully evaluate whether the change really makes sense in Safest mode, but regardless of whether it's the right decision or not, the results of that evaluation should probably be conveyed to users when they ask about this change
17:15:00 <Jeremy_Rand_Lab19[mds]> It definitely seemed to me that the most egregious UX issues that were fixed by the change, and the most egregious fingerprinting issues that made the change a noop from a privacy standpoint, were only really a thing when JS was on
17:15:14 <morganava> Jeremy_Rand_Lab19[mds]: we're going to be updating the manual in the coming weeks
17:15:22 <Jeremy_Rand_Lab19[mds]> alright great
17:15:48 <morganava> and also again, you don't need user-agent or JS to detect OS, so there's literally no reason to lie about it
17:16:09 <Jeremy_Rand_Lab19[mds]> morganava: due to font-related exploits?
17:16:57 <morganava> for examlpe: font metrics combined with CSS media query-dependent fetches
17:16:58 <PieroV> Jeremy_Rand_Lab19[mds]: we got a H1 report
17:17:04 <PieroV> I don't know if it's still confidential
17:17:21 <PieroV> But tl;dr: yes, fonts.
17:17:39 <Jeremy_Rand_Lab19[mds]> PieroV: ah ok. Yeah that makes sense.
17:17:45 <PieroV> Also, we plan to allow local font faces one we think font vis is good also for Tor Browser
17:17:58 <Jeremy_Rand_Lab19[mds]> makes sense
17:18:15 <PieroV> (there was a hiccup for which we have to go back on that, sorry, I don't know if I can give more details about it, too)
17:18:49 <Jeremy_Rand_Lab19[mds]> Um, no offense, and I know everyone at Tor is very busy, but I think the drama in the community would have been a lot smaller if the docs had been updated with this kind of info �before� the change got picked up in Stable
17:19:26 <morganava> i mean unlikely, the guy creating all the FUD seems to have some kind of vendetta given that he's still going on about it after we've already explained
17:19:56 <morganava> fortunately other parts of the community have stepped up (e.g. the privacyguides people)
17:19:59 <morganava> but yeah
17:20:05 <morganava> an all around shitty and annoying situation
17:20:07 <Jeremy_Rand_Lab19[mds]> morganava: my concern isn't the guy making the YouTube videos, it's the people who watch the YouTube videos and look for a response from Tor Project and can't find an explanation for the questions I just described
17:21:06 <morganava> i'm not sure i agree entirely, this info was in a blog post when we first released
17:21:10 <Jeremy_Rand_Lab19[mds]> (Yes I have experience with bad-faith attacks, we get those in Namecoin from time to time, I know the people making up the claims are a lost cause)
17:21:22 <PieroV> We answered one of the video
17:21:22 <Jeremy_Rand_Lab19[mds]> morganava: was the font-related stuff in a blogpost?
17:21:30 <Jeremy_Rand_Lab19[mds]> I didn't see it but I may have missed it?
17:21:43 <PieroV> Jeremy_Rand_Lab19[mds]: I don't think we explicitly mentioned
17:21:49 <PieroV> It was in some newsletter
17:22:10 <morganava> it's way easier and cheaper to spread lies than it is correct, at some point just not giving these people the attention they want is beter than flamming the flames
17:22:14 <morganava> flanning*
17:22:15 <morganava> fanning*
17:22:35 <Jeremy_Rand_Lab19[mds]> PieroV: ok yeah, that's basically what I'm raising a concern about. The JS attacks were well documented in your blogpost, but the non-JS attacks weren't well documented AFAICT, and even I had to ask you guys on IRC to understand it
17:22:48 <morganava> but yeah, there was a whole response around it when it first came up and now he's bag at it vOv
17:22:53 <dan_b> flan is pretty gelatinous, not the worst thing to fight a fire with perhaps
17:23:14 <Jeremy_Rand_Lab19[mds]> morganava: yeah there's a common saying in the blockchain space: "bullshit is an inverse-PoW function"
17:23:20 <morganava> YUP
17:24:13 <morganava> anyway go spread the gospel to anyone who's actually willing to listen and understand
17:24:19 <morganava> and ignore the haters vOv
17:24:40 <Jeremy_Rand_Lab19[mds]> anyway that's all I wanted to say about the stupid drama. Other than that topic, I've been away at conferences for a while, so not much else is going on here. Attendees at MoneroKon and GCER were excited about SocksTrace though; the GCER attendees were also excited about the onion TLS stuff and Occlumask.
17:24:53 <morganava> oooh exciting
17:25:15 <Jeremy_Rand_Lab19[mds]> (The GCER attendees were probably most excited about Occlumask, which isn't surprising given the focus of the conference -- there are a lot of AI enthusiasts there)
17:25:42 <Jeremy_Rand_Lab19[mds]> But yeah I'm finally back from conferenceland, no more conferences for me until 39C3 in December
17:25:53 <PieroV> Jeremy_Rand_Lab19[mds]: the fact is that the PoC we have is still confidential ^_^ But here you are, once we can publish it https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42377
17:26:07 <Jeremy_Rand_Lab19[mds]> There should be videos of my talks at both conferences published in the next few weeks
17:26:48 <Jeremy_Rand_Lab19[mds]> PieroV: ah cool, thanks for the link
17:27:22 <Jeremy_Rand_Lab19[mds]> That's all I wanted to bring up today, so if anyone else is lurking in the channel and wants to say stuff, now it is your time to shine :)
17:28:55 <morganava> PieroV: missed in the fingerprintnig convo, is the range-diff command in the 128 -> 140 rebase issue up-to date?
17:29:59 <PieroV> I don't remember, but I'm pretty sure I included a range-diff command in the HTML'ified one
17:30:05 <morganava> ah perfect
17:30:21 <morganava> alright if nobody else wants to pipe up, i'll end this meeting
17:30:32 <morganava> 👀
17:30:54 <PieroV> Ihave a final thing
17:31:02 <PieroV> I'd go ahead and rebase onto 140.1.0esr tomorrow
17:31:11 <PieroV> I don't think 15.0a1 is going out before 14.5.5
17:31:49 <morganava> ack makes sense
17:32:18 <morganava> alright folks
17:32:25 <morganava> have a good rest of your day o/
17:32:28 <morganava> #endmeeting