I am being told to use Tor when I am using Tor.

Lookup instance using Tor, on a Mac.

No purple bar.
Purple bar.
Not sure if an issue already exists for this, but I do recall chatting w/ @rmol and @zenmonkeykstop about it.
This will really suck for sources. I'd rather not do the purple bar or any "You are not using Tor" kind of dictatorial intercept, if we cannot get it right. A lighter "Hey, are you using Tor?" y/n binary question or an interstitial, could be a better option.
Note that I'm unable to reproduce this on Ubuntu/TBB 9.0.1, so this may be a platform-specific issue.
If it can help here's a few quick checks I made (all using Tor Browser 9.0.2):
(in a Ubuntu VM), as of 6c46568a6d58e26bcd76647c3c1ea7a2a4546871:
Security setting: Standard

Security setting: Safer and Safest (same behavior)

### Windows 10
(in a VM)
Security setting: Standard

Security setting: Safer

Security setting: Safest

Security setting: Standard

Security setting: Safer

Security setting: Safest

In Ubuntu, Dev environment, the "Security settings" warning is displayed at Standard level only.
In Ubuntu, ABC instance (1.1.0), the "Security settings" warning is displayed at Standard and Safer levels.
In Windows 10, ABC instance (1.1.0), the "Recommended to use Tor Browser" warning is displayed at both Standard and Safer levels.
I don't have a Mac to test but from @ninavizz's screenshot, the "Recommended to use Tor Browser" warning is displayed even at Safest level.
Additional note, I noticed the "warning icon" text in the banner when the "Security settings" warning is displayed, both in the Dev VM and on the ABC instance when using Ubuntu. The CBC instance (also 1.1.0) displays the icon properly:

Repro'd on MacOS if browser settings are at Safe and Safer (but not Safest).
See https://github.com/freedomofpress/securedrop/blob/2d066eb4dfe569973418ebe372c3f7f128e91d7c/securedrop/static/js/source.js
The UA regex is not matching correctly, leading to the errant "switch to TB" message being displayed.
Example nonmatching UA: User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
It seems to me that the "Is this Tor or just Firefox" detection code is inherently fragile. There's a strong case for detecting browsers known to support Tor without its built-in security protections (e.g., Brave), but should we narrow the detection logic here to make it more maintainable?
(relevant: #3793 and anywhere else this same checking logic is used)
@rocodes will be doing some research doing the 12/5-12/18 sprint:
We can then discuss more as a team as needed.
privacy.resistFingerprinting) that result in bad UX on some platforms (mobile, macOS), but there is still an attempt to standardize UAS to a few variants. privacy.resistFingerprinting affects whether platform is reported or not on Firefox Here is the rationale This section might not be as relevant because we aren't really mobile-optimized anyway, but it's good to know.
"Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4", but the user agent string also appears to be customizable on Onion Browser, meaning that _if_ people are using OnionBrowser and change the UAS, we can't help em. /Mozilla\/5\.0 \((Windows NT 10\.0|Windows NT 6\.1||X11; Linux x86_64|Macintosh; Intel Mac OS X 10\.13|Windows NT 10\.0; Win64; x64|Windows NT 6\.1; Win64; x64); rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/; which should (?) match all TB8/older and TB9 users, but this needs testing and is getting unwieldy. We could make it simpler if we don't need to match users who are on a non-up-to-date version of Tor Browser.really nice writeup, thanks!
this is what I think makes most sense
hmm yeah that makes sense, do you know how clean selecting by just GMT timezone and window margins are zero is? (i.e. if we remove the UserAgent regex)
That's what we do now (plus the regex), but I have yet to test if that is sufficient. The window margins were always a pretty good hint, but I haven't looked into if letterboxing changes that at all, or if those two indicators alone are sufficient. bit of testing is my next step.
Of interest:
https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html for looking at what kind of information is shared by Tor Browser.
For example, on security slider setting "Safer," my http user agent string is blank (Tor Browser will spoof it to look like Windows/FF), but navigator.userAgent correctly reports when I am on a Mac.
Updated opinion: I think I vote to stop trying to detect Tor browser and display a generic "we hope you're on Tor browser" message.
Rationale: Firefox's resistFingerPrinting incorporates more and more Tor features, and for users who enable it, all of our checks (window size, timezone, canvas, spoofed UAS, etc) will be exactly the same as what would be reported on Tor browser. So at minimum, we'd report incorrectly for Firefox users who have enabled this feature unless we were also checking IP addresses (then we'd have a better chance of being right, but it wouldn't be foolproof). If this ever becomes a default setting, we will be incorrect about all FF users.
If we continue to use UAS as a means of trying to identify Tor, we will have to keep that regex updated as Tor updates, which will lead to brief breakage every time the spoofed UAS is changed. Seems like too much fuss for this feature.
For the short term I will put in a PR to update the regex, which will match updated versions of Tor browser on all platforms (with the above caveat of false positives on Firefox with resistFingerprinting), but long term this is my suggestion.
Other opinions welcome/encouraged though.
👍 to updating the regex for now. Another change (could be done separately) that would be nice is simplification of the regex to remove support for older version of Tor Browser, provided we modify the text slightly replacing "Tor Browser" with "latest Tor Browser" (and double checking that the instructions we link to in the banner are consistent with the update case). We don't actually want people to use old versions of Tor Browser either, so this seems like a win all around.
Regarding a broader change, I would be amenable to a generic message “Ensure you are using the latest version of Tor Browser for your security” or similar. What do you think about a simple message like that @ninavizz? The hazard is that users might be confused - “but am I using Tor browser!” - but if we can find the right wording I think this could be an acceptable tradeoff.
If finding acceptable language there is not possible, then I think we’ll want to preserve _some_ kind of browser detection logic to handle the cases where sources might be using Tor but not Tor Browser. This will happen due to the increasing popularity of e.g. Brave Tor tabs or other browsers that enables access to onion services but do not yet have sufficient leak proofing for a sensitive use case like SecureDrop. See relevant discussion in Brave's community forum about the User-Agent - if they keep the UA Chromium-like and not Firefox-like then we will definitely be able to encourage Brave users to get regular Tor Browser until their tabs are at parity in terms of leakproofing protection with Tor Browser, so that's good news.
If we _do_ continue to preserve the browser detection, regarding the breakage in production:
Regarding a broader change, I would be amenable to a generic message “Ensure you are using the latest version of Tor Browser for your security” or similar
Under what circumstances would that generic message be shown? Always, or only if there is some mismatch? If always, I worry a little bit about message fatigue here.
How about eliminating attempts to detect Tor Browser itself, and focusing only on detecting known methods for accessing .onion services which we do not currently recommend (e.g., Brave, Orfox [already implemented]) _and_ which we can detect with sufficient reliability?
Most helpful comment
TB UAS Relevant Info
> Design Goal: All Tor Browser users MUST provide websites with an identical user agent and HTTP header set for a given request type. We omit the Firefox minor revision, and report a popular Windows platform. If the software is kept up to date, these headers should remain identical across the population even when updated.
privacy.resistFingerprinting) that result in bad UX on some platforms (mobile, macOS), but there is still an attempt to standardize UAS to a few variants.> When [privacy.resistFingerprinting] is on, http header is spoofed according to a 2-tuple (windows on pc, and android on mobile). Entry in javascript navigator object is spoofed according to [a] 4-tuple [...] (android, linux, mac, windows). source
Relevant tickets
privacy.resistFingerprintingaffects whether platform is reported or not on Firefox Here is the rationaleA bit about mobile
This section might not be as relevant because we aren't really mobile-optimized anyway, but it's good to know.
"Mozilla/5.0 (iPhone; CPU iPhone OS 8_4_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H321 Safari/600.1.4", but the user agent string also appears to be customizable on Onion Browser, meaning that _if_ people are using OnionBrowser and change the UAS, we can't help em.Detecting Tor now
/Mozilla\/5\.0 \((Windows NT 10\.0|Windows NT 6\.1||X11; Linux x86_64|Macintosh; Intel Mac OS X 10\.13|Windows NT 10\.0; Win64; x64|Windows NT 6\.1; Win64; x64); rv:[0-9]{2}\.0\) Gecko\/20100101 Firefox\/([0-9]{2})\.0/;which should (?) match all TB8/older and TB9 users, but this needs testing and is getting unwieldy. We could make it simpler if we don't need to match users who are on a non-up-to-date version of Tor Browser.> Torbutton, and the changes in Tor Browser, are designed to make all Tor users blend together, but they're not designed to make every Tor user indistinguishable from all other normal web browsers. So you can probably build a signature based on the differences that the Tor Browser introduces (tells you the time zone is GMT, doesn't answer certain JavaScript queries, doesn't answer certain history requests, etc) to make a pretty good Tor user recognizer.
What next
Levity
https://webaim.org/blog/user-agent-string-history/