Tor had a thin layer of user-agent spoofing: it would always claim to be Windows (I presume) in the User-Agent header. But the real user-agent (which is still spoofed, but platform-specifically) was easily accessible from JavaScript without even fingerprinting, since they never spoofed the navigator.userAgent variable in the same way. It could also be detected from other fingerprints such as TLS.
They removed the header-only user-agent spoofing so that the User-Agent header now reports the same value as navigator.userAgent, which is one of three distinct values based on your OS type. The rationale is simple: having these different didn't work. It was a failure. It didn't hide any information. And it tripped fingerprint checks on some websites. So they stopped doing that.
Certain people are trying to make this into a huge uproar for some reason. As far as I'm concerned, it's a coordinated disinformation campaign to discourage the use of Tor. The developers probably get spammed about this particular change a lot, because of the disinformation campaign, which explains the hostile response.
Nowhere did Tor's blogs or social media posts mention any of these changes, or why. The 'debunking' is required because of media silence, and people online finding out about this.
Nor were there any developer statements about this change. From an outsider (user) perspective, this smells like a coverup or an insider threat à la the XZ situation.
And for software that people sometimes rely on to safeguard their lives, well, yeah, addressing these significant changes in the open is how you avoid due scrutiny. And I think scrutinizing the lack of communication is a rather damning problem, especially here.
The real crime to me is Tor Browser not spoofing navigator.platform. Regardless of the user agent, if this variable can be used to find something that doesn't say Windows, then I think that already greatly hurts your fingerprint as the number of non-Windows installs pales in comparison.