Should I be concerned about unofficial packages in Nixpkgs?

I want to use the Tor Browser on NixOS. Does using the package provided by Nixpkgs influence the fingerprint in any way compared to the official tar archive of Tor Browser?

How does this apply to other packages as well such as Brave, Mullvad Browser, Librewolf, or self-hosted services where there is no official support from the upstream developers?

2 Likes

Yes, this is a risk. If you’re concerned about this risk, use the -bin version of these packages if they’re available.

3 Likes

On the contrary, I’d be more wary of the official packages (those ending with -bin). These are typically pre-built binaries redistributed unmodified (minus some wrapping and ELF patching) in Nixpkgs.

This means the software has not been configured by a NixOS maintainer and sometimes comes with telemetry and other nasty stuff. Maybe tor would be an exception, but for most software I have more trust in the maintainer than the developer.

1 Like

I personally had issues in the past where the nixpkgs librewolf package was not written correctly and none of the librewolf patches were correctly applied. It’s really a choice between having only upstream bugs versus having upstream bugs and nixpkgs maintainer bugs. For most packages, the latter is okay, but for something like a privacy-preserving browser, this is unacceptable.

I use the -bin version instead now.

For non-privacy-related services, yes, use the built-from-source package from nixpkgs.

3 Likes

Eh, a combination of this and which upstream you trust more. I definitely think using unadulterated tor is a good idea, as that upstream takes it really seriously, but with the other browsers it’s less clear-cut.

As far as that specifically goes, depends on the browser. Firefox and .*chrom.* (including brave) will just send your user agent string including the OS you use, and include build details. You’re not getting significantly more privacy regardless of whether you use the -bin package or not; at best, the non-bin packages are probably better because they’ll turn off telemetry, so there’s at least one fewer company tracking your every move.

Some of the more explicitly privacy-focused (not just the ones advertising it, the ones where you pay a usability price) alternatives (e.g. librewolf) will take measures against this. Assuming no bugs, the -bin and nixpkgs packages should be mostly the same, but bugs do happen both upstream and downstream.

Tbh short of using tor everywhere you should probably never expect perfect privacy while browsing. Even browsers like librewolf leave behind significantly distinct fingerprints thanks to the wonders of JS (yes, despite best efforts in canvas blocking) and browsing habits. Hell, even disabling JS can often be a significant trace.

2 Likes

Ok, well Tor Browser and Mullvad Browser don’t have any -bin packages. They are built from source. Considering the very model of these browsers is to combat fingerprinting, this is a concern for me.

This is something I never expected, nor do I even use Tor everywhere. It is for very specific cases. However, I think it is extremely important to have the ability to use the official binaries easily for such use cases. Currently, it is very difficult, as it has to be run through nix-ld.

1 Like

tor-browser and mullvad-browser in nixpkgs are not built from source.
$ nix eval -f. tor-browser.meta.sourceProvenance
[ { isSource = false; shortName = "binaryNativeCode"; } ]

3 Likes
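The `nix eval` check above is the one thing worth turning into a habit: before trusting a package's build provenance, ask Nixpkgs what it declares. The script below is an added example (not from this thread or from Nixpkgs itself) that classifies the `meta.sourceProvenance` output for a list of attribute names. The function and attribute names are my own; `nix eval -f .` is only invoked when a `nix` binary is present, and the sample output strings are constructed from the format shown in the post. It assumes that a package with no `sourceProvenance` attribute at all is by Nixpkgs convention a from-source build, but it reports that case separately as `unset` rather than guessing.

```shell
#!/bin/sh
# Classify the text that `nix eval` prints for <pkg>.meta.sourceProvenance.
# Returns one of: binary | source | mixed | unknown
classify_provenance() {
  out="$1"
  has_bin=0; has_src=0
  case "$out" in *'isSource = false'*) has_bin=1 ;; esac
  case "$out" in *'isSource = true'*)  has_src=1 ;; esac
  if [ "$has_bin" = 1 ] && [ "$has_src" = 1 ]; then
    echo mixed          # e.g. source build that bundles a binary blob
  elif [ "$has_bin" = 1 ]; then
    echo binary         # redistributed pre-built artefact (binaryNativeCode etc.)
  elif [ "$has_src" = 1 ]; then
    echo source         # declared fromSource
  else
    echo unknown        # nothing recognisable in the output
  fi
}

# Query one attribute from the Nixpkgs checkout in the current directory.
# Hypothetical helper; needs a working `nix` and is not executed by any test.
provenance_of() {
  pkg="$1"
  if ! command -v nix >/dev/null 2>&1; then
    echo unknown; return 0
  fi
  # The attribute is absent on most from-source packages, so an eval error
  # is reported as "unset" instead of being treated as a failure.
  if out="$(nix eval -f . "$pkg.meta.sourceProvenance" 2>/dev/null)"; then
    classify_provenance "$out"
  else
    echo unset
  fi
}

# Audit several packages and print a tab-separated report.
audit_provenance() {
  for p in "$@"; do
    printf '%s\t%s\n' "$p" "$(provenance_of "$p")"
  done
}

# Usage from a Nixpkgs checkout:
#   audit_provenance tor-browser mullvad-browser librewolf brave
```

Run it from the root of a Nixpkgs checkout; a line ending in `binary` means the thread's point applies: the package wraps the upstream binary, so its fingerprint is the upstream fingerprint, and the `-bin`/non-`-bin` distinction discussed earlier does not exist for it.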

I think ultimately, if you wanted to hide from fingerprinting, a generic Debian VM with a 1920x1080 “screen” that never touches your network outside a VPN is the safer option. NixOS is just too particular, and I could easily imagine binaries or config could leak tracks of being built in the sandbox (not necessarily for tor, but the others you mentioned, like librewolf or Mullvad especially).

But honestly, if you’re hiding your fingerprint, it might be time for https://tails.net/ on a different laptop. And I guess we’re not as obscure of a distro anymore, so maybe the risk that an adversary realizes you were on NixOS is less severe than it used to be.

3 Likes

Current Tor Browser & Mullvad Browser Nixpkgs maintainer here.

The tor-browser & mullvad-browser Nix packages are small wrappers around the officially distributed binaries and should have little to no effect on the fingerprint.

I’m not an expert on fingerprinting in Tor/Mullvad Browser, however, fingerprints differ across different environments incl. platforms & operating systems. You can find some interesting details about this here:

Concerns about fingerprinting (and general laziness) have kept me from attempting to build these packages from source. However if I or someone else would attempt it in the future, tools like TZP can be used to compare many fingerprinting metrics between those versions to avoid deviations.

6 Likes