Can I detect Tor Browser inside the browser itself, via Javascript I suppose?
I'd like to disable some features of a web app I'm building, if the browser is Tor Browser. Can I inside the browser itself (client side, not server side) find out if the browser is Tor Browser?
I would prefer a solution that didn't issue any HTTP requests to match the browser's IP against Tor exit nodes.
Background: In my case, Tor Browser pops up a dialog that asks the user "Should Tor Browser allow this website to extract HTML5 canvas image data?", because, says Tor Browser, canvas image data can be used to uniquely identify a browser.
Update: After reading the answers below: Perhaps the best solution in my case, is to keep a list of Tor exit nodes server side (an up-to-date list, refreshed periodically), and when a browser loads the page, I set a variable in a <script> tag, if the browser's IP matches such an exit node: var isProbablyTorBrowser = true. Then, client side, no additional requests, or complicated logic, is needed.
Answer
The Tor browser is not designed to be undetectable (that's impossible to do). Rather, it is designed so that all copies are indistinguishable from each other: you cannot track a browser from one site to another, or from one visit to another, strictly through browser fingerprinting.
This gives it a distinct fingerprint of its own. As of right now, a browser that
- Has a User-Agent of
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 - Has a screen resolution that matches the browser window size (particularly if that size is 1000x800)
- Has a time zone of "0" (GMT)
- Has no plugins (
navigator.pluginsis empty)
is probably the TBB browser. The User-Agent string may change when the next ESR version of Firefox comes out, most likely to Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/38.0.
The screen resolution/browser window match alone may uniquely identify TBB: even in fullscreen mode, there's a one-pixel difference between window height and screen height in Firefox.