I am currently using a Firefox Add-on which generates a random user agent string from a large list of user agents.
I am trying to protect myself from organisations and governments with a lot of resources.
The reason I done this is that I thought if I used the default UA all the time my browser data would be static. My browser unique id would be persistent through my sessions, assuming they have methods of generating a unique id for each TOR Browser Bundle.
Is this practice safe?
The developers of the Tor Project specifically recommend that you Don't enable or install browser plugins. Unless you're able to dig into the source code of the plugin yourself you'll never know what it's doing underneath.
This particular plugin could do any number of presumably innocent things which could still expose your identity, including:
Tin-foil-hat-zone: It could even be developed by a nefarious agent (government or otherwise) and masked as a "privacy tool" whilst ultimately existing for the purpose of tracking/identifying you. Unless the plugin has been vetted & installed by default by the Tor Project you're trusting your privacy in somebody else's hands.
Somebody else can probably comment further on the specific safety implications of rotating user agents like that, but keeping everything standard in the the Tor Browser helps align your fingerprint with every other Tor Browser. You're probably likely to stand out more by rotating your UA this way. See this question for more on plugin fingerprinting in general.
All Tor browsers has standardized user agent which helps to make Tor users to be less distinguishable from each other. By changing your user agent periodically, you are making yourself more unique from other Tor users with the standardized user agent. They always can group all the visits with abnormal user agents under a "Tor" category (because it's easy to check if a user came from an exit node). Thus giving adversaries an potentially easier time to pin down the identity of a Tor user and the sites that user visits on the internet.
Don't do this. Pick a single User-Agent string and stick to it. You aren't fooling the web sites you visit, and that's what counts here.
After years of running websites, I can tell you that it is trivially easy to spot a user agent which is rotating its User-Agent string. They usually get IP banned because they're almost always malicious.
So not only do you stand out, but you also look to the webmaster like a spambot. Until you load up the images, CSS and possibly JavaScript. Then you just look strange and memorable. Which, I think, is exactly the opposite of what you want.
