W3C home > Mailing lists > Public > w3c-wai-ig@w3.org > January to March 2003

Re: please respond to original poster:Fw: user-agent header

From: David Woolley <david@djwhome.demon.co.uk>
Date: Mon, 17 Mar 2003 21:49:50 +0000 (GMT)
Message-Id: <200303172149.h2HLnoj12964@djwhome.demon.co.uk>
To: fairall@NS.SHELLWORLD.NET
Cc: w3c-wai-ig@w3.org

> Could someone give me the user-agent header for Internet Explorer 6? Bank
> of America claims that lynx doesn't support SSL encryption which I know is

This is a common question on the Lynx list, although I haven't seen
it recently.  However, there is another issue here in that forging
a User Agent in order to access a banking system could be considered
fraud, and will almost certainly put the user at risk of bearing the
full cost of any fraud by third parties.  In particular, it needs to be
noted that earlier versions of Lynx SSL don't authenticate the web site,
making them vulnerable to man in the middle attacks.

Faking may also violate trademarks and/or copyrights and does result in
Lynx being under-recorded as as source of web accesses.

Typically people do not fake the exact Internet Explorer string, but
include additional information to indicate that they are using Lynx.
In fact, this is what Internet Explorer does; it send its identity
as Mozilla, and then, only as a comment, sends its true identity.
Browser sniffing code no longer honours HTTP and uses the comment as
part of the match!

My guess is that, given the Internet Explorer precedent, you might
avoid a fraud accusation in this case, but you are probably still
have no defence if someone obtains your user ID and password and makes
unauthorised transactions.

By the way, was the claim made by a second line support person, as front
line support people probably have little idea what Lynx is?

I am not a lawyer; this is not legal advice.
Received on Monday, 17 March 2003 17:16:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 19 July 2011 18:14:08 GMT