Re: [perpass] HTTP user-agent fingerprinting

Patrick Pelletier [2013-09-13T15:18]:
> encourage browsers not to send User-Agent at all.

It will not happen. This simple decision would break most of the Web (unfortunately). My daily work is to fight against bad user agent detection. It's so deep-rooted in the Web infrastructure that even simplifying it takes a lot of energy.

Today I was going through the stats of a very high-traffic web site that shared with me the list of all unique UA strings they collected over one week.

cat access-ua-log-7days.txt | wc -l
386 844

Yes… each of these is different. Some of them are just the usual ones, such as
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0"
with millions of occurrences.

From looking at the file I have, there are things which can be improved, though; some nasty things are done with some of the UA strings, with two areas worse than others:

* IE products such as third-party toolbars modifying the UA with a unique ID per user.
* some mobile products with a unique ID (most of the time put there by operators)

The spec could forbid it, but I guess it would be more a question of legal matters. Operators are sometimes using these unique IDs for services.

By the way, it's not only User-Agent; there are secondary things such as

X-Original-User-Agent
X-Device-User-Agent
Device-Stock-UA
X-OperaMini-Phone-UA
-- 
Karl Dubost
http://www.la-grange.net/karl/

Received on Friday, 13 September 2013 20:50:03 UTC
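As an added example (not part of the message above, and not the author's tooling), the following Python script applies the two observations in the message to a constructed set of UA strings: it counts distinct strings the way `wc -l` on a uniq'd list does, groups strings that differ only in identifier-looking tokens (long hex runs, long digit runs, GUIDs; the length thresholds are assumptions), and checks the secondary UA headers named in the message for the same tokens. The product names (ExampleBar, ExamplePhone, ExampleAgent), the identifier values and the request headers are all made up for the example.

```python
import re
from collections import defaultdict

# Secondary headers that carry a UA string alongside User-Agent (the four
# named in the message above).
SECONDARY_UA_HEADERS = (
    "X-Original-User-Agent",
    "X-Device-User-Agent",
    "Device-Stock-UA",
    "X-OperaMini-Phone-UA",
)

# Heuristic for tokens that look like a per-user identifier rather than a
# product/version token. Thresholds (12 hex chars, 10 digits) are assumptions;
# they are chosen so that dates such as Gecko/20100101 (8 digits) do not match.
_ID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"  # GUID
    r"|(?<![0-9a-zA-Z])(?=[0-9a-fA-F]*[a-fA-F])(?=[0-9a-fA-F]*\d)[0-9a-fA-F]{12,}(?![0-9a-zA-Z])"  # mixed hex run
    r"|(?<![0-9a-zA-Z.])\d{10,}(?![0-9a-zA-Z.])"  # long digit run (IMEI/subscriber-number style)
)

# Constructed sample of raw User-Agent values, one per request (not the
# author's data; products and identifiers are invented).
SAMPLE_UA_LINES = """\
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; ExampleBar 2.1; UID=8f3a9c1d2b4e7d01)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; ExampleBar 2.1; UID=c71e0d55aa93b204)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; ExampleBar 2.1; UID=3b9d2e7f10c4a6e8)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ExampleAgent/{7c2f1a4e-9b3d-4e6f-8a1b-2c3d4e5f6a7b})
Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; ExamplePhone Build/GRJ90) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 SUBNO=0123456789012
Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; ExamplePhone Build/GRJ90) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 SUBNO=0987654321098
Mozilla/5.0 (Linux; U; Android 2.3.5; en-us; ExamplePhone Build/GRJ90) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 SUBNO=0011223344556
"""

# Constructed request headers (an Opera Mini-style request with the phone's
# own UA relayed in a secondary header).
SAMPLE_HEADERS = {
    "Host": "example.com",
    "User-Agent": "Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.13918/28.3392; U; en) Presto/2.8.119 Version/11.10",
    "X-OperaMini-Phone-UA": "ExamplePhone/1.0 SUBNO=0123456789012",
}


def identifier_tokens(ua):
    """Return the identifier-looking substrings of one UA string."""
    return _ID_RE.findall(ua)


def normalize(ua):
    """Replace identifier-looking substrings with <ID>, keeping product tokens."""
    return _ID_RE.sub("<ID>", ua)


def count_unique(ua_lines):
    """Total non-empty lines and number of distinct UA strings among them."""
    seen = set()
    total = 0
    for line in ua_lines:
        line = line.strip()
        if line:
            total += 1
            seen.add(line)
    return total, len(seen)


def find_tracking_templates(ua_lines, min_distinct=3):
    """Group raw UA strings by normalized template and return the templates
    that contain an <ID> slot and were seen with at least min_distinct
    different raw values: the signature of a per-user identifier."""
    groups = defaultdict(set)
    for line in ua_lines:
        line = line.strip()
        if line:
            groups[normalize(line)].add(line)
    return {t: len(raws) for t, raws in groups.items()
            if "<ID>" in t and len(raws) >= min_distinct}


def audit_request(headers):
    """For User-Agent and each secondary UA header present (case-insensitive
    lookup), list the identifier-looking tokens found in its value."""
    lower = {k.lower(): v for k, v in headers.items()}
    found = {}
    for name in ("User-Agent",) + SECONDARY_UA_HEADERS:
        value = lower.get(name.lower())
        if value is not None and identifier_tokens(value):
            found[name] = identifier_tokens(value)
    return found


if __name__ == "__main__":
    lines = SAMPLE_UA_LINES.splitlines()
    total, unique = count_unique(lines)
    print("requests: %d, distinct UA strings: %d" % (total, unique))
    for template, n in find_tracking_templates(lines).items():
        print("%d distinct values for template: %s" % (n, template))
    for header, ids in audit_request(SAMPLE_HEADERS).items():
        print("%s carries identifier-looking tokens: %s" % (header, ids))
```

On a real list like the one in the message, the template grouping is what separates the 386,844 distinct strings into a small number of families with an ID slot (toolbar or operator injected) and the long tail of genuine product/version variation; tune the thresholds against your own false positives before acting on the output.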