Re: [perpass] HTTP user-agent fingerprinting

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 13 Sep 2013 20:51:30 +0000
To: "Roy T. Fielding" <fielding@gbiv.com>
cc: Patrick Pelletier <code@funwithsoftware.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, ietf-http-wg@w3.org, perpass@ietf.org
Message-ID: <5907.1379105490@critter.freebsd.dk>
In message <826E49BC-8F03-43DA-9B19-62F5C999B5C1@gbiv.com>, "Roy T. Fielding" writes:

>One could argue a lot of things, but disabling the often-used
>and very useful User-Agent string [...]

How about making it intelligently usable instead?

Right now everybody wastes bandwidth claiming to be "Mozilla/5.0"
with "Mozilla/4.0" being a distant second:

	root@phk:/usr/local/www/logs # grep -c Mozilla/4.0 thttpd.log
	44445
	root@phk:/usr/local/www/logs # grep -c Mozilla/5.0 thttpd.log
	369977
	root@phk:/usr/local/www/logs # wc -l thttpd.log
	  520850 thttpd.log

with the result that those 12 bytes (incl the next SP) are just
a total waste of bandwidth.

HTTP/2.0 would be a great chance to stop this race to the bottom
where everybody sticks everything they can think of into User-Agent
in the hope that the dudes in the other end are incompetent enough
to actually cater for broken browsers.

If nothing else, putting a hard 32 byte limit on the string would
be a BIG improvement, since that would force people to transmit
only the necessary and useful information.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 13 September 2013 20:51:55 UTC
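
An added example, not part of the original message: a sketch that extends the grep counts above to measure, per access log, how many bytes go to the 12-byte "Mozilla/5.0 " prefix and how many User-Agent strings exceed the proposed 32-byte limit. It assumes Combined Log Format with User-Agent as the last quoted field; the function names and sample lines are constructed for illustration.

```python
import re

# Assumed layout: Combined Log Format, which ends with "referer" "user-agent".
UA_RE = re.compile(r'"(?:[^"\\]|\\.)*" "((?:[^"\\]|\\.)*)"\s*$')
PREFIX = b"Mozilla/5.0 "  # the 12 bytes from the message: token plus SP
LIMIT = 32                # the hard cap proposed in the message

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = '''\
192.0.2.1 - - [13/Sep/2013:20:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; FreeBSD amd64; rv:23.0) Gecko/20100101 Firefox/23.0"
192.0.2.2 - - [13/Sep/2013:20:00:02 +0000] "GET /a HTTP/1.1" 200 90 "http://example.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.3 - - [13/Sep/2013:20:00:03 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.32.0"
192.0.2.4 - - [13/Sep/2013:20:00:04 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
192.0.2.5 - - [13/Sep/2013:20:00:05 +0000] "GET /b HTTP/1.1" 304 0 "-" "-"
192.0.2.6 - - [13/Sep/2013:20:00:06 +0000] "GET /x HTTP/1.0" 400 0
'''

def user_agent(line):
    """Return the User-Agent field as bytes, or None if the line has none."""
    m = UA_RE.search(line)
    return m.group(1).encode("utf-8") if m else None

def ua_stats(lines):
    """Tally prefix overhead and over-limit strings across log lines."""
    stats = dict(requests=0, prefixed=0, prefix_bytes=0,
                 ua_bytes=0, over_limit=0, bytes_over_limit=0)
    for line in lines:
        ua = user_agent(line)
        if ua is None:          # malformed or truncated line: skip it
            continue
        stats["requests"] += 1
        stats["ua_bytes"] += len(ua)
        # Unlike grep -c, count only strings that *start* with the prefix.
        if ua.startswith(PREFIX):
            stats["prefixed"] += 1
            stats["prefix_bytes"] += len(PREFIX)
        if len(ua) > LIMIT:
            stats["over_limit"] += 1
            stats["bytes_over_limit"] += len(ua) - LIMIT
    return stats

if __name__ == "__main__":
    for key, value in ua_stats(SAMPLE_LOG.splitlines()).items():
        print(f"{key:18}{value}")
```
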