From: Kevin Carhart <kevin@carhart.net>
To: edbrowse-dev@lists.the-brannons.com
Subject: [Edbrowse-dev] user agent spoofing
Date: Wed, 26 Aug 2015 16:19:31 -0700 (PDT) [thread overview]
Message-ID: <alpine.LRH.2.03.1508261542090.18174@carhart.net> (raw)
I happened to be in the section on user-agent spoofing in the manual. I
recently listened to a fascinating talk from an Infosec dude called Nick
Nikiforakis, and I can report back with chagrin that in its simplest
form, just calling yourself a Mozilla may no longer fly depending on what
kind of website the user is trying to go to. It's astonishing the kinds
of devious tricks they use. In addition to reading the settable user
agent string, they test hundreds of things over javascript, and create a
unique hash based on the answers.
For instance, they attempt to generate some text in a given font. If the
browser returns "I don't have it," this amounts to the answer to a
yes-or-no question. Do that for hundreds of fonts and you have quite a
unique hash.
Another one is that they will run a script that carries out some floating
point math. Then they examine the sequence of numbers in the extended
decimal places. This may have a consistency which can be used as part of
a fingerprint. What a nuisance. They overlay as many of these tests as
they can. It stands to reason that the most commercial sites would leave
no stone unturned, but I still slapped my forehead, "of course."
So for pages like startpage.com, which "won't let you in the door unless
you look like one of the major players," or the old example of an online
banking site, just setting ua1, ua2, will unfortunately be of declining
effectiveness if more sites use fingerprinting. Startpage could have new
ways of saying "We don't think you are really a new Mozilla as you claim."
Kevin
--------
Kevin Carhart * 415 225 5306 * The Ten Ninety Nihilists
next reply other threads:[~2015-08-26 23:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-26 23:19 Kevin Carhart [this message]
2015-08-27 5:34 ` Chris Brannon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LRH.2.03.1508261542090.18174@carhart.net \
--to=kevin@carhart.net \
--cc=edbrowse-dev@lists.the-brannons.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).