From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out.smtp-auth.no-ip.com (smtp-auth.no-ip.com [8.23.224.61]) by hurricane.the-brannons.com (Postfix) with ESMTPS id 0558B77AA9 for ; Wed, 26 Aug 2015 16:17:28 -0700 (PDT) X-No-IP: carhart.net@noip-smtp X-Report-Spam-To: abuse@no-ip.com Received: from carhart.net (unknown [99.52.200.227]) (Authenticated sender: carhart.net@noip-smtp) by smtp-auth.no-ip.com (Postfix) with ESMTPA id DB1BB4012CB for ; Wed, 26 Aug 2015 16:19:33 -0700 (PDT) Received: from carhart.net (localhost [127.0.0.1]) by carhart.net (8.13.8/8.13.8) with ESMTP id t7QNJV9s013809 for ; Wed, 26 Aug 2015 16:19:31 -0700 Received: from localhost (kevin@localhost) by carhart.net (8.13.8/8.13.8/Submit) with ESMTP id t7QNJVQW013804 for ; Wed, 26 Aug 2015 16:19:31 -0700 Date: Wed, 26 Aug 2015 16:19:31 -0700 (PDT) From: Kevin Carhart To: edbrowse-dev@lists.the-brannons.com Message-ID: User-Agent: Alpine 2.03 (LRH 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Subject: [Edbrowse-dev] user agent spoofing X-BeenThere: edbrowse-dev@lists.the-brannons.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Edbrowse Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Aug 2015 23:17:28 -0000 I happened to be in the section on user-agent spoofing in the manual. I recently listened to a fascinating talk from an Infosec dude called Nick Nikiforakis, and I can report back with chagrin that in its simplest form, just calling yourself a Mozilla may no longer fly depending on what kind of website the user is trying to go to. It's astonishing the kinds of devious tricks they use. In addition to reading the settable user agent string, they test hundreds of things over javascript, and create a unique hash based on the answers. For instance, they attempt to generate some text in a given font. If the browser returns "I don't have it," this amounts to the answer to a yes-or-no question. Do that for hundreds of fonts and you have quite a unique hash. Another one is that they will run a script that carries out some floating point math. Then they examine the sequence of numbers in the extended decimal places. This may have a consistency which can be used as part of a fingerprint. What a nuisance. They overlay as many of these tests as they can. It stands to reason that the most commercial sites would leave no stone unturned, but I still slapped my forehead, "of course." So for pages like startpage.com, which "won't let you in the door unless you look like one of the major players," or the old example of an online banking site, just setting ua1, ua2, will unfortunately be of declining effectiveness if more sites use fingerprinting. Startpage could have new ways of saying "We don't think you are really a new Mozilla as you claim." Kevin -------- Kevin Carhart * 415 225 5306 * The Ten Ninety Nihilists