Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Chrome Google The Internet IT

Google To Phase Out User-Agent Strings in Chrome (zdnet.com) 119

Posted by msmash from the up-next dept.
Google has announced plans today to phase out the usage of user-agent strings in its web browser Chrome. From a report: UA strings have been developed part of the Netscape browser in the 90s, and have been in use ever since. For decades, websites have used UA strings to fine-tune features based on a visitor's technical specifications. But now, Google says that this once-useful mechanism has become a constant source of problems, on different fronts. For starters, UA strings have been used by online advertisers as a way to track and fingerprint website visitors. "On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites) , and sites (including Google properties) being broken in some browsers for no good reason," said Yoav Weiss, a Google engineer working on the Chrome browser.

To address these issues, Google said it plans to phase out the importance of UA strings in Chrome by freezing the standard as a whole. Google's plan is to stop updating Chrome's UA component with new strings (the UA string text that Chrome shares with websites). The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.
This discussion has been archived. No new comments can be posted.

Google To Phase Out User-Agent Strings in Chrome More

Google To Phase Out User-Agent Strings in Chrome

Comments Filter:

  • I can see a lot of "Enterprise" Apps being broken, because they were designed to read the UA strings, even if they didn't do anything with them, the fact that they are looking to read it could cause problems. Probably as a security feature to make sure those crazy guys who use to telent to port 80 were stopped.

    • From the summary

      > The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.

    • the enterprise thing it will mess up is security and configuration monitoring. Currently UA is a easy way of tracking the type and versions of software being used, and then is there is very rare chance that some malware will have a mistake in the falsified UA string.
      With a standardized UA string, that will be used by other applications, that goes away.

      • And with the move to silent updates all of the time by everything, the default assumption of "most current version" is likely now a good one, further reducing the need for a UA string.

        Whether or not software being able to phone home and keep itself updated at all times is a good thing is an entirely different question.

        • Re: (Score:2)

          by AK Marc ( 707885 )
          IT also helps to simplify support. I can't run Netlfix on my phone. A "global" phone, it doesn't return an expected Android version to Netflix, so Netflix will not run. Because of a mismatch between versions stated and versions expected. If versioning was simplified to 1.x versioning reported to apps, rather than 1.2.3.4.5.6.789 versioning, where an ommission/error on either side could result in a valid version that should work getting reported as "not supported"

          And your assumption things keep updated

          • >"And your assumption things keep updated is simply wrong, for phones. "

            Not just for phones. For some environments, it is extremely difficult to roll out a new browser version (especially a major one) without tons of time testing, configuring, customizing, training, etc. So not everyone can do "automatic" version updates, or certainly not at the ideal speed. It could take weeks or months. It is exactly the reason that Mozilla offers Firefox ESR, for example.

            It is bad to assume (from a web server prog

            • Re: (Score:2)

              by AK Marc ( 707885 )
              There needs to be a pop-up warning for an unsupported browser, then render anyway. The "evil" is failing to send the HTML because you didn't like something in the user-agent string. I used Opera for years, as it was much better than IE, and I liked it better than the alternatives at the time. The User-Agent String was always manually set, as failure to do so would generally get me lots of blocked pages. But if I lied to the "your browser isn't supported" pages, it usually rendered better than in the "su

    • Re: (Score:2, Insightful)

      by JoeyDot ( 5981942 )
      How many websites depend on the user agent for device detection? Literally millions. It's used significantly for things such as:

      * Pre-emptively delivering optimised content which is a huge market (same content, different format). * Determining which range of browsers to support through popularity. * Security, which ironically is a double edged sword, IE, you can detect vulnerable versions for good or bad. * Content negotiation based on audience which similar to security can be used for good or bad (diffe
      • Comment removed based on user account deletion

      • Welcome to slashdot. Please press the "quote" button and observe the tags it generates, and use those tags for quoting.

        Talk about less different things in a post. That way it makes more sense to reply. When you upload your entire thought process and include the asides, it makes it hard to respond in a constructive way.

        The whole thing is simple. When they say, "UA strings have been used by online advertisers as a way to track and fingerprint website visitors." What they actually mean is, they're one of the p

      • Re: (Score:3)

        by Jack9 ( 11421 )

        I'm sorry, but I know a little bit about UA, as most developers do. I am genuinely interested in how you come up with this stuff.

        > How many websites depend on the user agent for device detection? Literally millions. It's used significantly for things such as:

        Since they can be faked, they aren't any different than query strings except now you have a wholly different code chain to verify the text in a header.

        > * Pre-emptively delivering optimised content which is a huge market (same content, different f

      • Re: (Score:2)

        by AK Marc ( 707885 )

        Determining which range of browsers to support through popularity.

        How does that work when I used Opera from 2003 to 2010, and edited the string to reflect a modern version of IE, to avoid the "your browser is not supported" messages that simply ban browsers for being untested (which should have gotten everyone fired, assume they are IE compatible and build for IE, but don't enforce the rules by banning perfectly good browsers).

        But in using a more secure and faster browser, I also added to the IE statistics. Too bad there wasn't an "I'm lying" tag to add to the string, s

      • Flash was removed because it crushes battery life and because nothing of value was ever made in Flash. There was a very compelling reason to remove it, and no reason not to.

        • >"Flash was removed because it crushes battery life "

          And was replaced with stupid, unnecessary, never-ending animations and auto-play video. Which, unsurprisingly, crushes battery life (in addition to being extremely irritating).

    • Comment removed based on user account deletion

    • Wrong: if you know how to use telnet to make HTTP requests then itâ(TM)s only a small step further to add whatever UA string you like to the request header. I used to prepare my HTTP via telnet requests in a text editor and copy and paste in to the terminal as itâ(TM)s too easy to screw up protocol, path and host request headers when youâ(TM)re typing live and canâ(TM)t use backspace - from there itâ(TM)s easy enough to include UA.

      Surely the way to stop telnet people is to use HTTP

  • I love it (Score:4, Interesting)

    by jader3rd ( 2222716 ) on Tuesday January 14, 2020 @01:28PM (#59619878)
    Too many websites screw it up anyway. It's so sad to be able to fix a broken website by just changing the UA string.
    • but now how will websites charge some people higher prices [lifehacker.com] based on their browser/OS/hardware choices?
      • That's an actual thing? That's just plain evil, wrong, and probably should be illegal.

        • Re: (Score:3)

          by uncqual ( 836337 )

          What's wrong with that?

          I'm free to open two stores selling identical items, but the one in the low income area charges less per item than the one in the wealthy neighborhood just because poor folks don't have the money to give me higher profit margins. This is true even if the store in the wealthy neighborhood costs less to run because of reduced security requirements. If a business can segment markets for maximum profit based on physical location (either store location or customer IP address), why not base

          • Re:but how will they charge extra? (Score:4, Interesting)

            by Rick Schumann ( 4662797 ) on Tuesday January 14, 2020 @07:14PM (#59621440) Journal
            Ah, I see. So by your logic it's probably also okay to have two products, identical on the inside, but one labeled 'for men' and one labeled 'for women', and charge women (or men) more for their otherwise identical products? How about one marketed to blacks and one marketed to whites, identical otherwise, but you charge the blacks (or whites) more for it? You still okay with this logic of yours? It's identical logic.

            • Re: (Score:2)

              by uncqual ( 836337 )

              You, of course, didn't bother to read my entire post and reacted with a knee-jerk response.

              Read the parenthetical part of the last paragraph of my post you responded to (not including my sig) and get back to us.

              • Oh no no no I read all of it and it's 'status quo' discriminatory bullshit. If you actually think that way and honestly believe it's right and good and normal then you should feel bad about that. FFS I'm a middle-aged white dude like you very likely are and I just don't think that way.

            • He specifically said except protected classes. You jumped right into segmenting protected classes. That's stupid.

              Also segmenting by value is common, done by many, and an economic theory to maximise profit. Just because you're looking at one geographic distance that doesn't reveal it doesn't mean it's not something that *every* company does.

              • Why should anyone pay more or less for the same product or service, for any reason? Rhetorical question, they shouldn't.

    • Re: (Score:2)

      by mr5oh ( 1050964 )
      You are assuming websites dont take steps to fingerprint, track, or identify your browser in other ways. For mobile devices screen resolution or size might be a thought? This also only works if everyone else does it. Honestly I dont like the idea. For example I cant stand mobile pages, so right now Im posting this from my phone, using Firefox with a modified useragent so the webpage thinks Im using W10, FF 71, so I always see Desktop pages.

      • You are assuming websites dont take steps to fingerprint, track, or identify your browser in other ways. For mobile devices screen resolution or size might be a thought?

        Sure, but this will massively, MASSIVELY reduce the size of your browser fingerprint.

        They can't do it soon enough, IMHO. All a browser really needs to know is "mouse" or "touch screen". There's no need to know my OS version or anything like that.

  • I hope that spiders will continue to identify themselves as such.

  • Most colleges that do NAC have a self-registration system that uses a captive portal
    to download an agent application to users the first time they connect to the network.
    In most cases this just checks that their system is patched and AV protected before
    letting them on the network.

    The application offered to the user, and the backend behavior, vary based on what
    OS the user is using. Sometimes this involves bug workarounds for very specific
    versions of OSes. Barring an overly complex setup where client traffic

    • Re: (Score:3)

      by athmanb ( 100367 )

      "Hello Student. To get access to University of Foo's internal network you have to install our security app.

      If you are using a Windows PC, click _here_

      If you are using a Macintosh, click _here_"

      I just solved your problem, that'll be a $10k consultancy fee.

      • Don't listen to him. I'll do it for $9500. He's overcharging.

      • Re: (Score:2)

        by tepples ( 727027 )

        I'd imagine a few non-technical users don't even know whether they are using a Windows PC, a Mac, or a Chromebook. Where would they click?

      • Re: (Score:2)

        by skids ( 119237 )

        It's not just a matter of installing the correct agent on the user side. The built-in captive portal support -- which is supposedly there to help support just this sort of thing -- changes it's behavior from rev to rev especially on Apple, where we actually have to keep state in the portal because you have to do a special secret handshake where you allow one captive portal detection probe to go through then deny the next one from the CPA agent, but still allow them from Safari's agent once the user clicks

        • Re: (Score:2)

          by tepples ( 727027 )

          Why do you have to treat CPA and Safari any differently? Does iOS or macOS attempt to automatically agree to terms without presenting them to the user?

    • You used UAs in a way they were never intended and now you're upset when they changed the unwritten rules?

      • Re: (Score:2)

        by skids ( 119237 )

        I only support the porducts we buy. So don;t blame me. An entire industry went down this path. So changes like this have large impacts IRL... something googlers fail to take into account quite frequently.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      stupid crap

      The "stupid crap" is actually found on the other end of this particular scheme.

    • And a bit more difficult for everybody. Usually, when I go to download software I automatically get the right version for my OS. I'll get an MSI on Windows, a DMG on OSX, or a deb/tgz on Linux. While it's not the worst thing in the world to have to choose that, it is one step backwards.

  • Google is a terrible offender themselves. (Score:5, Interesting)

    by 0100010001010011 ( 652467 ) on Tuesday January 14, 2020 @01:33PM (#59619916)

    Alternative headline: "Google finds alternative way to ID you in their system, deprecating old methods that are easy to fake".

    I have a Firefox plugin that rotates my UA through recent versions of FF and Windows 8, 10 & Mac OS X. Google's sites are almost always guaranteed to fail.

    Despite having 2FA, google has blocked me from logging in because "Something is suspicious". I'm claiming I'm on Firefox ~68 on Windows, nothing more.

    Twitter complains 'something is suspicious' if you don't keep using the same user agent, but will still let you use the site. Nothing else fails, but Google won't let you log in.

    Hell, getting around curl or requsets working 90% of the time is shoving a 'legitimate' browser in there.

    • Another Alternative (Score:5, Insightful)

      by JBMcB ( 73720 ) on Tuesday January 14, 2020 @01:55PM (#59620042)

      Google disables user agent strings, encourages web sites to assume everyone is using Chrome and default to a chrome-optimized site.

      • Comment removed based on user account deletion

      • >"Google disables user agent strings, encourages web sites to assume everyone is using Chrome and default to a chrome-optimized site."

        I have no mod points, and was searching for this exact response. If anyone thinks Google is going this is going to help anyone but Google, they are probably mistaken. This is more likely a move to start to try and make all major browsers that are not Chrome but based on Chrom* look like Chrome; further solidifying their grip against the only two that are not Chom* (Firef

      • There was me thinking the exact opposite: perhaps they're worrying about declining market share/adoption of new versions and want to make this harder to detect? I stopped using Chrome years ago because itâ(TM)s a resource hog, long before I started avoiding it for privacy reasons. Iâ(TM)m sure itâ(TM)ll go the way of IE at some point in the future: once you get to the top, thereâ(TM)s only one way forward but down.

      • Re: (Score:2)

        by fintux ( 798480 )
        Also there's another story that Google wants to phase out cookies (https://tech.slashdot.org/story/20/01/14/1844252/cookies-track-you-across-the-internet-google-plans-to-phase-them-out). They want to have nearly complete control over advertising on the web. Actually, they want to have nearly complete control over the web in general.

    • I have a Firefox plugin that rotates my UA through recent versions of FF and Windows 8, 10 & Mac OS X. Google's sites are almost always guaranteed to fail.

      Despite having 2FA, google has blocked me from logging in because "Something is suspicious". I'm claiming I'm on Firefox ~68 on Windows, nothing more.

      My guess is that the culprit is ML. I don't know anything about the system used for detecting malicious/abusive traffic, but it wouldn't surprise me at all if it incorporates some machine learning algorithm these days, and your rotating UA makes you a strange outlier that it triggers on as suspicious. Or maybe not. Maybe there is some attack that relies on, or inadvertently uses, rotating UA strings so it could also be a human-written rule. But I'd bet on ML.

      I think getting rid of UAs is a better solu

      • 1. It won't ever let me log in to the point of 'seeing' a rotating UA.
        2. If I give you my password and my 2FA you let me in. My user agent is not any part of authentication. God forbid I have a lot of devices.

        But I have a suspicion that it's more than that. They do let you log in with the native UA. So they must have some additional way of detecting I'm not actually using Firefox 68 on Windows 10. It's not a sophisticated plugin, but only Google has ever had an issue with it.

        • If I give you my password and my 2FA you let me in

          Not necessarily. Particularly if it's an SMS-based 2FA, but even with more reliable 2FA systems, attackers can and do get hold of them. Google is actually extremely successful at accurately diagnosing out-of-pattern behavior that indicates attacks in progress and shutting them down, with very few false positives. I'm not sure what it is about your setup that causes the false positives. I wonder if it's not just the UA, though. Are you sure that it's the plugin that triggers the issue? And if so, are yo

        • Google image recaptcha also serves more captchas (harder), and slower if you change the UA. They obviously have some additional way to detect browser.

  • Alphabet is simply exercsing muscle here to solidify dominance.

  • I'm all for it (Score:3)

    by Artem S. Tashkinov ( 764309 ) on Tuesday January 14, 2020 @01:34PM (#59619924) Homepage

    Now it would be great if Google Chrome on Android also stopped sending the device name as part of a UA string. This is the reason I generally avoid this web browser.

    And now while we are at it, it would be great if all web browsers stopped sending your GPU Vendor and ID as part of WebGL [browserleaks.com] Renderer Info (Unmasked Vendor and Unmasked Renderer).

    Then it would be great if plugins [browserleaks.com] and installed fonts and were hidden by default and a hundred if not more various metrics which uniquely identify you.

    That will still leave canvas and WebGL fingerprinting, JS timing attacks, audio recording processing attacks but we should start we something, shouldn't we?

  • ... we own the engine that most browsers use now... why would anyone need to distinguish between different browsers?

    Sounds like something a wannabee monopolist would do.

    • Most competing browsers have to spoof UA string to appear to be chrome anyway, otherwise some sites just refuse to load. The less sites can rely on this string the better.

  • If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.

    And those users will probably switch to a different browser long before the website changes to accomodate no user-agent string.

    • If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.

      Isn't that proof of many poorly authored websites?

    • Comment removed based on user account deletion

      • Re: (Score:2)

        by mark-t ( 151149 )
        They wouldn't do so intentionally, but when people start using this version of Chrome, some websites might block them initially because they haven't been updated yet to recognize that it can't count on the user-agent string to recognize what browser the person is connecting with. By the time the websites are updated, Chrome users who used those websites will have already switched to other browsers.
        • Comment removed based on user account deletion

          • Re: (Score:2)

            by mark-t ( 151149 )

            Most obviously, the lack of any platform specified in the UA string.

            This is almost ceratin to cause some websites to deliver a desktop version of a website instead of a mobile one, and depending on the particular platform and what specific javascript code might be getting employed, it will simply fail on a lot of devices.

    • Re: (Score:2)

      by dmt0 ( 1295725 )

      If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.

      Those websites would have a pretty strong financial incentive to update their code. Considering that they loose the majority of their visitors.

  • I see this as a power-play by Google to define the standards for everyone else whether they like it or not. Should there be one standard? Yes. Should one tech company be allowed to define (read as: 'own') it? Probably not.

  • Actually read the article, and more (Score:5, Informative)

    by kingbilly ( 993754 ) on Tuesday January 14, 2020 @01:57PM (#59620058)
    Everyone is harping on Google but after reading the article, then linked articles, then links - I wound up on a W3 standards draft that said UA should go the way of the dodo and to not rely on it. So why is everyone acting like Google thought this up by themselves? Safari already did this too.

  • They just want to prevent users from clicking that user-friendly, non-ad-friendly "Desktop site" button in Chrome for Android. They probably noticed that about 90% Chrome's traffic (my number) in mobile phones is clicking news articles shared from another app (usually to a media outlet or blog - types of pages which mostly rely on mobile versions to be extra-heavy on popup and page-blocking ads). A lot of people insta-switch to Desktop Site to see a less cluttered, sometimes even non-paywalled or "sign-in-w

  • Their strategy is clearly a multi-prong approach:

    1. Serve more ads more ruthlessly with zero considerations for "view-ability" of an ad (so advertisers pay more but with fewer guarantees of impression quality).

    2. Not just break some sites but rather, break all sites by being more careless for feature compatibility considerations (beyond just adverts but wholesale features which are implemented differently across browsers and devices).

    3. Trying to develop a "long-game" to hopefully crush Mozilla Firefox by

  • And, when I did, it was always to detect Internet Explorer and attempt to work around it's deficiencies. So I can't see that this change will matter much to us.

    • >"And, when I did, it was always to detect Internet Explorer and attempt to work around it's deficiencies. So I can't see that this change will matter much to us."

      It will if sites stop caring which browser the client is using *AND* they program it to be only Chom* compliant (using "enhancements" that Google has added, just like IE did) instead of standards compliant. At that point, the "web" will break for anyone using the only two major browsers left- Firefox and Safari.

      • While I test against all major browsers, UA sniffing has never been particularly relevant because I refuse to write browser-specific code. My "IE sniffing" has been done mainly to pop up warnings about how one application or another won't work correctly in an MS browser, so they'll know they need to fire up Firefox or whatever.

        Generally that's been for internal web applications, where we have more latitude regarding what browsers we want people using.

  • Just a few weeks ago, Vivaldi announced that it was going to set its browser to identify as Chrome except on certain (Vivaldi support generally) websites. As Vivaldi is yet another Chromium-based browser (like Chrome itself), the only real differences between it and Chrome should be the UI. But many websites (yes, includung Google websites) insist on blocking access to "minority browsers", hence Vivaldi did not see any choice.

    So in reality, Google did this to themselves by blocking those same minority brows
  • User agent strings should be ignored completely unless you have a very specific reason to care. I can guarantee that google is misusing User agent strings and as they aren't designed to track users, are running into issues using them. Quit pretending like you are defining the server protocol with your client side changes
  • When non-technical users have problems with websites we maintain, they often can't tell us what browser they are using, but we can often find the user in our access logs and check the user agent to get some idea of how to reproduce the issue (or just give them instructions for how to update/install a new browser). Without UA strings, this helpdesk assistance won't work.

  • I've seen a number of spam emails which contain links to a redirection site that checks User-Agent and/or HTTP-Accept.

    It only redirects to the malicious content if it likes what it sees in User-Agent and HTTP-Accept. Otherwise, it just redirects to google.com or yahoo.com or some such. Just playing with the User-Agent and Accept strings with curl, I can get one behavior or the other.

    • Re: (Score:2)

      by mysidia ( 191772 )

      That is true... and you can bet the Malware are still going to fingerprint the browser;
      this change is just going to force the malware to adapt and do something more obscure that will be much harder to analyze.

      • And one today that returns the Apache "you haven't built a web site yet" page unless the user agent matches the intended target.

Slashdot Top Deals

It appears that PL/I (and its dialects) is, or will be, the most widely used higher level language for systems programming. -- J. Sammet

Close