Google To Phase Out User-Agent Strings in Chrome (zdnet.com)
Google has announced plans today to phase out the usage of user-agent strings in its web browser Chrome. From a report: UA strings were developed as part of the Netscape browser in the 90s, and have been in use ever since. For decades, websites have used UA strings to fine-tune features based on a visitor's technical specifications. But now, Google says that this once-useful mechanism has become a constant source of problems, on different fronts. For starters, UA strings have been used by online advertisers as a way to track and fingerprint website visitors. "On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason," said Yoav Weiss, a Google engineer working on the Chrome browser.
To address these issues, Google said it plans to phase out the importance of UA strings in Chrome by freezing the standard as a whole. Google's plan is to stop updating Chrome's UA component with new strings (the UA string text that Chrome shares with websites). The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.
How many Broken Enterprise Apps? (Score:1)
I can see a lot of "Enterprise" Apps being broken, because they were designed to read the UA strings; even if they didn't do anything with them, the fact that they are looking to read it could cause problems. Probably as a security feature to make sure those crazy guys who used to telnet to port 80 were stopped.
Re: (Score:1)
From the summary
> The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.
Re: (Score:2)
With a standardized UA string, that will be used by other applications, that goes away.
Re: (Score:2)
And with the move to silent updates all of the time by everything, the default assumption of "most current version" is likely now a good one, further reducing the need for a UA string.
Whether or not software being able to phone home and keep itself updated at all times is a good thing is an entirely different question.
Re: (Score:2)
And your assumption things keep updated
Re: (Score:2)
>"And your assumption things keep updated is simply wrong, for phones. "
Not just for phones. For some environments, it is extremely difficult to roll out a new browser version (especially a major one) without tons of time testing, configuring, customizing, training, etc. So not everyone can do "automatic" version updates, or certainly not at the ideal speed. It could take weeks or months. It is exactly the reason that Mozilla offers Firefox ESR, for example.
It is bad to assume (from a web server prog
Re: (Score:2)
Re: (Score:2, Insightful)
* Pre-emptively delivering optimised content which is a huge market (same content, different format). * Determining which range of browsers to support through popularity. * Security, which ironically is a double edged sword, IE, you can detect vulnerable versions for good or bad. * Content negotiation based on audience which similar to security can be used for good or bad (diffe
Re: (Score:2)
Re: (Score:2)
Welcome to slashdot. Please press the "quote" button and observe the tags it generates, and use those tags for quoting.
Talk about less different things in a post. That way it makes more sense to reply. When you upload your entire thought process and include the asides, it makes it hard to respond in a constructive way.
The whole thing is simple. When they say, "UA strings have been used by online advertisers as a way to track and fingerprint website visitors." What they actually mean is, they're one of the p
Re: (Score:3)
I'm sorry, but I know a little bit about UA, as most developers do. I am genuinely interested in how you come up with this stuff.
> How many websites depend on the user agent for device detection? Literally millions. It's used significantly for things such as:
Since they can be faked, they aren't any different than query strings except now you have a wholly different code chain to verify the text in a header.
> * Pre-emptively delivering optimised content which is a huge market (same content, different f
Re: (Score:2)
Determining which range of browsers to support through popularity.
How does that work when I used Opera from 2003 to 2010, and edited the string to reflect a modern version of IE, to avoid the "your browser is not supported" messages that simply ban browsers for being untested (which should have gotten everyone fired, assume they are IE compatible and build for IE, but don't enforce the rules by banning perfectly good browsers).
But in using a more secure and faster browser, I also added to the IE statistics. Too bad there wasn't an "I'm lying" tag to add to the string, s
Re: How many Broken Enterprise Apps? (Score:2)
Flash was removed because it crushes battery life and because nothing of value was ever made in Flash. There was a very compelling reason to remove it, and no reason not to.
Re: (Score:2)
>"Flash was removed because it crushes battery life "
And was replaced with stupid, unnecessary, never-ending animations and auto-play video. Which, unsurprisingly, crushes battery life (in addition to being extremely irritating).
Re: How many Broken Enterprise Apps? (Score:2)
I don't think simple CSS animations are a problem. Phones already animate everything. It's true that video is the new Flash. Nothing important was ever put on the Internet in video form, so you can just disable it.
Re: (Score:3)
Re: How many Broken Enterprise Apps? (Score:2)
Wrong: if you know how to use telnet to make HTTP requests then it's only a small step further to add whatever UA string you like to the request header. I used to prepare my HTTP via telnet requests in a text editor and copy and paste into the terminal as it's too easy to screw up protocol, path and host request headers when you're typing live and can't use backspace - from there it's easy enough to include UA.
Surely the way to stop telnet people is to use HTTP
I love it (Score:4, Interesting)
but how will they charge extra? (Score:3)
Re: (Score:2)
Re: (Score:3)
What's wrong with that?
I'm free to open two stores selling identical items, but the one in the low income area charges less per item than the one in the wealthy neighborhood just because poor folks don't have the money to give me higher profit margins. This is true even if the store in the wealthy neighborhood costs less to run because of reduced security requirements. If a business can segment markets for maximum profit based on physical location (either store location or customer IP address), why not base
Re:but how will they charge extra? (Score:4, Interesting)
Re: (Score:2)
You, of course, didn't bother to read my entire post and reacted with a knee-jerk response.
Read the parenthetical part of the last paragraph of my post you responded to (not including my sig) and get back to us.
Re: (Score:3)
Re: (Score:2)
He specifically said except protected classes. You jumped right into segmenting protected classes. That's stupid.
Also segmenting by value is common, done by many, and an economic theory to maximise profit. Just because you're looking at one geographic distance that doesn't reveal it doesn't mean it's not something that *every* company does.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
You are assuming websites don't take steps to fingerprint, track, or identify your browser in other ways. For mobile devices screen resolution or size might be a thought?
Sure, but this will massively, MASSIVELY reduce the size of your browser fingerprint.
They can't do it soon enough, IMHO. All a browser really needs to know is "mouse" or "touch screen". There's no need to know my OS version or anything like that.
Interesting (Score:1)
I hope that spiders will continue to identify themselves as such.
Well, that's going to make life difficult for NAC (Score:2)
Most colleges that do NAC have a self-registration system that uses a captive portal
to download an agent application to users the first time they connect to the network.
In most cases this just checks that their system is patched and AV protected before
letting them on the network.
The application offered to the user, and the backend behavior, vary based on what
OS the user is using. Sometimes this involves bug workarounds for very specific
versions of OSes. Barring an overly complex setup where client traffic
Re: (Score:3)
"Hello Student. To get access to University of Foo's internal network you have to install our security app.
If you are using a Windows PC, click _here_
If you are using a Macintosh, click _here_"
I just solved your problem, that'll be a $10k consultancy fee.
Re: (Score:2)
Don't listen to him. I'll do it for $9500. He's overcharging.
Re: (Score:2)
I'd imagine a few non-technical users don't even know whether they are using a Windows PC, a Mac, or a Chromebook. Where would they click?
Re: (Score:2)
It's not just a matter of installing the correct agent on the user side. The built-in captive portal support -- which is supposedly there to help support just this sort of thing -- changes its behavior from rev to rev especially on Apple, where we actually have to keep state in the portal because you have to do a special secret handshake where you allow one captive portal detection probe to go through then deny the next one from the CPA agent, but still allow them from Safari's agent once the user clicks
Re: (Score:2)
Why do you have to treat CPA and Safari any differently? Does iOS or macOS attempt to automatically agree to terms without presenting them to the user?
Re: (Score:3)
Re: (Score:2)
I only support the products we buy. So don't blame me. An entire industry went down this path. So changes like this have large impacts IRL... something googlers fail to take into account quite frequently.
Re: (Score:3, Funny)
stupid crap
The "stupid crap" is actually found on the other end of this particular scheme.
Re: Well, that's going to make life difficult for (Score:2)
And a bit more difficult for everybody. Usually, when I go to download software I automatically get the right version for my OS. I'll get an MSI on Windows, a DMG on OSX, or a deb/tgz on Linux. While it's not the worst thing in the world to have to choose that, it is one step backwards.
Google is a terrible offender themselves. (Score:5, Interesting)
Alternative headline: "Google finds alternative way to ID you in their system, deprecating old methods that are easy to fake".
I have a Firefox plugin that rotates my UA through recent versions of FF and Windows 8, 10 & Mac OS X. Google's sites are almost always guaranteed to fail.
Despite having 2FA, google has blocked me from logging in because "Something is suspicious". I'm claiming I'm on Firefox ~68 on Windows, nothing more.
Twitter complains 'something is suspicious' if you don't keep using the same user agent, but will still let you use the site. Nothing else fails, but Google won't let you log in.
Hell, getting around curl or requests working 90% of the time is shoving a 'legitimate' browser in there.
Another Alternative (Score:5, Insightful)
Google disables user agent strings, encourages web sites to assume everyone is using Chrome and default to a chrome-optimized site.
Re: (Score:2)
Re: (Score:2)
>"Google disables user agent strings, encourages web sites to assume everyone is using Chrome and default to a chrome-optimized site."
I have no mod points, and was searching for this exact response. If anyone thinks Google doing this is going to help anyone but Google, they are probably mistaken. This is more likely a move to start to try and make all major browsers that are not Chrome but are based on Chrom* look like Chrome; further solidifying their grip against the only two that are not Chrom* (Firef
Re: Another Alternative (Score:2)
There was me thinking the exact opposite: perhaps they're worrying about declining market share/adoption of new versions and want to make this harder to detect? I stopped using Chrome years ago because it's a resource hog, long before I started avoiding it for privacy reasons. I'm sure it'll go the way of IE at some point in the future: once you get to the top, there's only one way forward but down.
Re: (Score:2)
Re: (Score:2)
I have a Firefox plugin that rotates my UA through recent versions of FF and Windows 8, 10 & Mac OS X. Google's sites are almost always guaranteed to fail.
Despite having 2FA, google has blocked me from logging in because "Something is suspicious". I'm claiming I'm on Firefox ~68 on Windows, nothing more.
My guess is that the culprit is ML. I don't know anything about the system used for detecting malicious/abusive traffic, but it wouldn't surprise me at all if it incorporates some machine learning algorithm these days, and your rotating UA makes you a strange outlier that it triggers on as suspicious. Or maybe not. Maybe there is some attack that relies on, or inadvertently uses, rotating UA strings so it could also be a human-written rule. But I'd bet on ML.
I think getting rid of UAs is a better solu
Re: (Score:2)
1. It won't ever let me log in to the point of 'seeing' a rotating UA.
2. If I give you my password and my 2FA you let me in. My user agent is not any part of authentication. God forbid I have a lot of devices.
But I have a suspicion that it's more than that. They do let you log in with the native UA. So they must have some additional way of detecting I'm not actually using Firefox 68 on Windows 10. It's not a sophisticated plugin, but only Google has ever had an issue with it.
Re: (Score:2)
If I give you my password and my 2FA you let me in
Not necessarily. Particularly if it's an SMS-based 2FA, but even with more reliable 2FA systems, attackers can and do get hold of them. Google is actually extremely successful at accurately diagnosing out-of-pattern behavior that indicates attacks in progress and shutting them down, with very few false positives. I'm not sure what it is about your setup that causes the false positives. I wonder if it's not just the UA, though. Are you sure that it's the plugin that triggers the issue? And if so, are yo
Re: (Score:2)
Google image recaptcha also serves more captchas (harder), and slower if you change the UA. They obviously have some additional way to detect browser.
Re: Google is a terrible offender themselves. (Score:2)
That's dumb, though. The cookies identify the session. The server identifies the user with that session.
There's no logical reason to assume a UA switch is a new user, or even a new browser. Many (most?) browsers let you change it on the fly. And major browsers let you export/import cookies.
Not to mention using dumped cookies for debugging with curl or whatnot (though in these cases you can spoof the UA).
Its a total CROCK of poo (Score:2)
I'm all for it (Score:3)
Now it would be great if Google Chrome on Android also stopped sending the device name as part of a UA string. This is the reason I generally avoid this web browser.
And now while we are at it, it would be great if all web browsers stopped sending your GPU Vendor and ID as part of WebGL [browserleaks.com] Renderer Info (Unmasked Vendor and Unmasked Renderer).
Then it would be great if plugins [browserleaks.com] and installed fonts were hidden by default, along with a hundred if not more various metrics which uniquely identify you.
That will still leave canvas and WebGL fingerprinting, JS timing attacks, audio recording processing attacks, but we should start with something, shouldn't we?
Gee, Google probably thinks ... (Score:2)
... we own the engine that most browsers use now... why would anyone need to distinguish between different browsers?
Sounds like something a wannabee monopolist would do.
Re: (Score:2)
What can possibly go wrong with this? (Score:3)
If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.
And those users will probably switch to a different browser long before the website changes to accommodate no user-agent string.
Re: (Score:2)
If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.
Isn't that proof of many poorly authored websites?
Re:What can possibly go wrong with this? (Score:4, Insightful)
Of course, but that doesn't mean that the chrome users will not be switching browsers when chrome stops working for them.
The fact that it might be the website's fault is irrelevant.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Most obviously, the lack of any platform specified in the UA string.
This is almost certain to cause some websites to deliver a desktop version of a website instead of a mobile one, and depending on the particular platform and what specific javascript code might be getting employed, it will simply fail on a lot of devices.
Re: (Score:2)
If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.
Those websites would have a pretty strong financial incentive to update their code, considering that they lose the majority of their visitors.
Google wants to own the Web (Score:2, Insightful)
Actually read the article, and more (Score:5, Informative)
Re: (Score:2)
"User agents SHOULD deprecate the User-Agent header in favor of the Client Hints model described in this document."
Re: (Score:2)
What set of Client Hints is Chrome going to use? Neither ZDNet nor the Chromium link they have seems to say so.
Related note: While looking for this, I discovered that Google is touting how they're going to disable third-party cookies [chromium.org] to make the web more "private." This is a little rich, considering that Google Analytics uses first-party cookies.
Re: (Score:3)
Google's obvious plan (Score:2)
They just want to prevent users from clicking that user-friendly, non-ad-friendly "Desktop site" button in Chrome for Android. They probably noticed that about 90% Chrome's traffic (my number) in mobile phones is clicking news articles shared from another app (usually to a media outlet or blog - types of pages which mostly rely on mobile versions to be extra-heavy on popup and page-blocking ads). A lot of people insta-switch to Desktop Site to see a less cluttered, sometimes even non-paywalled or "sign-in-w
Allow me to rephrase: More Ads for EVERYONE! (Score:2)
1. Serve more ads more ruthlessly with zero considerations for "view-ability" of an ad (so advertisers pay more but with fewer guarantees of impression quality).
2. Not just break some sites but rather, break all sites by being more careless for feature compatibility considerations (beyond just adverts but wholesale features which are implemented differently across browsers and devices).
3. Trying to develop a "long-game" to hopefully crush Mozilla Firefox by
Haven't parsed UA strings in a while (Score:2)
And, when I did, it was always to detect Internet Explorer and attempt to work around its deficiencies. So I can't see that this change will matter much to us.
Re: (Score:2)
>"And, when I did, it was always to detect Internet Explorer and attempt to work around its deficiencies. So I can't see that this change will matter much to us."
It will if sites stop caring which browser the client is using *AND* they program it to be only Chrom* compliant (using "enhancements" that Google has added, just like IE did) instead of standards compliant. At that point, the "web" will break for anyone using the only two major browsers left- Firefox and Safari.
Re: (Score:2)
While I test against all major browsers, UA sniffing has never been particularly relevant because I refuse to write browser-specific code. My "IE sniffing" has been done mainly to pop up warnings about how one application or another won't work correctly in an MS browser, so they'll know they need to fire up Firefox or whatever.
Generally that's been for internal web applications, where we have more latitude regarding what browsers we want people using.
Minority browser (Score:2)
So in reality, Google did this to themselves by blocking those same minority brows
Web browsers should not define standards (Score:2)
UA is good for debugging (Score:2)
Re: (Score:2)
Re: (Score:2)
Malware uses User-Agent (Score:2)
I've seen a number of spam emails which contain links to a redirection site that checks User-Agent and/or HTTP-Accept.
It only redirects to the malicious content if it likes what it sees in User-Agent and HTTP-Accept. Otherwise, it just redirects to google.com or yahoo.com or some such. Just playing with the User-Agent and Accept strings with curl, I can get one behavior or the other.
Re: (Score:2)
That is true... and you can bet the malware is still going to fingerprint the browser;
this change is just going to force the malware to adapt and do something more obscure that will be much harder to analyze.
Re: (Score:2)
And one today that returns the Apache "you haven't built a web site yet" page unless the user agent matches the intended target.
Re: (Score:3)
Hint: You can fake any UA string you like. You've been able to do it since browsers first included one.
And, beyond that, almost all browsers are Chromium based anyway - even Edge as of next week.
No, the standard should make it clear (Score:3)
User agents are basically a hack that allows browser developers and standards committees to be lazy and sloppy. There shouldn't be differences in behavior between browsers. That's the point of having a standard to begin with. If the standard says what to do and the browser developer doesn't do it, that's a bug in the browser's impleme
Devil's advocate (Score:3)
So yeah, it makes sense to be cautious of Google saying this in particular, even if they're right in theory.
Re: (Score:2)
>"I'll play both sides here because a good counter-argument to myself just occurred to me. While ideally, things should work the way I outlined above, Google being in a market-dominant position has no incentive to actually abide by the specification."
LOL- I did the exact same thing in a posting 30 minutes ago, before I saw yours. I hate UA and what horrible things were done with it. But GOOGLE isn't necessarily doing it for the right reasons at all.
So +1 Insightful to you with my imaginary mod points.
Re: (Score:2)
Capability testing is the alternative and it has been a best practice for a long time - even though adoption has been poor. Try to create an object and then use proper error-handling to fall back to another standard.
What good is UA sniffing if you can't possibly keep track of all the derivatives? It relies on knowing every permutation rather than checking for what you need.
How to create an object without JS? (Score:2)
Try to create an object
Say you want to test for HTML capability, CSS capability, image decoding capability, audio decoding capability, video decoding capability, ability to execute a downloadable native application installer designed for a particular platform, or a particular platform's GUI styling to which you intend to conform. How do you "create an object" on a browser whose user has not turned on JavaScript for your domain?
Re: (Score:2)
You don't. There's no need to support insecure outdated browsers.
However, CSS should always be designed such that it can fall back to accessible or you'd be leaving out screen readers and the like.
Are you saying that user agents are used to determine whether JPEGs are inserted server-side? They're not. I'm only talking about where user agent sniffing actually makes sense. And if one more web site tries to direct me to the Windows installer when I'm trying to download for another platform from Windows, I wi
Re: (Score:2)
Say you want to test for [HTML features that don't involve JavaScript] on a browser whose user has not turned on JavaScript
You don't. There's no need to support insecure outdated browsers.
Unless I'm misunderstanding you, you appear to be calling browsers with JavaScript turned off "insecure outdated browsers." What in particular makes the current version of Firefox with the NoScript extension and the current version of Google Chrome with the NoScript extension "insecure" or "outdated"?
Are you saying that user agents are used to determine whether JPEGs are inserted server-side? They're not.
I'm talking about "Is this browser new enough to support WebP? If so, send WebP. If not, send JPEG." Or should that be done through Accept: instead?
Re: (Score:2)
Unless I'm misunderstanding you, you appear to be calling browsers with JavaScript turned off "insecure outdated browsers." What in particular makes the current version of Firefox with the NoScript extension and the current version of Google Chrome with the NoScript extension "insecure" or "outdated"?
No - I'm talking about fallback within Javascript. Web sites should always have a fallback mechanism for no javascript unless they are literally JS web apps. You don't need to serve two versions of a site to make that happen.
I'm talking about "Is this browser new enough to support WebP? If so, send WebP. If not, send JPEG." Or should that be done through Accept: instead?
Where does UA sniffing come into play?
<picture>
  <source type="image/webp" srcset="image.webp">
  <source type="image/jpeg" srcset="image.jpg">
  <img src="image.jpg" alt="My Image">
</picture>
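The question a few posts up was whether the WebP-or-JPEG choice should be driven by the Accept header rather than the user agent; the markup above answers it client-side. As an added example (not code from this thread), here is the server-side counterpart: it negotiates the image type from the request's Accept header alone, never looking at User-Agent. The request headers it is fed are constructed samples, and the rule that wildcards may not select WebP is an assumption about client behaviour, stated in the comments.

```javascript
// Added example: server-side image negotiation from the Accept header only.
// Nothing here consults User-Agent; a client that can decode WebP says so
// by listing image/webp explicitly.

// Parse an Accept header into [{type, subtype, q}], honouring q-values.
function parseAccept(header) {
  if (!header) return [];
  return header
    .split(",")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const [mediaRange, ...params] = part.split(";").map((s) => s.trim());
      const [type, subtype = "*"] = mediaRange.toLowerCase().split("/");
      let q = 1; // RFC 7231 default when no q parameter is given
      for (const p of params) {
        const [k, v] = p.split("=");
        if (k.trim().toLowerCase() === "q") {
          const parsed = parseFloat(v);
          q = Number.isFinite(parsed) ? Math.min(Math.max(parsed, 0), 1) : 0;
        }
      }
      return { type, subtype, q };
    });
}

// Most specific range matching a concrete media type: 2 = exact,
// 1 = type/*, 0 = */*; null when the header does not cover it at all.
function bestMatch(accepts, mediaType) {
  const [type, subtype] = mediaType.toLowerCase().split("/");
  let best = null;
  for (const a of accepts) {
    let specificity;
    if (a.type === type && a.subtype === subtype) specificity = 2;
    else if (a.type === type && a.subtype === "*") specificity = 1;
    else if (a.type === "*" && a.subtype === "*") specificity = 0;
    else continue;
    if (best === null || specificity > best.specificity) {
      best = { q: a.q, specificity };
    }
  }
  return best;
}

// Candidates in server preference order. Formats newer than the JPEG baseline
// are explicitOnly: a wildcard such as image/* or */* must not select them,
// because (assumption) clients that predate WebP send those wildcards too
// without being able to decode it. The last entry is the universal fallback.
const IMAGE_CANDIDATES = [
  { mediaType: "image/webp", explicitOnly: true },
  { mediaType: "image/jpeg", explicitOnly: false },
];

// Returns the media type to serve; a q=0 entry is an explicit rejection.
function negotiateImage(acceptHeader, candidates = IMAGE_CANDIDATES) {
  const accepts = parseAccept(acceptHeader);
  let chosen = null;
  let chosenQ = 0;
  for (const c of candidates) {
    const m = bestMatch(accepts, c.mediaType);
    if (!m || m.q <= 0) continue;
    if (c.explicitOnly && m.specificity < 2) continue;
    if (m.q > chosenQ) { chosen = c.mediaType; chosenQ = m.q; }
  }
  return chosen || candidates[candidates.length - 1].mediaType;
}

// Response headers for the chosen variant. "Vary: Accept" is essential:
// without it a shared cache may hand a WebP body to a client that asked
// for JPEG, which is how negotiation-by-header bugs usually surface.
function imageResponseHeaders(acceptHeader) {
  return { "Content-Type": negotiateImage(acceptHeader), "Vary": "Accept" };
}

// Constructed sample headers: a modern browser, an older one, and curl.
const SAMPLES = {
  modern: "image/webp,image/apng,image/*,*/*;q=0.8",
  older: "image/png,image/*;q=0.8,*/*;q=0.5",
  curl: "*/*",
};
for (const [name, accept] of Object.entries(SAMPLES)) {
  console.log(name, "->", negotiateImage(accept));
}
```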
Re: (Score:2)
Web sites should always have a fallback mechanism for no javascript unless they are literally JS web apps.
Some browsers with JavaScript turned off have a particular CSS feature. Other browsers with JavaScript turned off lack this particular CSS feature. Without a User-agent field, and without JavaScript, how can the server know whether to serve the style sheet whose visual portion is optimized for browsers that have the feature or the style sheet whose visual portion is optimized for browsers that lack it? As for your previous comment:
Re: (Score:2)
how can the server know whether to serve the style sheet whose visual portion is optimized for browsers that have the feature or the style sheet whose visual portion is optimized for browsers that lack it?
If you're building a web site in the 2010s or 2020s where you are sending different content at the server side depending on request headers, you're doing it very wrong. Whether it's desktop browser, Lynx, mobile phone, screen reader or set top box, you design one version of a page and you take into account all the layers of fallback necessary to have a usable design no matter what.
Re: (Score:2)
Different browsers handle HTML differently on different platforms.
If the app devs can't adjust for it, won't there be cases where it looks broken or it just doesn't work?
Why should millions of websites write specific code to cater to lazy / shitty devs that don't write a browser to conform to well defined specs? Write the site to HTML / CSS specs and if it doesn't work in a specific browser, make the damn browser devs fix their shit. This goes for Google too, if Chrome isn't rendering the spec properly the sites can tell the users to bitch at the devs ( bonus points for linking to the Chrome feedback area ).
If the websites have to code around broken shit for every bro
Re: (Score:2)
We don't need 6 different websites written for the same page. We need one website written to standards and the fucking browsers to display the standardized code properly.
What are the "standards" for relative placement of the "Cancel" button and the verb button ("Save" or "Send" or whatever)? Windows has Cancel on right; macOS has Cancel on left.
Re: (Score:3)
Re: (Score:2)
UA strings no longer have their uses. It's been used for literal decades as a way to lock out Chrome users from sites that would otherwise work just fine. Nobody should use UA-sniffing for determining capabilities - it relies on each site keeping track of a massive list of permutations of rendering engines and their derivatives.
Re: (Score:2)
Re: Hopefully this will destroy all mobile website (Score:2)
The only time mobile sites are any good is when they precede the desktop site and mobile app.
Re: Who can forget the "Borked" version of Opera? (Score:2)
Is there anything of any value on MSN home page? I can't say I've ever spent any time on it. Over the years, MSN and Bing have been two of the biggest pain in the arse websites for me because they've been the default home page in IE, which I only ever use via RDP on a remote machine I'm managing. Why the hell Microsoft would default to an overly busy page full of animations that kills RDP performance until you can navigate off it on a server OS has always made me wond
You mean like YouTube did/does for Firefox? (Score:2)
Google intentionally and deliberately made YouTube work differently with Firefox, in a way that made it very slow and annoying.
This was part of the bigger plan to eradicate all other browsers.
One element of which being, to create so many stupid web APIs in such a short amount of time, that no other developer could keep up.
Even Firefox nearly died from this, and is still struggling. It is also, why new versions get released so frequently.
So if you ever wondered why Firefox is so bloated too. Why they both se