I happened to be in the section on user-agent spoofing in the manual. I recently listened to a fascinating talk from an Infosec dude called Nick Nikiforakis, and I can report back with chagrin that in its simplest form, just calling yourself a Mozilla may no longer fly depending on what kind of website the user is trying to go to. It's astonishing the kinds of devious tricks they use. In addition to reading the settable user agent string, they test hundreds of things over javascript, and create a unique hash based on the answers.
For instance, they attempt to generate some text in a given font. If the browser returns "I don't have it," this amounts to the answer to a yes-or-no question. Do that for hundreds of fonts and you have quite a unique hash.
Another one is that they will run a script that carries out some floating point math. Then they examine the sequence of numbers in the extended decimal places. This may have a consistency which can be used as part of a fingerprint. What a nuisance. They overlay as many of these tests as they can. It stands to reason that the most commercial sites would leave no stone unturned, but I still slapped my forehead, "of course."
So for pages like startpage.com, which "won't let you in the door unless you look like one of the major players," or the old example of an online banking site, just setting ua1, ua2, will unfortunately be of declining effectiveness if more sites use fingerprinting. Startpage could have new ways of saying "We don't think you are really a new Mozilla as you claim."
Kevin -------- Kevin Carhart * 415 225 5306 * The Ten Ninety Nihilists _______________________________________________ Edbrowse-dev mailing list [email protected] http://lists.the-brannons.com/mailman/listinfo/edbrowse-dev
