RE: [bug #57884] wget reveals my operating system to the server

2020-02-24 Thread Seymour J Metz
Which raises far more serious security concerns than reporting browser 
capabilities.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: Bug-wget [bug-wget-bounces+smetz3=gmu@gnu.org] on behalf of Bruno 
Haible [br...@clisp.org]
Sent: Monday, February 24, 2020 6:42 AM
To: ge...@mweb.co.za; Tim Ruehsen
Cc: bug-wget
Subject: Re: [bug #57884] wget reveals my operating system to the server

ge...@mweb.co.za wrote:
> I wonder about the reason given: "To avoid compatibility issues."
> That was - if I recall correctly - the reason for having the string
> to start with: So that servers can format pages to suit the capabilities
> of the browser and version used.

That was how web applications were written 15-20 years ago. 10 years ago, the
browser capabilities were queried by the JavaScript toolkit [1][2]. Nowadays,
they prefer feature detection in JavaScript.

Bruno

[1] https://dojotoolkit.org/reference-guide/1.7/quickstart/browser-sniffing.html
[2] https://api.jquery.com/jQuery.browser/






Re: [bug #57884] wget reveals my operating system to the server

2020-02-24 Thread Bruno Haible
ge...@mweb.co.za wrote:
> I wonder about the reason given: "To avoid compatibility issues."
> That was - if I recall correctly - the reason for having the string
> to start with: So that servers can format pages to suit the capabilities
> of the browser and version used.

That was how web applications were written 15-20 years ago. 10 years ago, the
browser capabilities were queried by the JavaScript toolkit [1][2]. Nowadays,
they prefer feature detection in JavaScript.

Bruno

[1] https://dojotoolkit.org/reference-guide/1.7/quickstart/browser-sniffing.html
[2] https://api.jquery.com/jQuery.browser/




Re: [bug #57884] wget reveals my operating system to the server

2020-02-24 Thread Tim Rühsen
On 2/24/20 11:58 AM, ge...@mweb.co.za wrote:
> Interesting - forcing a user agent string could be in violation of GDPR since 
> it would definitely make the user environments more identifiable. The 
> "fingerprinting" discussion refers. On the other hand, if all browsers 
> henceforth were to send the same string the opposite would be true. 
> 
> I wonder about the reason given: "To avoid compatibility issues." That was - 
> if I recall correctly - the reason for having the string to start with: So 
> that servers can format pages to suit the capabilities of the browser and 
> version used. If in the future all browsers were using the Chromium engine 
> this mechanism might no longer be needed and web pages would no longer need 
> to adjust for browser differences - although I can't see a world where all 
> browsers on all types of devices and all "other" client software would be 
> behaving identically. 

From the google link:
Alternative implementation suggestion for web developers

For many (most?) uses of UA sniffing today, a better tool for the job
would be to use feature detection. Where feature detection fails
developers, UA Client Hints are the right path forward.

https://wicg.github.io/ua-client-hints/

Regards, Tim

> 
> Gerd
>  
> 
> - Original Message -
> From: "Tim Ruehsen" 
> To: "Tim Ruehsen" , "Bruno Haible" , 
> gscriv...@gnu.org, "bug-wget" , dar...@gnu.org
> Sent: Monday, February 24, 2020 12:10:56 PM
> Subject: [bug #57884] wget reveals my operating system to the server
> 
> Follow-up Comment #6, bug #57884 (project wget):
> 
> There seem to be concerns and actions taken by browser vendors regarding
> the User-Agent header. It's about "freezing" the User-Agent string once and
> for all to avoid compatibility issues.
> 
> Is this an option for us ?
> 
> https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ
> 
> https://techcommunity.microsoft.com/t5/discussions/new-privacy-oriented-feature-added-to-edge-82-freeze-user-agent/m-p/1165269
> 
> 
> ___
> 
> Reply to this item at:
> 
>   
> 
> ___
>   Message sent via Savannah
>   https://savannah.gnu.org/
> 





Re: [bug #57884] wget reveals my operating system to the server

2020-02-24 Thread ge...@mweb.co.za
Interesting - forcing a user agent string could be in violation of GDPR since 
it would definitely make the user environments more identifiable. The 
"fingerprinting" discussion refers. On the other hand, if all browsers 
henceforth were to send the same string the opposite would be true. 

I wonder about the reason given: "To avoid compatibility issues." That was - if 
I recall correctly - the reason for having the string to start with: So that 
servers can format pages to suit the capabilities of the browser and version 
used. If in the future all browsers were using the Chromium engine this 
mechanism might no longer be needed and web pages would no longer need to 
adjust for browser differences - although I can't see a world where all 
browsers on all types of devices and all "other" client software would be 
behaving identically. 

Gerd
 

- Original Message -
From: "Tim Ruehsen" 
To: "Tim Ruehsen" , "Bruno Haible" , 
gscriv...@gnu.org, "bug-wget" , dar...@gnu.org
Sent: Monday, February 24, 2020 12:10:56 PM
Subject: [bug #57884] wget reveals my operating system to the server

Follow-up Comment #6, bug #57884 (project wget):

There seem to be concerns and actions taken by browser vendors regarding
the User-Agent header. It's about "freezing" the User-Agent string once and
for all to avoid compatibility issues.

Is this an option for us ?

https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ

https://techcommunity.microsoft.com/t5/discussions/new-privacy-oriented-feature-added-to-edge-82-freeze-user-agent/m-p/1165269





[bug #57884] wget reveals my operating system to the server

2020-02-24 Thread Tim Ruehsen
Follow-up Comment #6, bug #57884 (project wget):

There seem to be concerns and actions taken by browser vendors regarding
the User-Agent header. It's about "freezing" the User-Agent string once and
for all to avoid compatibility issues.

Is this an option for us ?

https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/-2JIRNMWJ7s/yHe4tQNLCgAJ

https://techcommunity.microsoft.com/t5/discussions/new-privacy-oriented-feature-added-to-edge-82-freeze-user-agent/m-p/1165269






[bug #57884] wget reveals my operating system to the server

2020-02-24 Thread Tim Ruehsen
Follow-up Comment #5, bug #57884 (project wget):

I see the point but start to become curious about backwards compatibility and
about how browsers and other web clients behave.

Transmitting the OS type is likely not handled by GDPR, as it is likely not
considered "personal data" (data that is bound to a real person). Otherwise,
all the browser and tool vendors would have been sued already.

Maybe we should bring this up on gnu-prog-disc ML for a broader discussion ?

Firefox
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0

Chromium
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36

Konqueror
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) konqueror/5.0.97 Safari/534.34

Curl
User-Agent: curl/7.67.0

aria2c
User-Agent: aria2/1.35.0


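
Added example, not part of the thread and not wget code: a small parser that splits the User-Agent values listed in comment #5 into products and comment fields, then reports which fields name the platform. The Wget-style sample value and the platform marker list are assumptions constructed for illustration.

```python
import re

# User-Agent values quoted in comment #5 above, plus one constructed Wget-style
# value ("product/version (os)" is an assumption; that string is not on the page).
SAMPLES = {
    "Firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0",
    "Chromium": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36",
    "Konqueror": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 "
                 "(KHTML, like Gecko) konqueror/5.0.97 Safari/534.34",
    "Curl": "curl/7.67.0",
    "aria2c": "aria2/1.35.0",
    "Wget (constructed)": "Wget/1.20.3 (linux-gnu)",
}

# RFC 7231 section 5.5.3: User-Agent = product *( RWS ( product / comment ) )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PART = re.compile(
    rf"\s*(?:(?P<product>{TOKEN})(?:/(?P<version>{TOKEN}))?|\((?P<comment>[^()]*)\))"
)
# Heuristic markers for OS, CPU and window system (illustrative, not exhaustive).
PLATFORM = re.compile(r"linux|windows|mac os|android|bsd|x11|x86_64|i686|aarch64", re.I)

def parse_user_agent(value):
    """Split a header value into [(product, version)] and comment fields."""
    value, products, fields, pos = value.strip(), [], [], 0
    while pos < len(value):
        m = PART.match(value, pos)
        if m is None:  # nested comments or stray bytes: refuse to guess
            raise ValueError(f"unparseable User-Agent at offset {pos}: {value!r}")
        if m.group("comment") is not None:
            fields += [f.strip() for f in m.group("comment").split(";") if f.strip()]
        else:
            products.append((m.group("product"), m.group("version")))
        pos = m.end()
    return products, fields

def platform_disclosure(value):
    """Comment fields that name an operating system, CPU or window system."""
    return [f for f in parse_user_agent(value)[1] if PLATFORM.search(f)]

def audit(samples=SAMPLES):
    """Map each client name to the platform fields its User-Agent sends."""
    return {name: platform_disclosure(ua) for name, ua in samples.items()}

if __name__ == "__main__":
    for name, leaked in audit().items():
        print(f"{name:20} {leaked or 'sends no platform fields'}")
```

The browser values and the Wget-style value carry a platform field in their comment, while the curl and aria2 values consist of a bare product token. wget's `--user-agent` option sets the header value explicitly.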