Google To Phase Out User-Agent Strings in Chrome (zdnet.com)
Google has announced plans today to phase out the usage of user-agent strings in its web browser Chrome. From a report: UA strings were developed as part of the Netscape browser in the '90s, and have been in use ever since. For decades, websites have used UA strings to fine-tune features based on a visitor's technical specifications. But now, Google says that this once-useful mechanism has become a constant source of problems, on different fronts. For starters, UA strings have been used by online advertisers as a way to track and fingerprint website visitors. "On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason," said Yoav Weiss, a Google engineer working on the Chrome browser.
To address these issues, Google said it plans to phase out the importance of UA strings in Chrome by freezing the standard as a whole. Google's plan is to stop updating Chrome's UA component with new strings (the UA string text that Chrome shares with websites). The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.
How many Broken Enterprise Apps? (Score:1)
I can see a lot of "Enterprise" apps being broken, because they were designed to read the UA strings. Even if they didn't do anything with them, the fact that they are looking to read it could cause problems. Probably as a security feature to make sure those crazy guys who used to telnet to port 80 were stopped.
Re: (1)
From the summary
> The long-term plan is to unify all Chrome UA strings into generic values that don't reveal too much information about a user. This means that new Chrome browser releases on new platforms such as new smartphone models or new OS releases will use a generic UA string, rather than one that's customised for that specific platform.
Re: (2)
With a standardized UA string, that will be used by other applications, that goes away.
Re: (2)
And with the move to silent updates all of the time by everything, the default assumption of "most current version" is likely now a good one, further reducing the need for a UA string.
Whether or not software being able to phone home and keep itself updated at all times is a good thing is an entirely different question.
Re: (2)
And your assumption things keep updated
Re: (2)
>"And your assumption things keep updated is simply wrong, for phones. "
Not just for phones. For some environments, it is extremely difficult to roll out a new browser version (especially a major one) without tons of time testing, configuring, customizing, training, etc. So not everyone can do "automatic" version updates, or certainly not at the ideal speed. It could take weeks or months. It is exactly the reason that Mozilla offers Firefox ESR, for example.
It is bad to assume (from a web server prog
Re: (3)
* Pre-emptively delivering optimised content which is a huge market (same content, different format).
* Determining which range of browsers to support through popularity.
* Security, which ironically is a double edged sword, IE, you can detect vulnerable versions for good or bad.
* Content negotiation based on audience which similar to security can be used for good or bad (diffe
Re: (2)
Re: (2)
Welcome to slashdot. Please press the "quote" button and observe the tags it generates, and use those tags for quoting.
Talk about less different things in a post. That way it makes more sense to reply. When you upload your entire thought process and include the asides, it makes it hard to respond in a constructive way.
The whole thing is simple. When they say, "UA strings have been used by online advertisers as a way to track and fingerprint website visitors." What they actually mean is, they're one of the p
Re: (2)
I'm sorry, but I know a little bit about UA, as most developers do. I am genuinely interested in how you come up with this stuff.
> How many websites depend on the user agent for device detection? Literally millions. It's used significantly for things such as:
Since they can be faked, they aren't any different than query strings except now you have a wholly different code chain to verify the text in a header.
> * Pre-emptively delivering optimised content which is a huge market (same content, different f
Re: (2)
Determining which range of browsers to support through popularity.
How does that work when I used Opera from 2003 to 2010, and edited the string to reflect a modern version of IE, to avoid the "your browser is not supported" messages that simply ban browsers for being untested (which should have gotten everyone fired, assume they are IE compatible and build for IE, but don't enforce the rules by banning perfectly good browsers).
But in using a more secure and faster browser, I also added to the IE statistics. Too bad there wasn't an "I'm lying" tag to add to the string, s
Re: How many Broken Enterprise Apps? (2)
Flash was removed because it crushes battery life and because nothing of value was ever made in Flash. There was a very compelling reason to remove it, and no reason not to.
Re: (2)
>"Flash was removed because it crushes battery life "
And was replaced with stupid, unnecessary, never-ending animations and auto-play video. Which, unsurprisingly, crushes battery life (in addition to being extremely irritating).
Re: (3)
Zero.
The summary says they're going to freeze the string associated with the user agent field, not remove it entirely.
I love it (Score:3)
but how will they charge extra? (3)
Re: (2)
Re: but how will they charge extra? (1)
Re: (3)
What's wrong with that?
I'm free to open two stores selling identical items, but the one in the low income area charges less per item than the one in the wealthy neighborhood just because poor folks don't have the money to give me higher profit margins. This is true even if the store in the wealthy neighborhood costs less to run because of reduced security requirements. If a business can segment markets for maximum profit based on physical location (either store location or customer IP address), why not base
Re: (3)
Re: (2)
You, of course, didn't bother to read my entire post and reacted with a knee-jerk response.
Read the parenthetical part of the last paragraph of my post you responded to (not including my sig) and get back to us.
Re: (2)
Re: (2)
Re: (2)
You are assuming websites don't take steps to fingerprint, track, or identify your browser in other ways. For mobile devices, screen resolution or size might be a thought?
Sure, but this will massively, MASSIVELY reduce the size of your browser fingerprint.
They can't do it soon enough, IMHO. All a browser really needs to know is "mouse" or "touch screen". There's no need to know my OS version or anything like that.
Re: (1)
Interesting (Score:1)
I hope that spiders will continue to identify themselves as such.
Who can forget the "Borked" version of Opera? (Score:1)
Well, that's going to make life difficult for NAC (Score:2)
Most colleges that do NAC have a self-registration system that uses a captive portal
to download an agent application to users the first time they connect to the network.
In most cases this just checks that their system is patched and AV protected before
letting them on the network.
The application offered to the user, and the backend behavior, vary based on what
OS the user is using. Sometimes this involves bug workarounds for very specific
versions of OSes. Barring an overly complex setup where client traffic
Re: (3)
"Hello Student. To get access to University of Foo's internal network you have to install our security app.
If you are using a Windows PC, click _here_
If you are using a Macintosh, click _here_"
I just solved your problem, that'll be a $10k consultancy fee.
Re: (2)
Don't listen to him. I'll do it for $9500. He's overcharging.
Re: (2)
I'd imagine a few non-technical users don't even know whether they are using a Windows PC, a Mac, or a Chromebook. Where would they click?
Re: (3)
Re: (2, Funny)
stupid crap
The "stupid crap" is actually found on the other end of this particular scheme.
Re: Well, that's going to make life difficult for (2)
And a bit more difficult for everybody. Usually, when I go to download software I automatically get the right version for my OS. I'll get an MSI on Windows, a DMG on OSX, or a deb/tgz on Linux. While it's not the worst thing in the world to have to choose that, it is one step backwards.
Google is a terrible offender themselves. (Score:5, Interesting)
Alternative headline: "Google finds alternative way to ID you in their system, deprecating old methods that are easy to fake".
I have a Firefox plugin that rotates my UA through recent versions of FF and Windows 8, 10 & Mac OS X. Google's sites are almost always guaranteed to fail.
Despite having 2FA, google has blocked me from logging in because "Something is suspicious". I'm claiming I'm on Firefox ~68 on Windows, nothing more.
Twitter complains 'something is suspicious' if you don't keep using the same user agent, but will still let you use the site. Nothing else fails, but Google won't let you log in.
Hell, getting curl or requests working 90% of the time is just a matter of shoving a 'legitimate' browser in there.
Another Alternative (Score:5, Insightful)
Google disables user agent strings, encourages web sites to assume everyone is using Chrome and default to a chrome-optimized site.
Re: (2)
Or worse, web sites switch to Javascript based browser identification. If you have JS disabled for the site, too bad, enjoy the generic desktop version or the version for Lynx.
Actually, the second default wouldn't be so bad for a lot of sites.
Re: (2)
>"Google disables user agent strings, encourages web sites to assume everyone is using Chrome and default to a chrome-optimized site."
I have no mod points, and was searching for this exact response. If anyone thinks this is going to help anyone but Google, they are probably mistaken. This is more likely a move to start to try and make all major browsers that are not Chrome but based on Chrom* look like Chrome; further solidifying their grip against the only two that are not Chrom* (Firef
Re: (2)
I have a Firefox plugin that rotates my UA through recent versions of FF and Windows 8, 10 & Mac OS X. Google's sites are almost always guaranteed to fail.
Despite having 2FA, google has blocked me from logging in because "Something is suspicious". I'm claiming I'm on Firefox ~68 on Windows, nothing more.
My guess is that the culprit is ML. I don't know anything about the system used for detecting malicious/abusive traffic, but it wouldn't surprise me at all if it incorporates some machine learning algorithm these days, and your rotating UA makes you a strange outlier that it triggers on as suspicious. Or maybe not. Maybe there is some attack that relies on, or inadvertently uses, rotating UA strings so it could also be a human-written rule. But I'd bet on ML.
I think getting rid of UAs is a better solu
Re: Google is a terrible offender themselves. (2)
That's dumb, though. The cookies identify the session. The server identifies the user with that session.
There's no logical reason to assume a UA switch is a new user, or even a new browser. Many (most?) browsers let you change it on the fly. And major browsers let you export/import cookies.
Not to mention using dumped cookies for debugging with curl or whatnot (though in these cases you can spoof the UA).
Re: (2)
1. It won't ever let me log in to the point of 'seeing' a rotating UA.
2. If I give you my password and my 2FA you let me in. My user agent is not any part of authentication. God forbid I have a lot of devices.
But I have a suspicion that it's more than that. They do let you log in with the native UA. So they must have some additional way of detecting I'm not actually using Firefox 68 on Windows 10. It's not a sophisticated plugin, but only Google has ever had an issue with it.
Re: (2)
If I give you my password and my 2FA you let me in
Not necessarily. Particularly if it's an SMS-based 2FA, but even with more reliable 2FA systems, attackers can and do get hold of them. Google is actually extremely successful at accurately diagnosing out-of-pattern behavior that indicates attacks in progress and shutting them down, with very few false positives. I'm not sure what it is about your setup that causes the false positives. I wonder if it's not just the UA, though. Are you sure that it's the plugin that triggers the issue? And if so, are yo
Its a total CROCK of poo (Score:2)
I'm all for it (Score:3)
Now it would be great if Google Chrome on Android also stopped sending the device name as part of a UA string. This is the reason I generally avoid this web browser.
And now while we are at it, it would be great if all web browsers stopped sending your GPU Vendor and ID as part of WebGL [browserleaks.com] Renderer Info (Unmasked Vendor and Unmasked Renderer).
Then it would be great if plugins [browserleaks.com] and installed fonts were hidden by default, along with a hundred if not more various metrics which uniquely identify you.
That will still leave canvas and WebGL fingerprinting, JS timing attacks, and audio recording processing attacks, but we should start with something, shouldn't we?
Gee, Google probably thinks ... (Score:2)
... we own the engine that most browsers use now... why would anyone need to distinguish between different browsers?
Sounds like something a wannabe monopolist would do.
Re: (2)
Re: Hopefully this will destroy all mobile website (2)
The only time mobile sites are any good is when they precede the desktop site and mobile app.
What can possibly go wrong with this? (Score:3)
If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.
And those users will probably switch to a different browser long before the website changes to accommodate no user-agent string.
Re: (2)
If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.
Isn't that proof of many poorly authored websites?
Re:What can possibly go wrong with this? (Score:4, Insightful)
Of course, but that doesn't mean that the chrome users will not be switching browsers when chrome stops working for them.
The fact that it might be the website's fault is irrelevant.
Re: (2)
OK, let's break this down a little.
1. Why do you think most web sites would suddenly block the majority of their users? Chrome is the majority web browser right now.
2. Why do you think they would be upset about not being able to find out what version of Chrome Chrome users are running (which, as the summary states, is the ONLY thing Google is saying it wants to do), and would be so upset about this largely trivial piece of information that they'd start punishing Chrome users for it, again those people m
Re: (2)
Re: (2)
So what do they do now? Do you think that every time Chrome releases a new version, every webmaster in the country immediately updates a database of "valid Chrome releases"? Why are their web sites going to fail because a newer Chrome is identifying itself with the same UA string as the older version?
Previously I
Re: (2)
If Chrome implements this, chrome users may find themselves blocked from visiting quite a large number of websites.
Those websites would have a pretty strong financial incentive to update their code, considering that they lose the majority of their visitors.
Google wants to own the Web (Score:2, Insightful)
Actually read the article, and more (Score:5, Informative)
Re: (2)
"User agents SHOULD deprecate the User-Agent header in favor of the Client Hints model described in this document."
Re: (2)
What set of Client Hints is Chrome going to use? Neither ZDNet nor the Chromium link they have seems to say so.
Related note: While looking for this, I discovered that Google is touting how they're going to disable third-party cookies [chromium.org] to make the web more "private." This is a little rich, considering that Google Analytics uses first-party cookies.
Re: (3)
Dude, you're expecting too much. Not only are the readers here not going to read an article linked to by the article, or the article itself, but the vast, vast, majority are commenting without even reading the summary.
This entire comments section is a shitfest and most of the comments should be modded Off Topic.
And for mods who think I'm trolling, ask yourself how relevant most of the comments are here given 90% are under the impression a field (that's rarely used for anything but logging anyway) is go
Google's obvious plan (Score:2)
They just want to prevent users from clicking that user-friendly, non-ad-friendly "Desktop site" button in Chrome for Android. They probably noticed that about 90% Chrome's traffic (my number) in mobile phones is clicking news articles shared from another app (usually to a media outlet or blog - types of pages which mostly rely on mobile versions to be extra-heavy on popup and page-blocking ads). A lot of people insta-switch to Desktop Site to see a less cluttered, sometimes even non-paywalled or "sign-in-w
Allow me to rephrase: More Ads for EVERYONE! (Score:2)
1. Serve more ads more ruthlessly with zero considerations for "view-ability" of an ad (so advertisers pay more but with fewer guarantees of impression quality).
2. Not just break some sites but rather, break all sites by being more careless for feature compatibility considerations (beyond just adverts but wholesale features which are implemented differently across browsers and devices).
3. Trying to develop a "long-game" to hopefully crush Mozilla Firefox by
so website should just assume then? (Score:1)
If the app devs can't adjust for it, won't there be cases where it looks broken or it just doesn't work?
I'm surprised the OP didn't say anything about the replacement.
It's like they can just reject anything they don't like without thought of the implications.
No, the standard should make it clear (3)
User agents are basically a hack that allows browser developers and standards committees to be lazy and sloppy. There shouldn't be differences in behavior between browsers. That's the point of having a standard to begin with. If the standard says what to do and the browser developer doesn't do it, that's a bug in the browser's impleme
Devil's advocate (3)
So yeah, it makes sense to be cautious of Google saying this in particular, even if they're right in theory.
Re: (2)
>"I'll play both sides here because a good counter-argument to myself just occurred to me. While ideally, things should work the way I outlined above, Google being in a market-dominant position has no incentive to actually abide by the specification."
LOL- I did the exact same thing in a posting 30 minutes ago, before I saw yours. I hate UA and what horrible things were done with it. But GOOGLE isn't necessarily doing it for the right reasons at all.
So +1 Insightful to you with my imaginary mod points.
Re: (2)
Capability testing is the alternative and it has been a best practice for a long time - even though adoption has been poor. Try to create an object and then use proper error-handling to fall back to another standard.
What good is UA sniffing if you can't possibly keep track of all the derivatives? It relies on knowing every permutation rather than checking for what you need.
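The contrast drawn above, as an added example that is not from the thread or from any project: a UA-sniffing rule keyed on the Chrome version number, which a frozen UA string silently defeats, beside a capability test that probes for the object and falls back on absence or error. The UA strings, the "feature shipped in Chrome 80" rule and the fake browser environments are all constructed for the demo.

```javascript
// Added example (not from the thread): UA sniffing versus capability testing.
// The UA strings and the fake browser "environments" below are constructed.

// --- UA sniffing ----------------------------------------------------------
// Extract the Chrome major version from a UA string, or null if absent.
function chromeMajor(ua) {
  const m = /Chrome\/(\d+)\./.exec(ua);
  return m ? Number(m[1]) : null;
}
// "The feature shipped in Chrome N, so any Chrome >= N has it." A frozen UA
// string defeats this rule: the number stops tracking the real browser.
function sniffSupports(ua, shippedInMajor) {
  const v = chromeMajor(ua);
  return v !== null && v >= shippedInMajor;
}

// --- Capability testing ----------------------------------------------------
// Walk a dotted path such as "navigator.clipboard.writeText" on the
// environment object and report whether something is actually there.
function hasCapability(env, path) {
  let cur = env;
  for (const part of path.split('.')) {
    if (cur === null || cur === undefined) return false;
    cur = cur[part];
  }
  return cur !== null && cur !== undefined;
}
// Try the modern API first and fall back on absence or error, as the comment
// recommends. Returns which path was taken so the caller can see the choice.
function copyText(env, text) {
  if (hasCapability(env, 'navigator.clipboard.writeText')) {
    try {
      env.navigator.clipboard.writeText(text);
      return 'clipboard-api';
    } catch (e) {
      // Present but failing (permissions, insecure context): fall through.
    }
  }
  if (hasCapability(env, 'document.execCommand')) {
    env.document.execCommand('copy');
    return 'execCommand';
  }
  return 'unsupported';
}

// --- Constructed inputs ----------------------------------------------------
const UA_PRE_FREEZE =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36';
// Hypothetical frozen string: same text for every later release, so a
// sniffing site keeps seeing "79" however new the browser really is.
const UA_FROZEN =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/79.0.0.0 Safari/537.36';
const envModern = {
  navigator: { clipboard: { writeText: () => true } },
  document: { execCommand: () => true },
};
const envLegacy = { navigator: {}, document: { execCommand: () => true } };
const envBare = { navigator: {}, document: {} };
// The modern API exists but throws at call time; the fallback must still run.
const envThrowing = {
  navigator: { clipboard: { writeText: () => { throw new Error('denied'); } } },
  document: { execCommand: () => true },
};

// A hypothetical feature that shipped in Chrome `featureShippedIn`. The
// sniffing rule says the frozen browser lacks it; the probe finds it anyway.
function compare(featureShippedIn) {
  return {
    sniffPreFreeze: sniffSupports(UA_PRE_FREEZE, featureShippedIn),
    sniffFrozen: sniffSupports(UA_FROZEN, featureShippedIn),
    probeModern: copyText(envModern, 'hello'),
    probeLegacy: copyText(envLegacy, 'hello'),
    probeThrowing: copyText(envThrowing, 'hello'),
    probeBare: copyText(envBare, 'hello'),
  };
}
```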
Re: (2)
Different browsers handle HTML differently on different platforms.
If the app devs can't adjust for it, won't there be cases where it looks broken or it just doesn't work?
Why should millions of websites write specific code to cater to lazy / shitty devs that don't write a browser to conform to well defined specs? Write the site to HTML / CSS specs and if it doesn't work in a specific browser, make the damn browser devs fix their shit. This goes for Google too, if Chrome isn't rendering the spec properly the sites can tell the users to bitch at the devs ( bonus points for linking to the Chrome feedback area ).
If the websites have to code around broken shit for every bro
Comment (Score:2)
So in the near future, anything claiming to be Chrome is not, because Chrome no longer identifies itself. This reminds me of the old joke about chat rooms: All the women are (police)men, and all that.
Re: (3)
Hint: You can fake any UA string you like. You've been able to do it since browsers first included one.
And, beyond that, almost all browsers are Chromium based anyway - even Edge as of next week.
We'll phase out using Chrome (Score:1)
Re: (2)
No, it isn't. There are pretty much no sites that are going to be broken just because Google will send websites the same UA string in 2021 for version 93 of Chrome as it'll send in 2023 for version 127.
Of course, if you really value your privacy, you'll install one of those Firefox plugins that rotates the UA strin
Haven't parsed UA strings in a while (Score:2)
And, when I did, it was always to detect Internet Explorer and attempt to work around its deficiencies. So I can't see that this change will matter much to us.
Re: (2)
>"And, when I did, it was always to detect Internet Explorer and attempt to work around its deficiencies. So I can't see that this change will matter much to us."
It will if sites stop caring which browser the client is using *AND* they program it to be only Chrom* compliant (using "enhancements" that Google has added, just like IE did) instead of standards compliant. At that point, the "web" will break for anyone using the only two major browsers left- Firefox and Safari.
Stupid, stupid, stupid (Score:1)
Google is hell-bent on breaking how the web works and reconstituting it to suit their goals: unavoidable user tracking that seems harmless mainly because they're doing it, and they're abusing their market positions/dominance to make it happen.
This is on par with stripping down the browser UI (and progress-shaming every other browser to follow suit), AMP, and the flawed assumptions in progressive web app manifests. UA strings have their issues, and the abuse of them began with Microsoft (IE claiming to be N
Re: (2)
There is almost no downside whatsoever to Google doing this. Leaving aside the fact they're not getting rid of the UA, just freezing it for Chrome browsers, the UA has very few legitimate uses. It's used for browser fingerprinting (bad), blocking browsers some executive thinks people shouldn't be using (extremely bad), and, very, very, very rarely, is used to create a workaround for a specific browser, that can almost always be achieved by some other means.
Even Google have misused it, once using the fact a
Re: (2)
Why is it that when Google says the right things, promoting good stuff that doesn't help it achieve anything negative at all, whether it's this or DoH or half a dozen other things, people here lose their minds?
Because that never actually happens. People are rightly waiting for the other shoe to drop so that Google's real intentions become apparent. Do Know Evil and all that.
Re: (2)
UA strings no longer have their uses. It's been used for literal decades as a way to lock out Chrome users from sites that would otherwise work just fine. Nobody should use UA-sniffing for determining capabilities - it relies on each site keeping track of a massive list of permutations of rendering engines and their derivatives.
Minority browser (Score:2)
So in reality, Google did this to themselves by blocking those same minority brows
Web browsers should not define standards (Score:2)
UA is good for debugging (Score:2)
Re: UA is good for debugging (1)
Re: (2)
Re: (2)
This is one of the rare legitimate reasons for needing it (not that I necessarily think metrics/analytics are bad either, but I know there are privacy issues.) Ultimately though the UA is becoming less reliable, with browser makers constantly threatening, and sometimes actually implementing, UAs based upon other browser's UAs.
For mobile vs desktop, it's relatively easy to detect that in software. Over time I think we need a better approach in general.
Malware uses User-Agent (Score:2)
I've seen a number of spam emails which contain links to a redirection site that checks User-Agent and/or HTTP-Accept.
It only redirects to the malicious content if it likes what it sees in User-Agent and HTTP-Accept. Otherwise, it just redirects to google.com or yahoo.com or some such. Just playing with the User-Agent and Accept strings with curl, I can get one behavior or the other.
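The check described above, written up as an added example that is not from the thread or from any tool: probe the same URL with several client profiles and flag it when the response depends on User-Agent or Accept. `fetchFn` is a synchronous stand-in for an HTTP client, the profile UA values are constructed, and the two redirectors at the bottom are constructed stand-ins (one behaving as the comment describes, one well-behaved) so the block runs offline.

```javascript
// Added example (not from the thread): flagging a redirector whose answer
// depends on the client's User-Agent / Accept headers. `fetchFn` is a
// synchronous stand-in for an HTTP client taking { url, headers } and
// returning { status, headers, body }. Everything below is constructed.

// Client profiles to probe with. The UA values are constructed.
const PROFILES = {
  browser: {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
      '(KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36',
    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  },
  curlDefault: { 'User-Agent': 'curl/7.64.1', Accept: '*/*' },
  scannerBot: { 'User-Agent': 'Mozilla/5.0 (compatible; example-scanner/1.0)', Accept: 'text/html' },
};

// Reduce a response to what matters for comparison: status, where it sends
// us, and the body (covers the "placeholder page unless UA matches" case).
function signature(resp) {
  return JSON.stringify({
    status: resp.status,
    location: (resp.headers && resp.headers.Location) || null,
    body: resp.body || '',
  });
}

// Fetch the same URL once per profile and record each response signature.
function probe(fetchFn, url) {
  const results = {};
  for (const [name, headers] of Object.entries(PROFILES)) {
    results[name] = signature(fetchFn({ url, headers: { ...headers } }));
  }
  return results;
}

// Group profiles by identical signature. One group means the site treats all
// clients alike; more than one means the response is client-conditional,
// which is the signal worth escalating for manual analysis.
function classify(results) {
  const groups = {};
  for (const [name, sig] of Object.entries(results)) {
    (groups[sig] = groups[sig] || []).push(name);
  }
  const partition = Object.values(groups);
  return {
    verdict: partition.length === 1 ? 'uniform' : 'client-conditional',
    groups: partition,
  };
}

// Constructed stand-in for the redirector the comment describes: a request
// that looks like a desktop browser asking for HTML is sent on; anything
// else is bounced to a search engine.
function fakeCloakingRedirector(req) {
  const ua = req.headers['User-Agent'] || '';
  const accept = req.headers.Accept || '';
  const looksLikeBrowser =
    /^Mozilla\/5\.0 \((Windows|Macintosh)/.test(ua) && accept.includes('text/html');
  return looksLikeBrowser
    ? { status: 302, headers: { Location: 'http://next-hop.invalid/' }, body: '' }
    : { status: 302, headers: { Location: 'https://www.google.com/' }, body: '' };
}

// A well-behaved redirector for contrast: the same answer for everyone.
function fakePlainRedirector(req) {
  return { status: 301, headers: { Location: 'https://example.com/' }, body: '' };
}
```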
Re: (2)
That is true... and you can bet the malware is still going to fingerprint the browser; this change is just going to force the malware to adapt and do something more obscure that will be much harder to analyze.
Re: (2)
And one today that returns the Apache "you haven't built a web site yet" page unless the user agent matches the intended target.