Closed Bug 71569 Opened 24 years ago Closed 9 years ago

[META] User-Agent string tracking bug

Categories

(Core :: Networking: HTTP, defect, P5)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Future

People

(Reporter: dbaron, Assigned: dbaron)

References

(
URL
)

Details

(Keywords: meta) 

This is a tracking bug to track issues related to the User-Agent string,
which is sent via HTTP and also accessible through JS through the
|navigator| object.

The current UA-string spec is at
http://mozilla.org/build/revised-user-agent-strings.html

The current UA-string code is in
http://lxr.mozilla.org/mozilla/ident?i=InitUserAgentComponents

Navigator object code lives in
(old)http://lxr.mozilla.org/mozilla/source/dom/public/idl/base/Navigator.idl
(new)http://lxr.mozilla.org/mozilla/source/dom/public/idl/base/nsIDOMNavigator.idl
http://lxr.mozilla.org/mozilla/ident?i=NavigatorImpl
Status: NEW → ASSIGNED
Keywords: meta
Priority: -- → P5
Target Milestone: --- → Future
For quick-ref info: UI to override U-A string in bug 46029; UI to edit all prefs
in bug 17199.

When the user agent spec was originally hammered out in the .netlib group the 
PrereleaseVersion consisted of a unique(ish) searchable token followed by the 
actual version. Otherwise it can be quite difficult to pull this version out of 
the middle of the comment string in theory given the optional and potentially 
suppressed (localization and CPU) bits in the future.  Ekrock suggested "prv:" 
(pre-release version) as it'd be pretty nearly unique.

I don't think we'll ever be able to change Mozilla/5.0 to anything else. We 
can't bump it back to match the actual Mozilla version (conflicts with old 
Navigators) and we know that at least some sites are looking for 5.0 
specifically and might be thrown by a more specific version. We could leave a 
permanent "5.0" just as IE 5 remains "Mozilla/4.0 (compatible" with the real 
version later in the string.

Given that, a searchable marker token is even more important. I suggest a 
slight change from ekrock's suggestion, "mrv:" for Mozilla release version. It 
doesn't really matter what it is though, as long as it's something unique 
that's highly unlikely to appear elsewhere in the user agent; the mnemonic 
value of something like mrv: is better than something completely random.

The Gecko comment section was removed long ago, but it might actually have 
important value for branded versions like Netscape. When Netscape shipped 6.0 
the user Agent contained "Gecko/20001108". That was a lie, though, it was not 
based on a November Gecko, it was based on Gecko/20000922 -- 11/08 was merely 
the build date. The 6.01 user agent was even more wrong.

We're not going to stop people like Netscape from wanting to embed their build 
date in the user-agent string, but we should push that when we go on a branch 
that the Gecko date be the real Gecko date, and the build date be elsewhere. We 
could raise a stink and make Netscape put that in their own Vendor comment, but 
in fact mozilla.org has a similar problem since technically they ship milestone 
builds off a short branch. The mozilla.org branches are so small that no one is 
likely to care, but it is technically the wrong Gecko date in the user agent, 
and if we come up with a generic mechanism that mozilla.org uses (the Gecko 
comment?) then it'll be that much easier to get commercial vendors to do the 
right thing.

Of course this completely conflicts with the desire to keep the user agent 
short.
Rather than a Gecko comment to indicate branch-ness it could also be done 
fairly easily as a subversion. Netscape 6.0 branched from 20000922 and shipped 
on 20001108 so the Gecko version could be 20000922.47 (build date 47 days after 
the branch), or perhaps to make the math easier 20000922.186 (922+186 = 1108, 
the real build date).

If people are going to want to do math with the version as a whole to determine 
which version is larger then we could also consider zero-padded variants of the 
above. Three digits (enough for almost three years) might be sufficient in the 
first case, but the second case would really require five because I can easily 
imagine a stable branch lasting more than a year, all four digits would give 
us. Visually the first two examples would thurn into  20000922.047 and 
20000922.00186 -- a bit bulky, especially considering how short most milestone 
branches are and how rare long-lived branches.
This is a tracking bug.
(What I meant by my previous comment was that if you actually want me (or
someone else :-) to do something about these issues, they would be better
off in a separate bug, since I wasn't planning to look at this bug except
when I wanted to find / track user-agent issues.)
Depends on: 150351
Adding the following bugs to this tracking bug.

Bug 46029 - [RFE] debug-only GUI for multiple User-Agent prefs like in Opera
Bug 65764 - New mozilla user-agent string
Bug 80658 - [RFE] Site specifig User-Agent
Bug 92716 - Need way to completely disable user-agent header
Bug 102042 - Separate the useragent used by http from the real one seen by plug-ins
Bug 115773 - navigator.appVersion doesn't change when spoofing useragent
Bug 129038 - mozilla has "U;" in useragent when PSM is not installed

Apologies if these do not belong, or if I added them incorrectly
Depends on: 46029, 65764, 80658, 92716, 102042, 115773, 129038
Depends on: 168778
Adding [META] to summary.
Summary: User-Agent string tracking bug → [META] User-Agent string tracking bug
Depends on: 83376
QA Contact: tever → networking.http
The EFF has a nice site that shows how unique a user-agent string is:
http://panopticlick.eff.org/

Please take privacy seriously.
http://www.theregister.co.uk/2010/05/17/browser_fingerprint/

Ran test on http://panopticlick.eff.org/ to find out my browser leaves a unique
fingerprint in 900,000+ samples they have received so far.
(In reply to comment #9)
> http://www.theregister.co.uk/2010/05/17/browser_fingerprint/
> 
> Ran test on http://panopticlick.eff.org/ to find out my browser leaves a unique
> fingerprint in 900,000+ samples they have received so far.

Yes, but what does that fingerprint say about you? I took the same test, and it said that I'm using the SeaMonkey 2.1a1pre nightly for Linux dated 2010-05-10 (like one browser in 511,477), that I have a certain combination of HTTP_ACCEPT values, a certain combination of installed plugins and a certain combination of installed fonts (each of the three separately like exactly one browser in 1,022,954) and that the rest of my identifying data isn't particularly newsworthy (between one in 1.22 for cookies, which I had set at "allow for session", and one in 37.53 for screen size and color depth). So what? My user-agent string, even though pretty uncommon, is not even the most "unique" thing about me (and in normal circumstances it changes every day, except that at the moment I'm waiting for the new addons manager UI to stabilize); and I'm not sure how useful it is to broadcast my installed fonts and plugins all over the web, but I have other things to worry about.
P.S. I took it again with the standard version of Konqueror which comes with openSUSE 11.2, and that site hadn't even seen its user-agent string yet, not to mention the rest. I guess if you really want to look anonymous, get the second-latest Micro$oft OS (Vista, at the moment), don't set any user preferences, and in that case you'll probably look "just anyone".
(In reply to comment #11)
> P.S. I took it again with the standard version of Konqueror which comes with
> openSUSE 11.2, and that site hadn't even seen its user-agent string yet, not to
> mention the rest. I guess if you really want to look anonymous, get the
> second-latest Micro$oft OS (Vista, at the moment), don't set any user
> preferences, and in that case you'll probably look "just anyone".

But if you do any Security updates the second-latest Micro$oft OS, you will have a unique fingerprint. 

Therefore even if your ISP changes the IP address, frequently, a site will still be able to fingerprint you (even after deleting cookies etc.).

Their paper: http://panopticlick.eff.org/browser-uniqueness.pdf

states:

"The obvious solution to this problem would be to make the version numbers
less precise. Why report Java 1.6.0 17 rather than just Java 1.6, or DivX Web
Player 1.4.0.233 rather than just DivX Web Player 1.4?"
Edit: Typos/Grammar

(In reply to comment #11)
> P.S. I took it again with the standard version of Konqueror which comes with
> openSUSE 11.2, and that site hadn't even seen its user-agent string yet, not to
> mention the rest. I guess if you really want to look anonymous, get the
> second-latest Micro$oft OS (Vista, at the moment), don't set any user
> preferences, and in that case you'll probably look "just anyone".

But if you do any Security updates to your second-latest Micro$oft OS, you will
get a unique fingerprint. 

Even if your ISP changes the IP address, frequently, a site will
still be able to fingerprint you (even after deleting cookies etc.).

Their paper: http://panopticlick.eff.org/browser-uniqueness.pdf

states:

"The obvious solution to this problem would be to make the version numbers
less precise. Why report Java 1.6.0 17 rather than just Java 1.6, or DivX Web
Player 1.4.0.233 rather than just DivX Web Player 1.4?"
Depends on: 567679
Depends on: 577994
No longer depends on: 577994
Depends on: 625238
No longer depends on: 55366
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Depends on: 1520419
You need to log in before you can comment on or make changes to this bug.