Improving the Privacy with Generic Browser User-Agent Strings

As most of you already know, browsers can be fingerprinted easily using various information they leak. https://panopticlick.eff.org/index.php?action=log&js=yes and http://fingerprint.pet-portal.eu/?lang=en are examples of tests that reveal some of this information.

One important source of fingerprinting information is the browser's user-agent string, which often includes the exact version number of the browser and rendering engine, operating system version, processor's instruction set and sometimes even the language setting! Examples of various user-agent strings can be found here. Most of this information is completely irrelevant to the website, and is just used as a fingerprinting tool.

My proposal is to adopt a generic user-agent strings, which would tell the basic information (such as a rendering engine and the browser's name) to the website to ensure compatibility, while still being as generic as possible. For example, instead of: "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" why not use: "Mozilla/5.0 Gecko Firefox"? (I'm aware that this might break some websites, and in that case an extension to allow per-site settings could be used.)

Note: fighting against fingerprinting requires that as many users as possible use the same user-agent string, therefore it doesn't help if everyone creates their own "cool" user-agent. That's why we need to standardize on this and spread the message to gain more support.

While we could request this functionality from browser manufacturers, it is unlikely that most of them would support it. Luckily changing the user-agent string is quite easy with most browsers. In the next post I will cover some of the most popular browsers and propose generic user-agent strings for them, together with the instructions for making the change.

Please provide a feedback and suggestions (for example, if some sites stop working after changing the user-agent) and spread the idea When more users adopt this proposal, everybody's privacy will be improved.

 

Firefox and derivatives (Seamonkey/Iceweasel/etc.)

Example of the current user-agent string: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

The proposal for the generic user-agent: Mozilla/5.0 Gecko Firefox
- Both the rendering engine and the "Firefox" are including just in case. Note, you should use Firefox even if your browser is called something else (Seamonkey/etc.) because they are all using the same rendering engine.

Changing the user-agent:
Easy through about:config, just add the following fields:

Code:

general.useragent.enable_overrides => 1
general.useragent.override => Mozilla/5.0 Gecko Firefox 

There are also plenty of add-ons that accomplish the same.


Chrome and other KHTML browsers (Chromium/Safari/Konqueror/etc.)

Example of the current user-agent string: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36

The proposal for the generic user-agent: Mozilla/5.0 AppleWebKit (KHTML, like Gecko) Chrome Safari
- Here we include both the "Chrome" and "Safari" to improve compatibility. I'm aware that Konqueror doesn't use "AppleWebKit", but this shouldn't cause problems, especially since it's extremely unlikely that websites would match the user-agent string against "Konqueror".

Changing the user-agent:
Chrome doesn't support user-agent changing directly, but there are various extensions for this.
https://chrome.google.com/webstore/detail/ultimate-user-agent-switc/ljfpjnehmoiabkefmnjegmpdddgcdnpo seems to be a good one and it also allows per-site settings. Just go to options and add a custom string with a flag and name of your choice and put: "Mozilla/5.0 AppleWebKit (KHTML, like Gecko) Chrome Safari" as the "User Agent string". Then click on the extension button, select "Active Now!!" and select your custom user-agent that you just entered.


Opera (older versions based on Presto engine)

Example of the current user-agent string: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14

The proposal for the generic user-agent: Opera/9.80 Presto
- The rendering engine is included just in case someone wants to match against it.

Changing the user-agent:
Easy through about:config, just add/modify the following fields (tested on Opera 12.xx):

Code:

Spoof UserAgent ID => 1
Custom User-Agent => Opera/9.80 Presto

Internet Explorer

Here things get complicated. In theory, IE's user-agent can be changed through registry hacks: http://msdn.microsoft.com/en-us/library/ms537503.aspx . However, feature and trident tokens can't be changed, and they will reveal the major version number of IE anyway.

IE also leaks the exact version numbers of various Windows components such as .NET framework and Media player. While these can be removed by deleting registry keys, it might break some Windows functionality. For now I can give the following good advice: avoid IE at all costs

 

I'm sorry but those are bad recommendations privacy-wise. Those user agents make your browser more unique and, thus, identifiable as nobody else is using them. You can easily confirm that on, e.g., https://panopticlick.eff.org/

 

The whole point of the proposal is to make others to use it.

Considering how much unique information default user-agents provide, privacy would be greatly improved even if just some people would adopt generic user-agents.

 

I agree. The too-short, generic string proposed in the post above would be a longtail standout.
What's a good, common, as-seen-in-the-wild string to use?
Sadly, the PDF linked at the eff.org site is undated.
http://techblog.willshouse.com/2012/01/03/most-common-user-agents/
^--- might choose one of these (or choose to rotate thru using several of 'em)...

...but I believe that doing so would be a misguided step toward achieving anonymity.
Nowadays, the web scripts powering many sites are so "sophisticated" (cough, convoluted, fandangled)
that css stylesheets are delivered conditionally, based on the result from sniffing the requestor's user-agent.
With mobile, and tablets, AND various desktop resolutions... yeah, from a webdev POV, agent sniffing has become a necessity.

 

Yes, but it's unrealistic to expect that even a minority of users will implement that.

A better strategy is to disappear into the crowd by using a wide-spread user agent as mentioned by inka.

 

What about using Dephormation?
"Secret Agent Continuously Randomizes your Firefox/SeaMonkey HTTP User Agent, to Suppress Device Fingerprinting, and Resist Web Tracking."

https://www.dephormation.org.uk/?page=81

 

I'm currently trying the add-on HTTP User Agent Cleaner for Firefox.

 

I agree that it is difficult, but I believe there are plenty privacy-minded people on this forum. We need to start somewhere

The problem is that there "wide-spread" user agent don't really exist. We have multiple rendering engines, multiple browsers based on the same engine (Chrome, Chromium, Safari, etc.), multiple types of operating systems, multiple OS versions and processor architectures (browser running on a 32-bit Windows 7 will have a different user-agent from the exactly same browser running on the 64-bit Windows 7).

Faking the rendering engine (e.g. must popular browser is Chrome, but you would still want to use Firefox) would break more websites that just using a generic user-agent. Chrome and Firefox have a very rapid release schedule, which creates another problem since not everybody updates the browser immediately.

A big advantage of this proposal is that you just set the user-agent once, and then you don't need to worry about new browser versions and changes of browser or OS popularity.

 

Well, out of the billions of Internet users, even if everyone on Wilders used a string, we'd still be unique'ish. I think a better bet, would be for us to post what string we are using, and what our Panopticlick "score" is.

NoScript blocking all, std FF profile. I believe starting with a JonDoeNym profile would lower that a little bit, but I haven't tried that yet.

 

Just adding the UserAgent Switcher extension, I now get this:

Using this pre-set:

 

My Panopticlick score is around one in 2,000,000 with scripting allowed, and around 1 in 8,000 with scripting not allowed. "System Fonts" is the big difference between the two on my system - around 1 in 300,000 for that item. My standard "User Agent" item alone is around 1 in 500 - not a big deal.

 

That's why Wilders should be just a starting point and we need to propagate this idea further.

Panopticlick is a good tool, but it is also biased, since it is more likely to be used by people who care about their privacy and security. In reality, there are much more users of IE and older Chrome/Firefox versions than Panopticlick can show.

 

See "Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting"

 

Thanks, that's an interesting paper. Basically they are using javascript capabilities to determine the exact browser version. However, this technique can't reveal the OS, processor architecture or other details, therefore generic user-agents have still their place.

Going forward, it would be good if major browser would just adhere to standards instead of creating their own extension and functionality, then the mentioned technique wouldn't work anymore.

 

I took an entire day to chase the "fingerprint" tail. Best I could get was 1 in 3,000...which is good enough for me. Out of billions, I think it is pretty good. User Agent Switcher, Secret Agent, NoScript, seem to be the biggest helpers. I tried adding FireGloves, and *did* get it down to 1 in 800 a few times, but the results were flaky...the next few tries gave me 1 in 2 Million, or "Unique". Consistent 1 in 3,000 is what I settled on, and I'm done

 

Unfortunately, that's not correct. Just for fun, I've changed my user agent to

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Now, if I go to http://browserspy.dk/os.php with JS disabled it says:

However, if JS is enabled it reports:

It's true that this site couldn't read my CPU details, but it could detect, e.g., my browser plugins.

 

Looks like a default Ubuntu install with Chrome is perfectly unique. No need to screw around with useragents

 

elapsed, I'm afraid that's a misinterpretation: You do NOT want to be unique! In other words: The higher that number, the worse.

 

Within our dataset of several million visitors, only one in 299 browsers have the same
fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 8.22 bits of
identifying information.

Using Firefox browser with javascript disabled and no addons.

From what I understand from the Panopticlick test you DON'T want to have results saying "UNIQUE" and
NOT have a fingerprint that conveys a LARGE bits number of identifying info.

 

This page: http://browserspy.dk/browser.php has more information.

Following overrides work in Firefox to remove some OS/platform leaks:

Code:

general.appversion.override  => 5.0
general.oscpu.override =>  (leave this empty)

However is there a way to override navigator.platform? navigator.platform.override doesn't work anymore.

 

There's no use of modifying user-agent if your plugins and extensions are exposed. Fingerprinting is about combining all details of your browser. Changin' one paricular element makes sense only if it fits with other elements in a way that represents common pattern.

The only real masking would be if we could fake extensions IDs + user agent so it fits most common browser setups.

 

I agree that modifying the user-agent is not enough by itself to prevent fingerprinting. However, it leaks a lot of information and changing it is easy, therefore it's a low-hanging fruit that definitely should be used.

Extensions like Firegloves for Firefox prevent plugin and font enumeration.

 

Imagine solving the Rubik Cube. One or two moves makes just another combination of colors.