Improving the Privacy with Generic Browser User-Agent Strings

Discussion in 'privacy technology' started by Larm, Jan 9, 2014.

Thread Status:
Not open for further replies.
  1. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    As most of you already know, browsers can be fingerprinted easily using various information they leak. https://panopticlick.eff.org/index.php?action=log&js=yes and http://fingerprint.pet-portal.eu/?lang=en are examples of tests that reveal some of this information.

    One important source of fingerprinting information is the browser's user-agent string, which often includes the exact version number of the browser and rendering engine, operating system version, processor's instruction set and sometimes even the language setting! Examples of various user-agent strings can be found here. Most of this information is completely irrelevant to the website, and is just used as a fingerprinting tool.

    My proposal is to adopt generic user-agent strings, which would tell the basic information (such as a rendering engine and the browser's name) to the website to ensure compatibility, while still being as generic as possible. For example, instead of: "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" why not use: "Mozilla/5.0 Gecko Firefox"? (I'm aware that this might break some websites, and in that case an extension to allow per-site settings could be used.)

    Note: fighting against fingerprinting requires that as many users as possible use the same user-agent string, therefore it doesn't help if everyone creates their own "cool" user-agent. That's why we need to standardize on this and spread the message to gain more support.

    While we could request this functionality from browser manufacturers, it is unlikely that most of them would support it. Luckily changing the user-agent string is quite easy with most browsers. In the next post I will cover some of the most popular browsers and propose generic user-agent strings for them, together with the instructions for making the change.

    Please provide feedback and suggestions (for example, if some sites stop working after changing the user-agent) and spread the idea :) When more users adopt this proposal, everybody's privacy will be improved.
     
  2. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    Firefox and derivatives (Seamonkey/Iceweasel/etc.)

    Example of the current user-agent string: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

    The proposal for the generic user-agent: Mozilla/5.0 Gecko Firefox
    - Both the rendering engine and the "Firefox" are included just in case. Note, you should use Firefox even if your browser is called something else (Seamonkey/etc.) because they are all using the same rendering engine.

    Changing the user-agent:
    Easy through about:config, just add the following fields:
    Code:
    general.useragent.enable_overrides => 1
    general.useragent.override => Mozilla/5.0 Gecko Firefox 
    
    There are also plenty of add-ons that accomplish the same.


    Chrome and other KHTML browsers (Chromium/Safari/Konqueror/etc.)

    Example of the current user-agent string: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36

    The proposal for the generic user-agent: Mozilla/5.0 AppleWebKit (KHTML, like Gecko) Chrome Safari
    - Here we include both the "Chrome" and "Safari" to improve compatibility. I'm aware that Konqueror doesn't use "AppleWebKit", but this shouldn't cause problems, especially since it's extremely unlikely that websites would match the user-agent string against "Konqueror".

    Changing the user-agent:
    Chrome doesn't support user-agent changing directly, but there are various extensions for this.
    https://chrome.google.com/webstore/detail/ultimate-user-agent-switc/ljfpjnehmoiabkefmnjegmpdddgcdnpo seems to be a good one and it also allows per-site settings. Just go to options and add a custom string with a flag and name of your choice and put: "Mozilla/5.0 AppleWebKit (KHTML, like Gecko) Chrome Safari" as the "User Agent string". Then click on the extension button, select "Active Now!!" and select your custom user-agent that you just entered.


    Opera (older versions based on Presto engine)

    Example of the current user-agent string: Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14

    The proposal for the generic user-agent: Opera/9.80 Presto
    - The rendering engine is included just in case someone wants to match against it.

    Changing the user-agent:
    Easy through about:config, just add/modify the following fields (tested on Opera 12.xx):
    Code:
    Spoof UserAgent ID => 1
    Custom User-Agent => Opera/9.80 Presto


    Internet Explorer

    Here things get complicated. In theory, IE's user-agent can be changed through registry hacks: http://msdn.microsoft.com/en-us/library/ms537503.aspx . However, feature and trident tokens can't be changed, and they will reveal the major version number of IE anyway.

    IE also leaks the exact version numbers of various Windows components such as .NET framework and Media player. While these can be removed by deleting registry keys, it might break some Windows functionality. For now I can give the following good advice: avoid IE at all costs :)
     
  3. tlu

    tlu Guest

    I'm sorry but those are bad recommendations privacy-wise. Those user agents make your browser more unique and, thus, identifiable as nobody else is using them. You can easily confirm that on, e.g., https://panopticlick.eff.org/
     
  4. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    The whole point of the proposal is to make others use it.

    Considering how much unique information default user-agents provide, privacy would be greatly improved even if just some people would adopt generic user-agents.
     
  5. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    I agree. The too-short, generic string proposed in the post above would be a longtail standout.
    What's a good, common, as-seen-in-the-wild string to use?
    Sadly, the PDF linked at the eff.org site is undated.
    http://techblog.willshouse.com/2012/01/03/most-common-user-agents/
    ^--- might choose one of these (or choose to rotate thru using several of 'em)...

    ...but I believe that doing so would be a misguided step toward achieving anonymity.
    Nowadays, the web scripts powering many sites are so "sophisticated" (cough, convoluted, fandangled)
    that css stylesheets are delivered conditionally, based on the result from sniffing the requestor's user-agent.
    With mobile, and tablets, AND various desktop resolutions... yeah, from a webdev POV, agent sniffing has become a necessity.
     
  6. tlu

    tlu Guest

    Yes, but it's unrealistic to expect that even a minority of users will implement that.

    A better strategy is to disappear into the crowd by using a wide-spread user agent as mentioned by inka.
     
  7. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    471
    Location:
    usa
    What about using Dephormation?
    "Secret Agent Continuously Randomizes your Firefox/SeaMonkey HTTP User Agent, to Suppress Device Fingerprinting, and Resist Web Tracking."

    https://www.dephormation.org.uk/?page=81
     
  8. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    38
    I'm currently trying the add-on HTTP User Agent Cleaner for Firefox.
     
  9. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    I agree that it is difficult, but I believe there are plenty of privacy-minded people on this forum. We need to start somewhere :)

    The problem is that a "wide-spread" user agent doesn't really exist. We have multiple rendering engines, multiple browsers based on the same engine (Chrome, Chromium, Safari, etc.), multiple types of operating systems, multiple OS versions and processor architectures (a browser running on a 32-bit Windows 7 will have a different user-agent from the exact same browser running on the 64-bit Windows 7).

    Faking the rendering engine (e.g. the most popular browser is Chrome, but you would still want to use Firefox) would break more websites than just using a generic user-agent. Chrome and Firefox have a very rapid release schedule, which creates another problem since not everybody updates the browser immediately.

    A big advantage of this proposal is that you just set the user-agent once, and then you don't need to worry about new browser versions and changes of browser or OS popularity.
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Well, out of the billions of Internet users, even if everyone on Wilders used a string, we'd still be unique'ish. I think a better bet would be for us to post what string we are using, and what our Panopticlick "score" is.

    NoScript blocking all, std FF profile. I believe starting with a JonDoeNym profile would lower that a little bit, but I haven't tried that yet.
     
  11. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Just adding the UserAgent Switcher extension, I now get this:

    Using this pre-set:

     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    My Panopticlick score is around one in 2,000,000 with scripting allowed, and around 1 in 8,000 with scripting not allowed. "System Fonts" is the big difference between the two on my system - around 1 in 300,000 for that item. My standard "User Agent" item alone is around 1 in 500 - not a big deal.
     
  13. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    That's why Wilders should be just a starting point and we need to propagate this idea further.

    Panopticlick is a good tool, but it is also biased, since it is more likely to be used by people who care about their privacy and security. In reality, there are many more users of IE and older Chrome/Firefox versions than Panopticlick can show.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  15. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    Thanks, that's an interesting paper. Basically they are using javascript capabilities to determine the exact browser version. However, this technique can't reveal the OS, processor architecture or other details, therefore generic user-agents still have their place.

    Going forward, it would be good if major browsers would just adhere to standards instead of creating their own extensions and functionality, then the mentioned technique wouldn't work anymore.
     
  16. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I took an entire day to chase the "fingerprint" tail. Best I could get was 1 in 3,000...which is good enough for me. Out of billions, I think it is pretty good. User Agent Switcher, Secret Agent, NoScript, seem to be the biggest helpers. I tried adding FireGloves, and *did* get it down to 1 in 800 a few times, but the results were flaky...the next few tries gave me 1 in 2 Million, or "Unique". Consistent 1 in 3,000 is what I settled on, and I'm done :D
     
  17. tlu

    tlu Guest

    Unfortunately, that's not correct. Just for fun, I've changed my user agent to

    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Now, if I go to http://browserspy.dk/os.php with JS disabled it says:

    However, if JS is enabled it reports:

    It's true that this site couldn't read my CPU details, but it could detect, e.g., my browser plugins.
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Looks like a default Ubuntu install with Chrome is perfectly unique. No need to screw around with useragents :)
     
  19. tlu

    tlu Guest

    funkydude, I'm afraid that's a misinterpretation: You do NOT want to be unique! In other words: The higher that number, the worse.
     
  20. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Within our dataset of several million visitors, only one in 299 browsers have the same
    fingerprint as yours.

    Currently, we estimate that your browser has a fingerprint that conveys 8.22 bits of
    identifying information.

    Using Firefox browser with javascript disabled and no addons.

    From what I understand from the Panopticlick test you DON'T want to have results saying "UNIQUE" and
    NOT have a fingerprint that conveys a LARGE bits number of identifying info.
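
The anonymity-set arithmetic behind this disagreement, as an added example that is not part of any post in the thread: it converts "one in N" figures to bits and shows how many Firefox users would have to adopt the generic string before it identifies less than a default one. The population counts and the helpers `pooledGenericBits` and `breakEvenFraction` are constructed for illustration; only the 1-in-299 and 1-in-500 figures come from the posts above.

```javascript
// Added example; every count in SAMPLE is constructed, not measured.
const GENERIC = "Mozilla/5.0 Gecko Firefox";
const VISTA_FF24 = "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0";
const SAMPLE = new Map([
  [VISTA_FF24, 2000], // 1 in 500, the User Agent figure quoted in the thread
  ["Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0", 98000],
  ["Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36", 900000],
]);

// Bits of identifying information in a value shared by `count` of `total` browsers.
function surprisalBits(count, total) {
  if (!(count > 0 && count <= total)) throw new RangeError("count must be in 1..total");
  return -Math.log2(count / total);
}

const isFirefox = (ua) => /Gecko\/\d+ Firefox\//.test(ua);
const totalOf = (pop) => [...pop.values()].reduce((a, b) => a + b, 0);

// Bits leaked by the GENERIC string when `fraction` of every Firefox
// bucket switches to it (adopters pool across OS and version).
function pooledGenericBits(pop, fraction) {
  let pooled = 0;
  for (const [ua, count] of pop) {
    if (isFirefox(ua)) pooled += Math.round(count * fraction);
  }
  return surprisalBits(pooled, totalOf(pop));
}

// Adoption fraction at which the generic string leaks exactly as many
// bits as `defaultUa` did before anyone switched.
function breakEvenFraction(pop, defaultUa) {
  let family = 0;
  for (const [ua, count] of pop) if (isFirefox(ua)) family += count;
  return pop.get(defaultUa) / family;
}

function report() {
  const base = surprisalBits(SAMPLE.get(VISTA_FF24), totalOf(SAMPLE));
  return [0.001, breakEvenFraction(SAMPLE, VISTA_FF24), 0.5].map((f) => ({
    fraction: f,
    genericBits: Number(pooledGenericBits(SAMPLE, f).toFixed(2)),
    defaultBits: Number(base.toFixed(2)),
  }));
}

console.log(report());
```

With these constructed numbers the generic string leaks more bits than the default one at 0.1% adoption and only drops below it once more than 2% of Firefox users switch.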
     
  21. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    This page: http://browserspy.dk/browser.php has more information.

    The following overrides work in Firefox to remove some OS/platform leaks:
    Code:
    general.appversion.override  => 5.0
    general.oscpu.override =>  (leave this empty)

    However, is there a way to override navigator.platform? navigator.platform.override doesn't work anymore.
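
What an overridden header still leaves readable by page scripts, as an added example that is not code from the thread: a self-audit that compares the OS named by the User-Agent header with the OS named by script-visible properties. The `auditOverride` and `osFamily` helpers and both sample profiles are constructed; in a browser you would pass the real `navigator` object.

```javascript
// Added example; `nav` stands in for the browser's `navigator` object and
// every sample value below is constructed.

// OS family named by a string, or null when it names none.
function osFamily(s) {
  if (!s) return null;
  if (/Windows|Win32|Win64/.test(s)) return "Windows";
  if (/Mac OS X|Macintosh|MacIntel/.test(s)) return "Mac";
  if (/Linux|X11/.test(s)) return "Linux";
  return null;
}

// Compare the OS named by the User-Agent header with what each
// script-visible property names, and list what still gives the OS away.
function auditOverride(userAgentHeader, nav) {
  const claimed = osFamily(userAgentHeader);
  const findings = [];
  for (const prop of ["userAgent", "appVersion", "oscpu", "platform"]) {
    const seen = osFamily(nav[prop]);
    if (seen === null) continue; // property names no OS, nothing disclosed
    if (claimed === null) findings.push(`${prop}: discloses ${seen}`);
    else if (seen !== claimed) findings.push(`${prop}: says ${seen}, header says ${claimed}`);
  }
  const plugins = nav.plugins ? nav.plugins.length : 0;
  if (plugins > 0) findings.push(`plugins: ${plugins} enumerable`);
  return findings;
}

// Generic string plus the appversion/oscpu overrides; platform left as the browser reports it.
const genericProfile = {
  userAgent: "Mozilla/5.0 Gecko Firefox",
  appVersion: "5.0",
  oscpu: "",
  platform: "Linux x86_64",
  plugins: ["Shockwave Flash"],
};

// A popular Windows/Chrome string set on a browser that really runs on Linux.
const spoofedHeader = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36";
const spoofedProfile = { ...genericProfile, userAgent: spoofedHeader, plugins: [] };

console.log(auditOverride(genericProfile.userAgent, genericProfile));
console.log(auditOverride(spoofedHeader, spoofedProfile));
```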
     
  22. johndoa

    johndoa Registered Member

    Joined:
    Jan 23, 2014
    Posts:
    4
    There's no use in modifying user-agent if your plugins and extensions are exposed. Fingerprinting is about combining all details of your browser. Changin' one particular element makes sense only if it fits with other elements in a way that represents a common pattern.

    The only real masking would be if we could fake extensions IDs + user agent so it fits most common browser setups. :)
     
  23. Larm

    Larm Registered Member

    Joined:
    Jan 9, 2014
    Posts:
    10
    I agree that modifying the user-agent is not enough by itself to prevent fingerprinting. However, it leaks a lot of information and changing it is easy, therefore it's a low-hanging fruit that definitely should be used.

    Extensions like Firegloves for Firefox prevent plugin and font enumeration.
     
  24. johndoa

    johndoa Registered Member

    Joined:
    Jan 23, 2014
    Posts:
    4
    Imagine solving the Rubik's Cube. One or two moves make just another combination of colors.
     