On Monday 2019-05-13 16:14 -0700, Chris Peterson wrote:
> On 5/11/2019 4:11 AM, j.j. wrote:
> > > < "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101
> > > Firefox/66.0"
> > > > "Mozilla/5.0 (Windows NT 10.0; rv:66.0) Gecko/20100101 Firefox/66.0"
> > Note that "navigator.oscpu" returns "Windows NT 6.1; Win64; x64" or
> > similar. This needs to change then.
> >
>
> Yes. navigator.oscpu and the UA string share some common code, so they would
> both be fixed to match 32-bit Windows.

I think it might be worth considering letting them diverge.

I'm skeptical of the idea that we can remove the ability to detect things like 32-bit versus 64-bit from the overall fingerprinting surface. It seems like these should be detectable through things like performance characteristics, if not through behavior differences (like a Math one you mentioned earlier in the thread). Likewise for some of the other differences here -- although I'd be interested to see an argument that we actually can prevent them from being detected.

However, there's another distinction worth considering, which is passive fingerprinting versus active fingerprinting. The UA string allows passive fingerprinting -- fingerprinting that isn't possible to detect by looking at the HTML, CSS, and JS that was sent over the wire. The attack surface for passive fingerprinting is small enough that it seems like something that we can reasonably work to reduce. Given the set of APIs already on the web, it's not clear whether we can prevent users from being identified through active fingerprinting without breaking significant web functionality.

So I think there may be value in removing these distinctions from the User-Agent header we send over HTTP even if they're still accessible from JavaScript (and useful there for sites offering downloads).

-David

-- 
𝄞   L. David Baron                         http://dbaron.org/   𝄂
𝄢   Mozilla                          https://www.mozilla.org/   𝄂
             Before I built a wall I'd ask to know
             What I was walling in or walling out,
             And to whom I was like to give offense.
               - Robert Frost, Mending Wall (1914)
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform