This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

Big vulnerability in spoof user agent #271

Closed
moulierac opened this issue Jun 18, 2015 · 23 comments

Comments

@moulierac

Hi
Thanks for your great work and hard work.
But the user-agent spoof does not really "spoof".
Missing spoof of MIME / JavaScript.

Like: https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg?hl=en

With this vulnerability, the spoofed user agent is ineffective in fact.

Thanks, best regards

@sebie

sebie commented Jun 18, 2015

Sorry, but do you think you could clear up my confusion? Are you reporting a vulnerability in uMatrix's Agent Spoofer or in User Agent Switcher?

If it is uMatrix's Agent Spoofer, could you elaborate on what the problem is? Does it not work?

If you are encountering problems with User Agent Switcher, it would be best to report it to them, not to uMatrix (here).

@gorhill
Owner

gorhill commented Jun 18, 2015

https://github.com/gorhill/uMatrix/blob/master/CONTRIBUTING.md:

Open source quality software comes from contributors carefully crafting code: conversely, issues must also be carefully crafted.

Please, provide all details rather than send me on a quest to find out what exactly you are talking about.

@moulierac
Author

I'm so sorry.

It's with uMatrix.

When I test here

http://whoer.net/extended

all is good.

I have the Firefox browser.

But if I enable JavaScript I always have Firefox,
but vendor Google Inc.

With this we can see the user spoofs the user agent.

With User Agent Switcher on the same site
I have the Safari browser
and vendor Apple.

Thanks

@SARG04

SARG04 commented Jun 19, 2015

It seems there is a problem.
(tested with uMatrix 0.9.1.3 in Firefox 38 and Chrome 43)

For me this code returns the spoofed user agent:
http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_nav_useragent

and this returns the real user agent:
http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_nav_all

So if navigator.userAgent is used inside a function it works, but if not it doesn't.

@d-kr

d-kr commented Jun 19, 2015

duplicate of #118

@moulierac
Author

Thanks SARG04, for me it's the same problem.

Thanks to d-kr; like that I know there is no solution.
gorhill won't work on that.
I respect that it's a choice.
But it's too bad for users: no spoofed user agent works in fact.
Use one and the user is suspect.
Too easy to detect.

Best regards to all.
And again thank you gorhill, your extension is wonderful.

@gorhill
Owner

gorhill commented Jun 19, 2015

Let me address "Big vulnerability": it's a hyperbole.

I did fix locally the vendor thing, but any user thinking it addresses the whole fingerprinting problem would fool himself pretty badly, because there is so much more information in there -- outside UA spoofing scope -- that can be used for fingerprinting.

Let's stick to common sense. If fingerprinting is a major concern, blanking a few select fields in navigator object is not what works.

Fingerprinting does become a concern when you let 3rd-party javascript run in your browser when loading web pages. The whole point of fingerprinting is 3rd-party vendors building a database using your visits from many different web sites.

So if fingerprinting is a major concern, the most important steps are:

  • Do not allow 3rd-party javascript to run at all (out of the box settings in uMatrix).
  • Your IP address: use a proxy or VPN, or block all 3rd-party resources.
  • Clear browser cache on a regular basis (so that passive 3rd-party resources with fingerprinting payload are flushed).
  • Block XHR, to prevent whatever gathered information from being sent back to remote server(s).

All these steps dwarf the impact of blanking the vendor and related fields in the navigator object.

So to qualify the non-blanking of the vendor field as "big vulnerability" is hyperbole. There are many more fields in the navigator object which can be mined, and much more other stuff outside the navigator object which can be mined.

The best recourse is to prevent javascript from running (this would take care of the case here), and if you must execute javascript, prevent gathered information from being sent back by blocking XHR.

@SARG04

SARG04 commented Jun 19, 2015

My point was a little bit different. It seems to depend on the context in which navigator.userAgent is used, whether it is spoofed or not.

<!DOCTYPE html>
<html>
<body>
  <button onclick="test()">Test</button>
  <div id="text"></div>
  <script>
    // Called once inline while the page is being parsed.
    test();
    // Called again later, when the button is clicked.
    function test() {
      var x = navigator.userAgent;
      document.getElementById("text").innerHTML = x;
    }
  </script>
</body>
</html>

When you open the page it will show the real user agent. And when you click on Test it will show the spoofed one.

And yes, via feature detection it is mostly possible to detect the browser version (at least if JavaScript is enabled):
https://html5test.com/compare/browser/mybrowser/chrome-43/chrome-42/firefox-38/firefox-37.html

@gorhill
Owner

gorhill commented Jun 19, 2015

> When you open the page it will show the real user agent. And when you click on Test it will show the spoofed one

I did not investigate but this must be due to a Chromium limitation: there is no guarantee uBlock can inject its spoofing code before any inline script on the page has executed.

@moulierac
Author

Gentlemen,
you are too technical for me.

gorhill, I didn't want to offend you.
My English is bad; sorry.
I tried what you said, and it doesn't work for me on whoer extended.
But maybe I made a mistake in the rules.

SARG04, sorry, I understand nothing.
But I see the result.

In fact no user-agent spoof works perfectly.
Or it's too difficult to do, I don't know.

Best regards.

@gorhill
Owner

gorhill commented Jun 19, 2015

> I tried what you said, and it doesn't work for me on whoer extended.

What did you try?

@SARG04

SARG04 commented Jun 19, 2015

> but this must be due to a Chromium limitation

Just want to let you know, it happens in Firefox 38 as well.

@gorhill
Owner

gorhill commented Jun 19, 2015

> It happens in Firefox 38 as well

Ok, thinking of it, the spoofing script tag is not injected immediately when the content script is executed: the content script first asks the main process asynchronously whether spoofing is enabled or not, then, upon receiving the answer, it will inject the spoofing script tag if enabled.
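The behaviour SARG04 observed and gorhill's explanation are the same ordering problem: an inline script reads `navigator.userAgent` while the document is still being parsed, and an override that is installed only after an asynchronous round-trip to the main process cannot affect a value that has already been read. The following is an added example, not uMatrix's own code, that models that race in plain Node.js: the navigator object is a stand-in built in the block (the real property lives on `Navigator.prototype`, which the stand-in mirrors), the two user-agent strings are constructed sample values, and the function names are mine.

```javascript
// Added example (not uMatrix code): model of why a late-injected
// navigator.userAgent override misses reads made by inline scripts.

// Constructed sample values; not captured from any real browser.
const REAL_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0";
const SPOOF_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600 (KHTML, like Gecko) Version/8.0 Safari/600";

// Stand-in for window.navigator. As in real browsers, the userAgent getter
// lives on the prototype, not on the instance itself.
function makeNavigator(realUA) {
  const proto = {};
  Object.defineProperty(proto, "userAgent", { get: () => realUA, configurable: true });
  return Object.create(proto);
}

// What an injected spoofing script typically does: shadow the getter with an
// own property on the instance.
function installSpoof(nav, spoofUA) {
  Object.defineProperty(nav, "userAgent", { get: () => spoofUA, configurable: true });
  return nav;
}

// Model of the page in SARG04's comment. The inline top-level test() call reads
// navigator.userAgent during parsing; the button handler reads it again later,
// after the extension has had time to inject. `spoofBeforeInline` selects which
// side wins the race.
function runPage(spoofBeforeInline) {
  const nav = makeNavigator(REAL_UA);
  if (spoofBeforeInline) installSpoof(nav, SPOOF_UA);   // synchronous injection before any page script
  const inlineRead = nav.userAgent;                     // inline <script> executing during parsing
  if (!spoofBeforeInline) installSpoof(nav, SPOOF_UA);  // injection after the async round-trip
  const clickRead = nav.userAgent;                      // user clicks "Test" later
  return { inlineRead, clickRead };
}

// Side effect of shadowing on the instance: userAgent becomes an own property,
// which differs from an unmodified browser and is trivially observable by the
// page. This is one reason commenters here call the spoof easy to detect.
function spoofIsVisible(nav) {
  return Object.prototype.hasOwnProperty.call(nav, "userAgent");
}

console.log("late injection :", runPage(false));  // inline read sees REAL_UA, click read sees SPOOF_UA
console.log("early injection:", runPage(true));   // both reads see SPOOF_UA
console.log("own property after spoof:", spoofIsVisible(installSpoof(makeNavigator(REAL_UA), SPOOF_UA)));
```

Run it with `node` to see the two orderings side by side. The point for a defender is that correctness of this kind of spoofing depends on injection happening synchronously before the first page script, and that even then the modified property shape remains observable; neither limitation is addressed by changing the spoofed string.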

@moulierac
Author

gorhill,
I tried:
do not allow 3rd-party javascript to run at all,
block all 3rd-party resources,
blocking XHR,
by rules in uMatrix.

@gorhill
Owner

gorhill commented Jun 19, 2015

@moulierac Yes of course...

uMatrix is for advanced users, I can't help non-advanced users understand technical stuff, I would spend all my free time writing walls of text -- which I tried above for your benefit -- with no better understanding as a result. Non-advanced users who want to understand technical stuff and how uMatrix helps them will have to seek knowledge themselves, I just do not have the time on hand.

The point I was trying to make here is that "Big vulnerability" was hyperbole.

@moulierac
Author

gorhill,
I understand.
I'm an advanced user.
But not a developer; is an advanced user a developer for you?
Of course I don't work for NASA ;-)

But thank you.
Apologies for wasting your time.

Best regards.

@gorhill
Owner

gorhill commented Jun 19, 2015

@moulierac

> I'm an advanced user.

Again:

> I tried what you said, and it doesn't work for me on whoer extended.
> do not allow 3rd-party javascript to run at all
> block all 3rd-party resources

Is whoer.net 3rd-party to whoer.net?

@moulierac
Author

gorhill.

I know now: no.
I'm a little stupid, I didn't think to verify whether it's the case on whoer.
But how do I know if the rules work?

Apologies again.
Thanks for your patience.

@ArchangeGabriel

Maybe this should be closed if the UA spoofing feature is removed. ;)

@Thorin-Oakenpants

+1 for removing the UA spoofing

For starters, you block 95% of it (FP'ing) by blocking the offending JS (usually 3rd party, as pointed out by gorhill). UA is a really small part of overall FP'ing, and 6+ years after Panopticlick brought it to people's attention, and dozens/hundreds of tickets on bugzilla, and even AFTER Tor Uplift's patches, it is STILL leaking like a sieve. date/time leaks locale and language, UA leaks over HTTP CONNECT method ... I could list more.

FYI, they are probably going to not lie about the OS (or rather limit it to four - Windows, Mac, Android, Linux) due to so much general breakage, and they already don't spoof as non-FF. And yet it is trivial to do feature detection (for browser make and even model), or even use a CSS line height query to get your OS, or check scrollbar thickness for the same info.

Remove the UA spoof feature - it is giving end-users a false sense of security IMO

/end of 2 cents

@h1z1

h1z1 commented Nov 26, 2017

Meh, I'll bite. Removing the spoof is insane, it addresses an entirely different thing.

Not every site uses international espionage grade analytics to track users. Much like a lot of threads lately, the position you're taking is akin to forgoing SSL entirely because it's broken by design.

No one is denying uM or uB are advanced, what's somewhat infuriating is the number of "bugs" in browsers that are privacy / security nightmares but buried under pointless bug report threads only to be closed as invalid. They may be upstream but they certainly aren't invalid.

People want to protest like Net Neutrality is the end of the world yet fail to acknowledge (aka, name and shame), who really supports making the Internet a miserable place.

tl;dr - Rather than close bugs as invalid, why not make a list of sites known not to work? There's no harm in shaming Facebook, Google, Microsoft or Mozilla for allowing it.

@Thorin-Oakenpants

> Not every site uses international espionage grade analytics to track users

I wouldn't call a few lines of code (eg for CSS line height) international espionage grade analytics. The number of sites grabbing metrics is huge, and growing. Thankfully it's almost always 3rd party. This is nothing to do with state actors - for that go and use Tor over VPN on Tails or whatever.

> Much like a lot of threads lately, the position you're taking is akin to forgoing SSL entirely because it's broken by design.

No-one said to stop trying to defeat FP'ing where it is unavoidable. There are dedicated extensions for UA (arguably most are not very good), and there is privacy.resistFingerprinting.

The point was that I think UA spoofing in uM is very bare bones, incomplete, almost impossible to get right, a waste of gorhill's time, and gives users a false sense of "privacy"

I have no idea what bugs being invalidated, net neutrality and all those corporation names have to do with this.

@h1z1

h1z1 commented Nov 26, 2017

> I wouldn't call a few lines of code (eg for CSS line height) international espionage grade analytics. The number of sites grabbing metrics is huge, and growing.

Don't follow that at all. I was referring to the scope in which the data is gathered not difficulty.

> Thankfully it's almost always 3rd party. This is nothing to do with state actors - for that go and use Tor over VPN on Tails or whatever.

Which is one of the ways interception is done over Tor - with Tech companies quite involved in facilitating it.

> No-one said to stop trying to defeat FP'ing where it is unavoidable. There are dedicated extensions for UA (arguably most are not very good), and there is privacy.resistFingerprinting.

gorhill above did. Why would I want to install more extensions?

> The point was that I think UA spoofing in uM is very bare bones, incomplete, almost impossible to get right, a waste of gorhill's time, and gives users a false sense of "privacy"

The same could be and frequently is said about much of what uM and uBO do which is one of my points.

> I have no idea what bugs being invalidated, net neutrality and all those corporation names have to do with this.

Bit of a shame, thought it was fairly clear. They are deflecting from the real sources of those problems. Quite a few of the companies are embattled in both.

I responded to this because it's one of many threads attempting to trivialize real privacy issues. I'm well aware of how bad browsers are, I certainly don't sit behind intercepting proxies because I enjoy playing SSL accept bingo. I do it because I don't trust the damn browser or OS.

gorhill added a commit that referenced this issue Dec 1, 2017
The end result of the flawed UA spoofer was to accomplish the
OPPOSITE of the intended goal. UA spoofing for privacy purpose
turns out to be a whole complicated task on its own, and is
best undertaken as a separate dedicated extension -- assuming
it is possible at all.

In any case, this had no place in a "Privacy" section in uMatrix,
this was a bad idea to create this feature in the first place. It's
never too late to correct a bad idea, and this is the purpose of
this commit.
@gorhill gorhill closed this as completed Dec 1, 2017