-
Notifications
You must be signed in to change notification settings - Fork 469
Big vulenability in spoof user agent #271
Comments
Sorry, but do you think you could clear up my confusion. Are you reporting a vulnerability in uMatrix's Agent Spoofer or in User Agent Switcher? If it is uMatrix's Agent Spoofer, may you elaborate on what the problem is? Does it not work? If you are encountering problems with User Agent Switcher, it would be best to report it to them, not to uMatrix (here). |
https://github.com/gorhill/uMatrix/blob/master/CONTRIBUTING.md:
Please, provide all details rather than send me on a quest to find out what exactly you are talking about. |
I'm so sorry. It's with uMartix when i test here Al is good I have Firefox browser But if enable javascript i have always Firefox With this we see the user , spoof user agent With User Agent Switcher on the same site Thanks |
It seems there is a problem. for me this code returns the spoof user agent and this returns the real user agent So if navigator.userAgent is used inside a function it works, but if not it don't. |
duplicate of #118 |
Thanks SARG04 for me same problem. Thanks to d-kr like that i know is no solution. Best regarsd for all. |
Let me address "Big vulenability": it's an hyperbole. I did fix locally the vendor thing, but any user thinking it addresses the whole fingerprinting problem would fool himself pretty bad, because there is so much more information in there -- outside UA spoofing scope -- that can be used as fingerprinting. Let's stick to common sense. If fingerprinting is a major concern, blanking a few select fields in Fingerprinting does become a concern for when you let 3rd-party javascript run in your browser when loading web pages. The whole point of fingerprinting is 3rd-party vendors building database using your visits from many different web sites. So if fingerprinting is a major concern, the most important steps are:
All these steps dwarf the impact of blanking the So to qualify the non-blanking of the The best recourse is to prevent javascript from running (this would take care of the case here), and if you must execute javascript, prevent gathered information from being sent back by blocking XHR. |
My point was a little bit different. It seams to depend on the context in which navigator.userAgent is used, if it is spoofed or not.
When you open the page it will show the real user agent. And when you click on Test it will show the spoofed one. And yes via feature detection it is mostly possible to detect the browser version (at least if JavaScript is enabled) |
I did not investigate but this must be due to Chromium limitation: there is no guarantee uBlock can inject its spoofing code before any inline script on the page has executed. |
Gentleman. gorhiil i have don't want offend you. SARG04 sorry i understand nothing. In fact no spoof user works perfectly. Best regards. |
What did you try? |
Just want to let you know, it happens in Firefox 38 as well. |
Ok, thinking of it, the spoofing script tag is not injected immediately when the content script is executed, the content script first asks asynchronously the main process whether spoofing is enabled or not, then upon receiving the answer, it will inject the spoofing script tag if enabled. |
gorhill |
@moulierac Yes of course... uMatrix is for advanced users, I can't help non-advanced users understand technical stuff, I would spend all my free time writing walls of text -- which I tried above for your benefits -- with no better understanding as a result. Non-advanced users who wants to understand technical stuff and how uMatrix helps them will have to seek knowledge themselves, I just do not have the time on hands. The point I was trying to make here is that "Big vulenability" was hyperbole. |
gorhill. But thank you. Best regards. |
Again:
Is |
gorhill. i know now no. Apologise again. |
Maybe this should be closed if the UA spoofing feature is removed. ;) |
+1 for removing the UA spoofing For starters, you block 95% of it (FP'ing) by blocking the offending JS (usually 3rd party - as pointed out by gorhill). UA is a *really small part of overall FP'ing, and 6+ years after Panopticlick brought it to people's attention, and dozens/hundreds of tickets on bugzilla, and even AFTER Tor Uplift's patches, it is STILL leaking like a sieve. date/time leaks locale and language, UA leaks over HTTP CONNECT method ... I could list more. FYI, they are probably going to not lie about the OS (or rather limit it to four - Windows, Mac, Android, Linux) due to so much general breakage, and they already don't spoof as non-FF. And yet it is trivial to do feature detection (for browser make and even model), or even use a CSS line height query to get your OS, or check scrollbar thickness for the same info. Remove the UA spoof feature - it is giving end-users a false sense of security IMO /end of 2 cents |
Meh, I'll bite. Removing the spoof is insane, it addresses an entirely different thing. Not every site uses international espionage grade analytics to track users. Much like a lot of threads lately, the position you're taking is akin to forgoing SSL entirely because it's broken by design. No one is denying uM or uB are advanced, what's somewhat infuriating is the number of "bugs" in browsers that are privacy / security nightmares but buried under pointless bug report threads only to be closed as invalid. They may be upstream but they certainly aren't invalid. People want to protest like Net Neutrality is the end of the world yet fail to acknowledge (aka, name and shame), who really supports making the Internet a miserable place. tl;DR - Rather then close bugs as invalid, why not make a list of sites known not to work? There's no harm in shaming Facebook, Google, Microsoft or Mozilla for allowing it. |
I wouldn't call a few lines of code (eg for CSS line height) international espionage grade analytics. The number of sites grabbing metrics is huge, and growing. Thankfully its almost always 3rd party. This is nothing to do with state actors - for that go and use Tor over VPN on Tails or whatever.
No-one said to stop trying to defeat FP'ing where it is unavoidable. There are dedicated extensions for UA (arguably most are not very good), and there is The point was that I think UA spoofing in uM is very bare bones, incomplete, almost impossible to get right, a waste of gorhill's time, and gives users a false sense of "privacy" I have no idea what bugs being invalidated, net neutrality and all those corporation names have to do with this. |
Don't follow that at all. I was referring to the scope in which the data is gathered not difficulty.
Which is one of the ways interception is done over Tor - with Tech companies quite involved in facilitating it.
gorhill above did. Why would I want to install more extensions?
The same could be and frequently is said about much of what uM and uBO do which is one of my points.
Bit of a shame, thought it was fairly clear. They are deflecting from the real sources of those problems. Quite a few of the companies are embattled in both. I responded to this because it's one of many threads attempting to trivialize real privacy issues. I'm well aware of how bad browsers are, I certainly don't sit behind intercepting proxies because I enjoy playing SSL accept bingo. I do it because I don't trust the damn browser or OS. |
The end result of the flawed UA spoofer was to accomplish the OPPOSITE of the intended goal. UA spoofing for privacy purpose turns out to be a whole complicated task on its own, and is best undertaken as a separate dedicated extension -- assuming it is possible at all. In any case, this had no place in a "Privacy" section in uMatrix, this was a bad idea to create this feature in the first place. It's never too late to correct a bad idea, and this is the purpose of this commit.
Hi
Thank's for you're great work and hard work.
But the user spoof not really "spoof".
Missing spoof mime javascipt.
Like : https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg?hl=en
With this vulenerability spoof user agent is ineffective in fact.
Thanks best regards
The text was updated successfully, but these errors were encountered: