6

How can a "webserver" (or a sniffer between the server and the client) know what browser I'm using, besides the user-agent?

Are there any "magic tricks"? JavaScript? Java? How can I securely, completely hide what web browser I am using?

Gilles 'SO- stop being evil'
LanceBaynes

3 Answers

8

What exactly do you mean by 'what browser I'm using' - like being able to find if you are using Firefox or Opera, or do you mean something else?

In any case, three projects come to mind:

  • EFF's Panopticlick (paper here): This method is not about finding out what browser you are using but more about identifying who you are among others, by correlating information about you leaking from your browser when visiting a site. Information collected by Panopticlick includes:

    • The User-Agent HTTP header
    • The HTTP Accept header
    • Whether you have cookies enabled or not
    • Your screen resolution (determined using JavaScript)
    • Your timezone (determined using JavaScript)
    • Browser plugins, plugin versions and MIME types (determined using JavaScript)
    • System fonts (determined using Flash or Java applets and JavaScript)
    • Supercookies (JavaScript - but there are more here)
  • Evercookie project: There are many different kinds of cookies, like Flash cookies, Silverlight cookies, HTML5 databases and DOM globalStorage. More information on the provided link.

  • BrowserRecon project: This is an older project, similar to Panopticlick but older (and not very well known). This is aimed towards finding which browser a user is using, not identifying him among others. It uses large databases that contain observed values (fingerprints) of several HTTP fields (like the user-agent field, the header-order field, the accept field, the keep-alive field and many more). By matching the values of all these different fields when a request comes to a server, the specific browser and its version can be determined with a high degree of certainty.

On mitigation measures: The last technique can be defeated by using a proxy, which can potentially alter the values of many HTTP fields and so alter the fingerprinting results.

NoScript is of great help for the other techniques, as is disabling all unnecessary functionality or only enabling it on whitelisted sites.

john
5

Besides the user agent, there are other ways to identify your browser (which doesn't identify you personally, but makes it easier to track your browser from one visit to the next). Languages, screen characteristics, and even more available plugins and fonts, carry quite a lot of information, even with JavaScript disabled.

You can test your browser against EFF's Panopticlick. The site has quite a lot of information on browser identification.

JavaScript is a sure way to identify your exact browser version — no two browsers have exactly the same implementation quirks and bugs.

Even if all that information from headers was stripped off and JavaScript was turned off — which would impinge a lot on functionality — there would still be (less reliable) ways to identify web clients, for example through typical timings and packet-sending habits (à la nmap). This way identifies not only the browser but also the OS, and possibly intermediate network infrastructure (in particular caches).

Gilles 'SO- stop being evil'
1

Hiding what web browser you are using can be really hard, as there are usually many ways of discovering what browser you use besides using the user-agent.

For example, you can guess what kind of browser you are using by checking in which sequence the HTTP header values are presented in the header.

This question is very similar to some other questions here:

To try to answer how you can keep anyone from knowing what browser you are using, I would at least do the following to throw them off:

  • Modify the presentation of HTTP headers
  • Don't allow JavaScript
  • Don't allow any ActiveX plugins or other plugins
  • Don't run anything customizable, like add-ons or similar browser-integrated software.
  • Change your user-agent manually
Chris Dale
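
The header-order check mentioned in this answer, and in the BrowserRecon description in the first answer, shown as an added example that is not part of any answer or of BrowserRecon itself. It compares the browser family the User-Agent claims with the family the header order suggests; the family names, signatures, User-Agent tokens and the sample request are constructed for illustration.

```python
# Added example. SIGNATURES and UA_TOKENS are constructed for illustration,
# not measured from real browsers; a real tool would use an observed database.
SIGNATURES = {
    "browser-A": ["host", "user-agent", "accept", "accept-language",
                  "accept-encoding", "connection"],
    "browser-B": ["host", "connection", "user-agent", "accept",
                  "accept-encoding", "accept-language"],
}
UA_TOKENS = {"browser-A": "BrowserA/", "browser-B": "BrowserB/"}

def parse_headers(raw):
    """Return (lower-cased name, value) pairs in on-the-wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # [1:] skips the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def order_similarity(observed, signature):
    """Share of header pairs that keep the signature's relative order."""
    common = [h for h in signature if h in observed]
    pairs = [(a, b) for i, a in enumerate(common) for b in common[i + 1:]]
    if not pairs:
        return 0.0
    return sum(observed.index(a) < observed.index(b) for a, b in pairs) / len(pairs)

def analyse(raw):
    """Compare the family the User-Agent claims with the one the order suggests."""
    headers = parse_headers(raw)
    order = [name for name, _ in headers]
    scores = {fam: order_similarity(order, sig) for fam, sig in SIGNATURES.items()}
    inferred = max(scores, key=scores.get)
    ua = dict(headers).get("user-agent", "")
    claimed = next((fam for fam, tok in UA_TOKENS.items() if tok in ua), None)
    return {"claimed": claimed, "inferred": inferred,
            "score": round(scores[inferred], 2), "mismatch": claimed != inferred}

def build(lines):
    """Assemble a raw HTTP/1.1 request from header lines."""
    return "\r\n".join(["GET / HTTP/1.1"] + lines) + "\r\n\r\n"

# Constructed sample: browser-B header order, User-Agent changed by hand.
SPOOFED = build(["Host: example.test", "Connection: keep-alive",
                 "User-Agent: BrowserA/1.0", "Accept: text/html",
                 "Accept-Encoding: gzip", "Accept-Language: en"])

if __name__ == "__main__":
    print(analyse(SPOOFED))
```

Because the score uses relative order only, a header inserted along the path (for example Via) does not change the result, while a proxy that rewrites or reorders headers does.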