Tuesday, February 22, 2011

User Agent Hackery (A Public Service Announcement)

I work for a company that uses a proxy filter on all web traffic within and out of the corporation. One of the tasks the filter has been assigned to do is to check the version of web browsers. If that given browser is not a sanctioned version, then it's blocked from reaching the Internets and the user is shown a warning page. This is because someone is under the belief that regardless of hosting OS, any browsers older than the current sanctioned releases are a security risk. This, of course, has all sorts of interesting consequences:
  • You can't use the old-and-busted browser to fetch one that's more up-to-date, or use the old-and-busted one to fetch a new-and-shiny alternative within the corporate network.
  • Not only does it block older versions, but newer versions, especially betas. For example, Fedora 14 updates delivered Google Chrome 10.0.648.82 Beta yesterday, and sure enough, our corporate proxy blocked it. I've also been running and testing Firefox 4 on my notebook in support of an ongoing project. Same issue.
The problem with a "security solution" such as this is how simply it is implemented, and thus how it can be so easily circumvented. In this particular case, circumvention is easily accomplished by changing the user agent string the browser spits out, because that's what the proxy is checking.

For the browsers in question I provide the following small table with each browser's method for changing their respective user agent string. These methods have worked since the early days of both browsers, and I sincerely hope their software engineering teams never remove this capability.

Chrome10.0.648.82 BetaCommand line: --user-agent="String"
Quotes around String are required. Add as last argument.
Firefox4 Beta 11about:config browser page - general.useragent.override String
You'll need to add this as a new preference.

For String I use the following from Chrome 9 running on my Windows notebook, a version that is officially sanctioned at this point in time:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
If you ever need a user agent string, there is the site User Agent String.com. It will tell you what your browser's user agent string is, and it contains an extensive catalog of strings for your spoofing pleasure.

The only issue with this? Some outside sites use the user agent to set up Web 2.0 content specific to a given browser and its version. This can cause some sites to malfunction in the browser. For example, using the Chrome user agent string with Firefox 4 on Google Mail results in all sorts of hilarity. But since I can reach Google Mail with a sanctioned version of Chrome, it's not that painful for me.

Remember children, Your Mileage May Vary.


Normally I'm not one to advocate security violations. Really, I'm not. But I'm also not stupid, or at least not deliberately so. With all the tasks I have on my plate, the last thing I need is for an IT staff that exhibits a poor grasp of issues and an unwillingness to spend the extra effort necessary for all of us to succeed in our jobs. To put it bluntly, if you become an unnecessary impediment I can and will go around you.

No comments:

Post a Comment

All comments are checked. Comment SPAM will be blocked and deleted.

Note: Only a member of this blog may post a comment.