User Agent Hackery (A Public Service Announcement)

I work for a company that uses a proxy filter on all web traffic within and out of the corporation. One of the tasks the filter has been assigned to do is to check the version of web browsers. If that given browser is not a sanctioned version, then it's blocked from reaching the Internets and the user is shown a warning page. This is because someone is under the belief that regardless of hosting OS, any browsers older than the current sanctioned releases are a security risk. This, of course, has all sorts of interesting consequences:
  • You can't use the old-and-busted browser to fetch one that's more up-to-date, or use the old-and-busted one to fetch a new-and-shiny alternative within the corporate network.
  • Not only does it block older versions, but newer versions, especially betas. For example, Fedora 14 updates delivered Google Chrome 10.0.648.82 Beta yesterday, and sure enough, our corporate proxy blocked it. I've also been running and testing Firefox 4 on my notebook in support of an ongoing project. Same issue.
The problem with a "security solution" such as this is how simply it is implemented, and thus how it can be so easily circumvented. In this particular case, circumvention is easily accomplished by changing the user agent string the browser spits out, because that's what the proxy is checking.
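What a check like this evaluates, and what the proxy's own logs can still show, as an added example that is not part of the original post: the policy function sees only the client-supplied header, so the detection looks for a source that was denied and then reappears shortly after with a sanctioned string. The sanctioned set, log format, addresses, timestamps and the Chrome 10 and Firefox 4 strings are constructed assumptions; the Chrome 9 string is the one quoted later in this post.

```python
import re
from datetime import datetime, timedelta

SANCTIONED = {("Chrome", 9)}                 # assumed policy: (family, major)
UA_RE = re.compile(r"(Chrome|Firefox)/(\d+)")

CHROME9_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 "
              "(KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13")
CHROME10_UA = ("Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 "
               "(KHTML, like Gecko) Chrome/10.0.648.82 Safari/534.16")  # constructed
FIREFOX4_UA = ("Mozilla/5.0 (X11; Linux x86_64; rv:2.0b11) "
               "Gecko/20100101 Firefox/4.0b11")                         # constructed

def ua_verdict(user_agent):
    """Allow or deny using nothing but the header the client chose to send."""
    m = UA_RE.search(user_agent)
    if m and (m.group(1), int(m.group(2))) in SANCTIONED:
        return "allow"
    return "deny"

# Constructed proxy log: "<ISO timestamp> <source address> <User-Agent>"
LOG = "\n".join([
    "2011-03-01T09:00:05 10.0.0.21 " + CHROME10_UA,
    "2011-03-01T09:03:40 10.0.0.21 " + CHROME9_UA,
    "2011-03-01T09:04:00 10.0.0.35 " + CHROME9_UA,
    "2011-03-01T10:00:00 10.0.0.50 " + FIREFOX4_UA,
    "2011-03-01T12:30:00 10.0.0.50 " + CHROME9_UA,
])

def flag_ua_switches(log_text, window=timedelta(minutes=15)):
    """Return (source, denied_at, allowed_at) where a deny is followed,
    inside the window, by an allow under a different User-Agent string."""
    last_deny, flagged = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, ua = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        if ua_verdict(ua) == "deny":
            last_deny[src] = (when, ua)
        elif src in last_deny:
            denied_at, denied_ua = last_deny.pop(src)
            if ua != denied_ua and when - denied_at <= window:
                flagged.append((src, denied_at.isoformat(), when.isoformat()))
    return flagged

if __name__ == "__main__":
    for hit in flag_ua_switches(LOG):
        print("review:", hit)
```

A hit is a prompt for review rather than proof of spoofing: a user who is blocked in one browser and then opens a sanctioned one on the same machine produces the same pattern, as does any address shared by several users.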

For the browsers in question I provide the following small table with each browser's method for changing their respective user agent string. These methods have worked since the early days of both browsers, and I sincerely hope their software engineering teams never remove this capability.

| Browser | Version | Method | Notes |
|---|---|---|---|
| Chrome | 10.0.648.82 Beta | Command line: --user-agent="String" | Quotes around String are required. Add as last argument. |
| Firefox | 4 Beta 11 | about:config browser page - general.useragent.override String | You'll need to add this as a new preference. |

For String I use the following from Chrome 9 running on my Windows notebook, a version that is officially sanctioned at this point in time:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
If you ever need a user agent string, there is the site User Agent. It will tell you what your browser's user agent string is, and it contains an extensive catalog of strings for your spoofing pleasure.

The only issue with this? Some outside sites use the user agent to set up Web 2.0 content specific to a given browser and its version. This can cause some sites to malfunction in the browser. For example, using the Chrome user agent string with Firefox 4 on Google Mail results in all sorts of hilarity. But since I can reach Google Mail with a sanctioned version of Chrome, it's not that painful for me.

Remember children, Your Mileage May Vary.


Normally I'm not one to advocate security violations. Really, I'm not. But I'm also not stupid, or at least not deliberately so. With all the tasks I have on my plate, the last thing I need is an IT staff that exhibits a poor grasp of issues and an unwillingness to spend the extra effort necessary for all of us to succeed in our jobs. To put it bluntly, if you become an unnecessary impediment I can and will go around you.