User Agent Hackery (A Public Service Announcement)
I work for a company that uses a proxy filter on all web traffic within and out of the corporation. One of the tasks the filter has been assigned to do is to check the version of web browsers. If that given browser is not a sanctioned version, then it's blocked from reaching the Internets and the user is shown a warning page. This is because someone is under the belief that regardless of hosting OS, any browsers older than the current sanctioned releases are a security risk. This, of course, has all sorts of interesting consequences:
For the browsers in question I provide the following small table with each browser's method for changing their respective user agent string. These methods have worked since the early days of both browsers, and I sincerely hope their software engineering teams never remove this capability.
For String I use the following from Chrome 9 running on my Windows notebook, a version that is officially sanctioned at this point in time:
The only issue with this? Some outside sites use the user agent to set up Web 2.0 content specific to a given browser and its version. This can cause some sites to malfunction in the browser. For example, using the Chrome user agent string with Firefox 4 on Google Mail results in all sorts of hilarity. But since I can reach Google Mail with a sanctioned version of Chrome, it's not that painful for me.
Remember children, Your Mileage May Vary.
Rationale
Normally I'm not one to advocate security violations. Really, I'm not. But I'm also not stupid, or at least not deliberately so. With all the tasks I have on my plate, the last thing I need is for an IT staff that exhibits a poor grasp of issues and an unwillingness to spend the extra effort necessary for all of us to succeed in our jobs. To put it bluntly, if you become an unnecessary impediment I can and will go around you.
- You can't use the old-and-busted browser to fetch one that's more up-to-date, or use the old-and-busted one to fetch a new-and-shiny alternative within the corporate network.
- Not only does it block older versions, but newer versions, especially betas. For example, Fedora 14 updates delivered Google Chrome 10.0.648.82 Beta yesterday, and sure enough, our corporate proxy blocked it. I've also been running and testing Firefox 4 on my notebook in support of an ongoing project. Same issue.
For the browsers in question I provide the following small table with each browser's method for changing their respective user agent string. These methods have worked since the early days of both browsers, and I sincerely hope their software engineering teams never remove this capability.
Browser | Version | Method |
Chrome | 10.0.648.82 Beta | Command line: --user-agent="String" Quotes around String are required. Add as last argument. |
Firefox | 4 Beta 11 | about:config browser page - general.useragent.override String You'll need to add this as a new preference. |
For String I use the following from Chrome 9 running on my Windows notebook, a version that is officially sanctioned at this point in time:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13If you ever need a user agent string, there is the site User Agent String.com. It will tell you what your browser's user agent string is, and it contains an extensive catalog of strings for your spoofing pleasure.
The only issue with this? Some outside sites use the user agent to set up Web 2.0 content specific to a given browser and its version. This can cause some sites to malfunction in the browser. For example, using the Chrome user agent string with Firefox 4 on Google Mail results in all sorts of hilarity. But since I can reach Google Mail with a sanctioned version of Chrome, it's not that painful for me.
Remember children, Your Mileage May Vary.
Rationale
Normally I'm not one to advocate security violations. Really, I'm not. But I'm also not stupid, or at least not deliberately so. With all the tasks I have on my plate, the last thing I need is for an IT staff that exhibits a poor grasp of issues and an unwillingness to spend the extra effort necessary for all of us to succeed in our jobs. To put it bluntly, if you become an unnecessary impediment I can and will go around you.
Comments
Post a Comment
All comments are checked. Comment SPAM will be blocked and deleted.