Programs that respect your privacy

User Agent Problems

User agents are strings that the browser sends in the header of every HTTP request that identifies itself, like Mozilla/5.0 (Linux; Android 13; Pixel 5 Build/TP1A.221105.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/108.0.5359.128 Mobile Safari/537.36. They tend to be quite long because they contain a brief history of the internet, but serve no real purpose (some people will argue this point, but I think I can back up that assertion).

Some websites don’t work well if they don’t recognize the user agent. Much has been written about how browser detection is a flawed system, but some websites still do it. For Privacy Browser, this means that if the default user agent of PrivacyBrowser/1.0 is used, some aspects of certain websites won’t work because the web server doesn’t have PrivacyBrowser/1.0 on the list of user agents that it knows can run a specific feature, so the webserver doesn’t even try to do it, even though Privacy Browser is perfectly capable of handling the feature.

So, for example, doesn’t allow the user to log on if the user agent is PrivacyBrowser/1.0http://hss3uro2hsxfogfq.onion/ loads an entirely blank screen if it doesn’t recognize the user agent. Google doesn’t redirect from HTTP to HTTPS if it doesn’t recognize the user agent, and the Google Play Console doesn’t layout correctly.

Setting a user agent in domain settings that the website recognizes, like WebView Default, often resolves the issue. Note that spoofing the user agent does have possible negative fingerprinting implications, because if a browser’s presented behaviors differ from those expected for a particular user agent, it makes it fairly unique for those who are closely tracking such things.

Last updated

6 responses to “User Agent Problems”

  1. This is so stupid. I had issues with Nextcloud on the computer before. It didn’t recognize my useragent so it decided to never show any images.

    And once some online store was just blank for me, it didn’t work at all. It turned out to be the useragent as well. And I don’t get it, nobody can’t be that stupid?

  2. I haven’t tried it but I’d assume different behavior for User Agent strings like major browsers and even bots are using them, i.e. including all potential trigger words. E.g. here a recent one from bingbot:

    Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; + Chrome/103.0.5060.134 Safari/537.36

    I’ve never myself felt comfortable using such identifiers but I might try something like `Mozilla/5.0 PrivacyBrowser/1.0 compatible to Chrome/…`

  3. Thanks for the link to the history which I didn’t know. Great article!

    About fingerprinting, I am afraid you are misled: Any identifier can be of arbitrary length without providing more information. If Privacy Browser was using `Mozilla/5.0 PrivacyBrowser/1.0` instead of `PrivacyBrowser/1.0` it would not change fingerprinting probability (if like before the same string was used by all users and all instances, of course).

    • You are correct that the length of the identifier does not provide any additional fingerprinting information. However, the uniqueness of the fingerprint does. If Privacy Browser becomes popular and millions of people visiting a website are using it, then they will have millions of instances of `PrivacyBrowser/1.0` in their web logs. But, if you decide you use `Mozilla/5.0 PrivacyBrowser/1.0`, you will likely be the only instance of that User Agent in their logs, which will make you unique, which will make you easy to fingerprint.