UA string.

Dawit A. adawit at kde.org
Sun Feb 23 18:55:33 GMT 2003


On Sunday 23 February 2003 05:08, Vadim Plessky wrote:
> Sorry for late comments, but it seems there are several important points
> not listed/not discussed so far.
> IIRC, we were discussing Konqueror/KHTML userAgent string couple of years
> ago (KDE 2.0/2.1 release time), and Harri Porten raised the question of
> _security_, as part of UA identification.
> Within last 2 years, this question became much more important than ever.

This is a privacy issue, not really a security issue unless there is a known 
exploit specific to our platform.

> For example, should Konqueror running on Linux identify itself as
>   Mozilla/5.0 (compatible; Konqueror/3.1; KHTML; Linux)

This is the default string.

> At a moment, Konqueror doesn't list OS/Platform by default, while you
> can turn it on in the UA Settings dialog.

Not true.  It lists the OS by default.  It does not however list the OS 
version number as there is no need for that IMHO.

> 2) should UA list CPU type and type of Windowing Environment?
>
> I am speaking of "PPC" part (and "Mac OS X") in this UA
>   Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us)
> or "X11" and "i686" in this UA string
>   Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; i686)
>
> As "Windows" string is quite common in Windows-based user agents, I think
> that listing non-Windows platform in UA string is a Good Idea.
> I hardly believe it discloses any kind of existing or potential
> vulnerabilities, while it definitely increases the count of non-Windows clients.

It is not a security issue, but a privacy one and since you have the option to 
turn it on, there is no need to unnecessarily specify Windowing Environment 
and processor power.

> |  > Mozilla/5.0 (compatible; Konqueror/3.1; Linux) (KHTML, like Gecko)
> |
> |  Seems as good as the above, not a lot better though. I guess they can
> |  look for "(KHTML," in this one, which might be better.
>
>
> I am strongly against using the word "Gecko" in the UA string.
> Konq/KHTML and Safari are not based on the Gecko engine, while you may want to
> fake as Gecko when:
> a) you are not using Gecko
> b) most web designers are not aware of Gecko's existence, and what
> Gecko is; they concentrate design around MS IE

Read the reasoning why the Apple engineers are doing it in their browsers.  
Even though I have my own doubts about web-sites looking for the word "Gecko", 
at least the major sites I checked, it makes sense to say "like Gecko" so that 
web-sites geared toward standards compliance that perhaps look for the word 
"Gecko" will work with khtml. It is no different than what "Mozilla/5.0 
(compatible" is used to indicate. And this does not break compatibility with 
existing sites since the string is an addition, not a replacement; so I do 
not see the problem with this at all.

Regards,
Dawit A.
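As an added illustration (not code from this thread or from KDE), a small parser that reports what each UA string quoted above discloses about the client, using the thread's own categories (OS, windowing environment, CPU, rendering engine, and a "like Gecko" compatibility claim). The regexes that classify comment fields are my own assumption, not anything Konqueror implements.

```python
import re

# UA strings quoted in the thread above (list constructed for this demo).
UA_SAMPLES = [
    "Mozilla/5.0 (compatible; Konqueror/3.1; KHTML; Linux)",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us)",
    "Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; i686)",
    "Mozilla/5.0 (compatible; Konqueror/3.1; Linux) (KHTML, like Gecko)",
]

COMMENT_RE = re.compile(r"\(([^)]*)\)")

# Assumed classification rules for comment fields; illustrative only.
OS_RE = re.compile(r"\b(Windows|Linux|Mac OS X)\b")
WINDOWING_RE = re.compile(r"\bX11\b")
CPU_RE = re.compile(r"\b(i[3-6]86|x86_64|PPC)\b")
ENGINE_RE = re.compile(r"\b(KHTML|Gecko|Trident)\b")


def parse_ua(ua):
    """Split a UA string into product tokens (e.g. 'Mozilla/5.0') and the
    ';'-separated fields of every parenthesised comment."""
    comments = COMMENT_RE.findall(ua)
    products = COMMENT_RE.sub(" ", ua).split()
    fields = [f.strip() for c in comments for f in c.split(";") if f.strip()]
    return products, fields


def platform_disclosure(ua):
    """Report what the comment fields reveal: OS, windowing environment,
    CPU, the real rendering engine, and whether 'like Gecko' is claimed."""
    _, fields = parse_ua(ua)
    joined = "; ".join(fields)
    like_gecko = "like Gecko" in joined
    # 'like Gecko' names Gecko without being Gecko; keep only the real engine.
    engines = [e for e in ENGINE_RE.findall(joined)
               if not (e == "Gecko" and like_gecko)]
    os_m, win_m, cpu_m = (r.search(joined) for r in (OS_RE, WINDOWING_RE, CPU_RE))
    return {
        "os": os_m.group(1) if os_m else None,
        "windowing": win_m.group(0) if win_m else None,
        "cpu": cpu_m.group(1) if cpu_m else None,
        "engine": engines[0] if engines else None,
        "like_gecko": like_gecko,
    }


if __name__ == "__main__":
    for ua in UA_SAMPLES:
        print(ua, "->", platform_disclosure(ua))
```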