
History of the browser user-agent string (2008) - tosh
https://webaim.org/blog/user-agent-string-history/
======
TekMol
It is time to get rid of this header. All browsers should stop sending it.

Even more important is to stop leaking your private IPs:
[https://browserleaks.com/webrtc](https://browserleaks.com/webrtc)

Even _more_ important: Stop using http by default when users enter a hostname
into their urlbar. https is a joke at the moment. Because when users go to
somecoolsite.com they are at first connecting via http. Now a man in the
middle could just proxy their connection. No security at all.

~~~
daxterspeed
It's likely that the Chrome team has plans to eventually assume https by
default, given that they've outlined their plans mark http as insecure on
connect[0] (rather than on input).

The move would likely have to be coordinated among the browser vendors, but it
wouldn't surprise me if Apple decides to lead the charge on this one. All
iPhones being https by default would put a massive demand on crappy systems
that assume they can mitm users.

0: [http://www.chromium.org/Home/chromium-security/marking-
http-...](http://www.chromium.org/Home/chromium-security/marking-http-as-non-
secure)

~~~
gsnedders
I think it's clear that everyone would like HTTPS-by-default, it's just a
question of how to do it in a way that doesn't cause a massively degraded
user-experience in the short term and still provides security gains (racing
the two gets around the UX problem, but provides no security benefit). We
might see something whereby we use HTTPS if the hostname has previously been
connected to over HTTPS (even without HSTS).

------
zadokshi
What would break if at this point Safri and Chrome decided to go back to a
basic user agent string and abandon all of the silliness? Do any important
sites do sniffing in any important way?

(I know I sniff for iPhone but that’s about it)

~~~
shakna
Several Google sites use user-agent sniffing.

I've seen comments from Youtube devs that say progressive enhancement is too
slow, so they use the useragent to choose what bundle to send.

~~~
danShumway
It's worth calling Google out particularly here, because not only do they do
useragent sniffing, they also launch new services that use useragent sniffing
to block any browsers that aren't on a compatibility whitelist.

I get it, sometimes sniffing is necessary for some things. But it's
embarrassing to see a company of Google's size and caliber so reliant on it,
and to see their developers so quickly accept that they're just going to
abandon what is one of the cornerstones of good web development.

------
genericacct
The way I see it the user agent string is just a way of telling bad actors
what exploits are going to work on your device -- google chrome gives away
your phone's maker and model without a thought.

------
netsharc
It never made it to the mobile age.. webdevs started serving iPhone-compatible
pages by sniffing "Mobile Safari", so now Chrome on Mobile also says it's
"Mobile Safari".

------
dang
A thread from 2016:
[https://news.ycombinator.com/item?id=11693455](https://news.ycombinator.com/item?id=11693455)

2013:
[https://news.ycombinator.com/item?id=6674812](https://news.ycombinator.com/item?id=6674812)

Discussed at the time, though not much:
[https://news.ycombinator.com/item?id=298844](https://news.ycombinator.com/item?id=298844)

------
kuharich
Prior discussion:
[https://news.ycombinator.com/item?id=298844](https://news.ycombinator.com/item?id=298844)

------
stevekemp
Cute history, though of course Microsoft didn't write Internet Explorer, they
bought it. From Spyglass, if I remember correctly?

