
It appears that you may have made some modifications to your user agent string. If you revert your user agent to the one provided by default by your browser vendor everything will be fine.

Why is it that something as malleable as a user-agent string trips these kinds of sensors?

If I were to write a bot, copying current browsers' user-agents is literally the first thing I'd do

It really hits home the point of how shitty the web has become. Ad companies and malware distributors come up with bad and worse ways to interfere with my browsing, and the “good guys” need to match with increasingly invasive and fragile anti measures.

Sort of like having to take off your shoes when you board a plane. If that’s what it takes, isn’t it just better to stay home?

> Sort of like having to take off your shoes when you board a plane. If that’s what it takes, isn’t it just better to stay home?

Removal of shoes, 'naked' full body scanners, these are all terrible, and I tell myself every time it isn't worth the hassle.

The reality is that as much as I hate it, I'm still flying every other week.

I'm also on the Internet daily. I don't see that changing.

Honestly what is the point of user-agent at all if it needs to be set to some changing, magical incantation in order for a browser (or any other agent) to be functional?

I hate the direction the internet and tech is going, and I hate even more that I'm seemingly powerless to do anything about it

For me it did change. I stopped flying and I stopped visiting websites which won't accept my tracking blockers.

You need it for work. Meanwhile, TSA has caused more overall economic damage than the 9/11 plane crashes.

Welcome to this brave new world where technology is accessible to all.

I hate it.

Indeed - I travel by train as much as I can.

The web sucks. Society/civilization is shaking in its foundations.

I just wish the passive non-violent approach would work. It worked for Gandhi, but in this day?

I feel we're all getting overrun by technology. Unfortunately, as it could have been the opposite.

You'd be surprised. The /good/ bots do this, but there's a lot of white noise garbage that simple techniques do still filter out.

Speaking from experience: there are a ton of bots that don't set UA and use whatever their request library sets.

Pure conjecture: The "security solution" probably wanted to ban the user for a reason unrelated to the UA string, and was only able to (i.e., the user was only identifiable uniquely enough) because of the odd UA string. Switching to the standard UA string places the user into a state sufficiently non-unique as to be unidentifiable and thus unblockable.

If you omit the user-agent string or, even better, the user-agent header itself, everything will be fine, too.

Tested with Cloudflare and many, many other servers over many years.

On the whole, taking the entire web into account, it is rare for a user-agent string to be required.

However, it has become common for servers to make many assumptions based on user-agent strings.

I would guess there are many tech workers whose entire job rests on the assumption that user-agent strings are always present, rarely manipulated^1 and accurately represent the user's hardware and software.

1. For example, changed using "Developer Tools" in the major browsers. Google's browser has some user-agent presets for "testing" in DevTools (Ctrl-Shift I, Ctrl-Shift P, Drawer Show Network Conditions). Those should be safe to use for logins to Google websites. Try them out, e.g., when logging into Gmail and watch how the user can request vastly different web page styles based only on user-agent string.

There are a number of sites that simply crash with a web framework backtrace or behave strangely when the User-Agent header is not sent.

That sounds like something worth reporting if possible; assuming it's also written to a log, it might be a denial of service weak point.

It appears that setting it to the same as Chrome's does indeed work!

For context, this is what I had set (and, for quite some time, it was working): "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecho/20100101 Firefox/57.0"

Ironically, I set this so that I could continue logging in to Google, since I had been unable to log in to google-apps without setting this user agent string.

What did it fail on? The misspelling of "Gecho"?

It's the severely-outdated Firefox version number. Spambots and crawlers sometimes have user-agent strings corresponding to very old browsers, because they were set once when the bot was created and then never updated. On an unrelated site that I run, we get a lot of traffic with user agent strings corresponding to implausibly-old browsers, and it's ~100% bots.
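The heuristics discussed in this thread (a missing header, a request library's default string, an implausibly old browser version, a malformed token such as "Gecho"), sketched as a log-triage function. This is an added example, not code from any commenter or from Cloudflare; the baseline versions, the lag threshold and every sample string other than the one quoted above are constructed assumptions.

```python
import re

# Assumed baseline of "current" major versions; constructed for this example
# and would need regular refreshing in a real deployment.
CURRENT_MAJOR = {"Firefox": 72, "Chrome": 79}
MAX_LAG = 8  # assumed tolerance, in major versions, before a UA counts as stale

VERSION_RE = re.compile(r"\b(Firefox|Chrome)/(\d+)")


def classify_user_agent(ua):
    """Return the reasons a User-Agent value looks bot-like (empty list = none)."""
    if ua is None or not ua.strip():
        return ["missing"]            # header absent or empty
    match = VERSION_RE.search(ua)
    if match is None:
        return ["unrecognized"]       # e.g. an HTTP library's default string
    family, major = match.group(1), int(match.group(2))
    reasons = []
    if CURRENT_MAJOR[family] - major > MAX_LAG:
        reasons.append("stale")       # set once when the client was built, never updated
    if family == "Firefox" and "Gecko/" not in ua:
        reasons.append("malformed")   # a genuine Firefox string carries a Gecko/ token
    return reasons


def triage(user_agents):
    """Map each flagged User-Agent to its reasons; clean ones are left out."""
    flagged = {}
    for ua in user_agents:
        reasons = classify_user_agent(ua)
        if reasons:
            flagged[ua] = reasons
    return flagged


# Sample values: the first is the string quoted in the thread, the rest are constructed.
SAMPLES = [
    "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecho/20100101 Firefox/57.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0",
    "python-requests/2.22.0",
    None,
]

if __name__ == "__main__":
    for ua, reasons in triage(SAMPLES).items():
        print(reasons, ua)
```

As the replies below point out, real users on devices that can no longer be updated also match the "stale" rule, so a result like this is better treated as one scoring signal than as a block decision.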

November 2017 is “severely outdated”?


Two full years for an evergreen web browser, which contains probably the largest surface area for software exploits of anything on the machine? I’d argue absolutely yes.

As others have echoed, this is probably a huge marker for malicious bots to Cloudflare.

The evergreen browser is a thing, but the idea that everyone can trivially upgrade those browsers is promulgated as true when it's a bit of a myth.

It is sometimes expensive for people to upgrade browsers, called evergreen by developers so they can avoid annoying support expenses for a few percent of people.

I had a phone running a Mozilla browser, which received updates until it didn't any more.

Then the only way to upgrade browser was to purchase a new smartphone.

Unfortunately it was a superb device with no newer replacement, so to upgrade browser I had to downgrade my smartphone for other uses, and pay the cost of an expensive new smartphone despite not really wanting one. But sites saw it as "you are running an old Firefox, you obviously can trivially upgrade".

I still have a perfectly great old Android tablet running an old version of Chrome which cannot be updated. Other than website compatibility, everything on it that it is used for is still working flawlessly. Perfect screen, sound, wifi, memory, battery.

For now, enough sites work on it that I still use it. That can be replaced easily with another tablet, but it is disappointing to have to spend cash and throw away a working product to e-waste, just to replace it with a functionally identical device because of the way the software treadmill works. (It doesn't have to work like that, it's a choice made by developers collectively.)

Yes, plus one of FF's upgrades slipped in the change that ignored your setting on "allow unsigned extensions" which broke a vital UX app I had been maintaining after it got abandoned (pentadactyl: I had gotten so used to clicking links from the keyboard that it was really frustrating when I suddenly couldn't; fortunately there have been similar projects since that carried the torch).

I mean, they said they gave long notice for the change, but I didn't think that a browser that "empowered users" and "gave them control of their machines" would ever do that. I mean, if every change has to be approved by Mozilla, why not just shrink wrap the browser and make me get it from Microsoft at Best Buy?


Even a month of no updates to browser is a bad idea.

Between the huge and complex attack surface and being exposed to a huge number of untrusted websites, running a browser without security updates is pretty risky. So I'd call any unsupported browser "severely outdated".

Long term support (ESR) Firefox releases are supported for about 15 months from release. And even that means using a major version that old, not a point version that old. Firefox 57 wasn't even an ESR, so it went out of support a couple of months after release.

Most certainly, like any complex app that needs to interact with potentially hostile services.

I always recommend setting custom user-agents for a problematic page instead of setting them globally.

For the Google issue, qutebrowser v1.9.0 does that already, see https://github.com/qutebrowser/qutebrowser/issues/5182

So can Falkon :)

Having a Chrome UA is a MUST on webkit based browsers if you want Google's taxing services such as Earth/Maps/Gmail and so on being faster and smoother than ever. Seriously.

Once you open Street View on luakit/vimb with a Chrome UA, the diff is night and day.

I tried with Street View in vimb. I don't see any difference - it's slow to the point of being almost unusable, while it works fine in qutebrowser.

In ~/.config/vimb/config:

    set hardware-acceleration-policy=always

    set webgl=true

That seems to help, but I still don't see a difference with/without a Chrome UA.

Try a mobile Chrome UA, such as the one for a recent Galaxy Tab.

That User-Agent won't trigger the block page you were experiencing.

No clue about the issues with Google, perhaps some feature detection going on?

Nope, it's Google trying to ban "embedded browser frameworks" - see https://github.com/qutebrowser/qutebrowser/issues/5182 for details.

I used straight Firefox and was still banned just fine. It didn't start in 2019 either. Chrome is their cash cow, if you don't use it, you're a liability.

I find it very annoying that the authors thought it would be cute to use another full name for MITM.

My wild unfounded guess: they’re trying to make it gender-neutral.

Pretty much. Link to probably the first article I saw using it: https://news.ycombinator.com/item?id=20673409

> It’s the same thing, recognizing that the MITM is neither male, nor human at all.

I don't see why this is important for a technical term. People hear the term as a slug, a group of words, not as discrete ones. No one actually pictures a man or anything else in the middle upon hearing the term. The difference is that the purpose of language is to communicate with others, and everyone understands man in the middle. I look up the "alternative" and get more results for "Henry the Hugglemonster" than I do for network traffic interception.

> No one actually pictures a man or anything else in the middle upon hearing the term.

Thanks, I’ve always wanted someone to mansplain to me how I hear terms and what I picture while I hear them.

I can see both sides of the argument here, but don't really have an opinion. Perhaps if I weren't a middle-aged, middle-class, white male in a Western country, I'd feel more strongly about it. As it is, I do feel a bit of "social justice fatigue" on issues like this.

I set privacy.resistFingerprinting to true in all Firefoxes I use. This also sets the user agent to something common.

At least now people can see why Google want to deprecate the User-Agent string.
