X
Tap here to go to the mobile version of the site.

Support Forum

Bank thinks Firefox is old version_"security risks"

Posted

Using Fx 70 in Linux, but before today I spoofed the useragent string to show Win 10.0, hoping for better compatibility. "SFCU" is the only financial institution that ever said (or cared??) my Fx was out of date. They let me log in after clicking, "I understand the risks - continue."

They didn't say which old version they detected, but warned of possible security issues. I doubt there are any, but I have no way of knowing what stupid things their site maintainers / code may do if they detect a really old browser.

I've read there are other ways to sniff the browser than a few "general.useragent..." prefs, but I'm no expert. Doubt they are, either.

They must use a contract vendor to run the site. It's been >> a month since 1st asked them to tell me what they use to sniff the browser, because it was up to date & "general.useragent.override" reflected that. Generally, their IT dept isn't very helpful. I had to call them to tell them to upgrade OpenSSL when the big bug surfaced while back, after ~ 90% of financial institutions had upgraded. They knew nothing of it. Still waiting for a "thanks for your help."

For grins, I entered a science fiction blended UA string just to see what their system would say: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169. Obviously, Chrome doesn't use Gecko engine.

So their site didn't complain about outdated browser or screwy UA string. Their site displayed the same as always. I purposely mixed & matched the string. In fact, I didn't change the UA string back to a valid one yet & this site is displaying OK.

One issue in using any browser in LInux (as useragent string) is a very small pool of users, increasing fingerprint ability. If I found out that most sites (if using desktops) work fine, even if you spoof the OS AND browser, there'd be a much larger group of Windows 10 / Chrome users vs. Linux / Fx users.

Tor Browser spoofs the OS (same for all users) but not the browser. Has anyone ever tried this - recently - to see how many sites broke?

Using Fx 70 in Linux, but before today I spoofed the useragent string to show Win 10.0, hoping for better compatibility. "SFCU" is the only financial institution that ever said (or cared??) my Fx was out of date. They let me log in after clicking, "I understand the risks - continue." They didn't say which old version they detected, but warned of possible security issues. I doubt there are any, but I have no way of knowing what stupid things their site maintainers / code may do if they detect a really old browser. I've read there are other ways to sniff the browser than a few "general.useragent..." prefs, but I'm no expert. Doubt they are, either. They must use a contract vendor to run the site. It's been >> a month since 1st asked them to tell me what they use to sniff the browser, because it was up to date & "general.useragent.override" reflected that. Generally, their IT dept isn't very helpful. I had to call them to tell them to upgrade OpenSSL when the big bug surfaced while back, after ~ 90% of financial institutions had upgraded. They knew nothing of it. Still waiting for a "thanks for your help." For grins, I entered a science fiction blended UA string just to see what their system would say: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169. Obviously, Chrome doesn't use Gecko engine. So their site didn't complain about outdated browser or screwy UA string. Their site displayed the same as always. I purposely mixed & matched the string. In fact, I didn't change the UA string back to a valid one yet & this site is displaying OK. One issue in using any browser in LInux (as useragent string) is a very small pool of users, increasing fingerprint ability. If I found out that most sites (if using desktops) work fine, even if you spoof the OS AND browser, there'd be a much larger group of Windows 10 / Chrome users vs. Linux / Fx users. Tor Browser spoofs the OS (same for all users) but not the browser. Has anyone ever tried this - recently - to see how many sites broke?
Quote

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169

More Information

Koskha 0 solutions 5 answers

I don't understand where is the problem. The bank has probably a JavaScript code or a check on your HTTP header which try to parse the User-Agent. Parsing isn't simple, so they can't know you are mixing gecko with chrome and the script fails probably returning OK to don't mess with unrecognized browsers.

Tor Browser has the same User-Agent string for all, OS and build.

I don't understand where is the problem. The bank has probably a JavaScript code or a check on your HTTP header which try to parse the User-Agent. Parsing isn't simple, so they can't know you are mixing gecko with chrome and the script fails probably returning OK to don't mess with unrecognized browsers. Tor Browser has the same User-Agent string for all, OS and build.

Modified by Koskha

Was this helpful to you?
Quote
cor-el
  • Top 10 Contributor
  • Moderator
17571 solutions 158915 answers

You posted with a weird Google Chrome user agent on Windows 10.

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169

Any particular reason to use such a user agent apart from fingerprinting ?

You posted with a weird Google Chrome user agent on Windows 10. *Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169 Any particular reason to use such a user agent apart from fingerprinting ?
Was this helpful to you?
Quote

Question owner

@ Koskha - I don't pretend to know what the bank is doing. I do know that when earlier I used a perfectly good useragent string (over several weeks, logging on their site), that listed the latest Fx version, they always "determined" the browser was outdated enough to be a security risk.

@ cor-el & Koskha - when their IT dept. didn't get back to me (after I sent them the useragent string, sniffed by a useragent test site they wanted me to visit, I did an experiment.

My theory was they didn't know what they were doing with browser & OS sniffing. So I made the screwed up useragent string to see if it made any difference - how the bank site displayed or their warning.

The warnings stopped & the site displayed fine, with the wrong browser & the wrong rendering engine for that browser in the UA string.

I didn't change it back before coming here. I can't tell that the same strange UA string affects how this site displays.

I can't tell that it's made a difference on lots of sites I've gone to the last few days. None refused to load or were messed up.

For fingerprinting purposes, I usually list Windows 10 in the string, to be in a much larger group than Linux & Firefox (a very small group).

To be in the largest group of all, I should spoof Win 10 & Chrome browser (though it kinda makes my skin crawl). There might be some problems if sites delivered webkit only content, that Fx might not handle.

So far, I haven't seen that while using this messed up UA string. I don't know why. If some things didn't display right - or at all, it wasn't critical.

@ Koskha - I don't pretend to know what the bank is doing. I do know that when earlier I used a perfectly good useragent string (over several weeks, logging on their site), that listed the latest Fx version, they always "determined" the browser was outdated enough to be a security risk. @ cor-el & Koskha - when their IT dept. didn't get back to me (after I sent them the useragent string, sniffed by a useragent test site they wanted me to visit, I did an experiment. My theory was they didn't know what they were doing with browser & OS sniffing. So I made the screwed up useragent string to see if it made any difference - how the bank site displayed or their warning. The warnings stopped & the site displayed fine, with the wrong browser & the wrong rendering engine for that browser in the UA string. I didn't change it back before coming here. I can't tell that the same strange UA string affects how this site displays. I can't tell that it's made a difference on lots of sites I've gone to the last few days. None refused to load or were messed up. For fingerprinting purposes, I usually list Windows 10 in the string, to be in a much larger group than Linux & Firefox (a very small group). To be in the largest group of all, I should spoof Win 10 & Chrome browser (though it kinda makes my skin crawl). There might be some problems if sites delivered webkit only content, that Fx might not handle. So far, I haven't seen that while using this messed up UA string. I don't know why. If some things didn't display right - or at all, it wasn't critical.
Was this helpful to you?
Quote
Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.