Bank thinks Firefox is old version_"security risks"
Using Fx 70 in Linux, but before today I spoofed the useragent string to show Win 10.0, hoping for better compatibility. "SFCU" is the only financial institution that ever said (or cared??) my Fx was out of date. They let me log in after clicking, "I understand the risks - continue."
They didn't say which old version they detected, but warned of possible security issues. I doubt there are any, but I have no way of knowing what stupid things their site maintainers / code may do if they detect a really old browser.
I've read there are other ways to sniff the browser than a few "general.useragent..." prefs, but I'm no expert. Doubt they are, either.
They must use a contract vendor to run the site. It's been >> a month since 1st asked them to tell me what they use to sniff the browser, because it was up to date & "general.useragent.override" reflected that. Generally, their IT dept isn't very helpful. I had to call them to tell them to upgrade OpenSSL when the big bug surfaced while back, after ~ 90% of financial institutions had upgraded. They knew nothing of it. Still waiting for a "thanks for your help."
For grins, I entered a science fiction blended UA string just to see what their system would say: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169. Obviously, Chrome doesn't use Gecko engine.
So their site didn't complain about outdated browser or screwy UA string. Their site displayed the same as always. I purposely mixed & matched the string. In fact, I didn't change the UA string back to a valid one yet & this site is displaying OK.
One issue in using any browser in LInux (as useragent string) is a very small pool of users, increasing fingerprint ability. If I found out that most sites (if using desktops) work fine, even if you spoof the OS AND browser, there'd be a much larger group of Windows 10 / Chrome users vs. Linux / Fx users.
Tor Browser spoofs the OS (same for all users) but not the browser. Has anyone ever tried this - recently - to see how many sites broke?
All Replies (3)
I don't understand where is the problem. The bank has probably a JavaScript code or a check on your HTTP header which try to parse the User-Agent. Parsing isn't simple, so they can't know you are mixing gecko with chrome and the script fails probably returning OK to don't mess with unrecognized browsers.
Tor Browser has the same User-Agent string for all, OS and build.
Okulungisiwe ngu Koskha
You posted with a weird Google Chrome user agent on Windows 10.
- Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Chrome/74.0.3729.169
Any particular reason to use such a user agent apart from fingerprinting ?
@ Koskha - I don't pretend to know what the bank is doing. I do know that when earlier I used a perfectly good useragent string (over several weeks, logging on their site), that listed the latest Fx version, they always "determined" the browser was outdated enough to be a security risk.
@ cor-el & Koskha - when their IT dept. didn't get back to me (after I sent them the useragent string, sniffed by a useragent test site they wanted me to visit, I did an experiment.
My theory was they didn't know what they were doing with browser & OS sniffing. So I made the screwed up useragent string to see if it made any difference - how the bank site displayed or their warning.
The warnings stopped & the site displayed fine, with the wrong browser & the wrong rendering engine for that browser in the UA string.
I didn't change it back before coming here. I can't tell that the same strange UA string affects how this site displays.
I can't tell that it's made a difference on lots of sites I've gone to the last few days. None refused to load or were messed up.
For fingerprinting purposes, I usually list Windows 10 in the string, to be in a much larger group than Linux & Firefox (a very small group).
To be in the largest group of all, I should spoof Win 10 & Chrome browser (though it kinda makes my skin crawl). There might be some problems if sites delivered webkit only content, that Fx might not handle.
So far, I haven't seen that while using this messed up UA string. I don't know why. If some things didn't display right - or at all, it wasn't critical.