per-domain useragent override is insecure

googlefan

per-domain useragent override is insecure

Unread post by googlefan » 2021-02-03, 09:15

... because it overrides the User-Agent header only for the main domain, not for the resources loaded from third-party domains or subdomains.

To verify: create two records in /etc/hosts:

Code:

127.0.0.1 localhost.com
127.0.0.1 malicious-scripts.com

create a new string in about:config

Code:

general.useragent.override.localhost.com = Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0

create an HTML file containing a request to the third party domain:

Code:

<!DOCTYPE html>
<html>
<head>
<title>useragent test</title>
</head>
<body>
<script src="http://malicious-scripts.com/exploit.js"></script>
<p>hello</p>
</body>
</html>


and run a webserver serving localhost.com and malicious-scripts.com domains.

Then watch logs:

Code:

GET / HTTP/1.1
Host: localhost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0

Code:

GET /exploit.js HTTP/1.1
Host: malicious-scripts.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.0.0

- the User-Agent override works only for the main domain, but malicious third-party websites will happily serve the necessary payload for your OS version and architecture.

So what is all that
Tobin wrote:moron crap
is about — please, return the global general.useragent.override feature.

Thanks for reading
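The check described in the post above can be scripted so that the per-host User-Agent comparison does not depend on reading raw logs. This is an added example, not code from the thread or from Pale Moon; the port 8080 and the names `UALogger`, `hosts_without_override` and `serve` are assumptions, while the host names and the test page come from the post.

```python
import http.server
import threading
from collections import defaultdict

MAIN_HOST = "localhost.com"            # host names from the post's /etc/hosts entries
THIRD_PARTY = "malicious-scripts.com"
seen = defaultdict(set)                # hostname -> User-Agent strings received
_lock = threading.Lock()

def page(port):
    """Test page from the post, with the listening port added to the script URL."""
    return ('<!DOCTYPE html><html><head><title>useragent test</title></head><body>'
            f'<script src="http://{THIRD_PARTY}:{port}/exploit.js"></script>'
            '<p>hello</p></body></html>').encode()

class UALogger(http.server.BaseHTTPRequestHandler):
    """Serves both virtual hosts and records the User-Agent each one receives."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        with _lock:
            seen[host].add(self.headers.get("User-Agent", ""))
        if host == MAIN_HOST:
            body, ctype = page(self.server.server_port), "text/html"
        else:
            body, ctype = b"/* empty test script */", "application/javascript"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # silence the default stderr access log
        pass

def hosts_without_override(observed, main_host=MAIN_HOST):
    """Return {host: [UAs]} for hosts that received a UA never sent to main_host."""
    baseline = observed.get(main_host, set())
    return {h: sorted(uas - baseline) for h, uas in observed.items()
            if h != main_host and uas - baseline}

def serve(port=8080):                   # port 8080 is an assumption; 0 picks a free one
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), UALogger)

if __name__ == "__main__":
    srv = serve()
    print(f"open http://{MAIN_HOST}:{srv.server_port}/ in the browser, then press Ctrl+C")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        print(hosts_without_override(seen))
```

An empty result after loading the page means every host saw only the User-Agent that the main host saw; any entry lists the hosts that received a different string.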

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: per-domain useragent override is insecure

Unread post by Moonchild » 2021-02-03, 09:28

First, it does override for subdomains, so that assertion is wrong.

Second, the purpose of overriding the user-agent string is not to hide your browser identification from anyone, but rather to provide per-site compatibility options for sites that foolishly detect features by way of UA sniffing.

Malicious content scripts would also not rely on doing any sort of detection through an easily-spoofed UA, and more likely through methods that can't be spoofed that easily, like DOM properties. In fact I'd expect them to just assume users are on the most-used operating systems that are vulnerable to begin with, anyway, and not detect anything.

So it's not "insecure", but rather it doesn't allow you to do what you want to abuse it for. No matter how you clad it, it's not its intended use.

You're also assuming the global override is gone -- it's not, and if you want to continue your foolish use of it, you can, if you use the correct preference.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

googlefan

Re: per-domain useragent override is insecure

Unread post by googlefan » 2021-02-03, 09:50

Moonchild wrote:
2021-02-03, 09:28
You're also assuming the global override is gone -- it's not, and if you want to continue your foolish use of it, you can, if you use the correct preference.
Thanks for pointing that out, with a bit of grep I've found the correct preference name — it's network.http.useragent.global_override which effectively overrides the navigator.userAgent property too.

And thanks for your great work!

Fred G

Re: per-domain useragent override is insecure

Unread post by Fred G » 2021-02-05, 21:28

Okay, I'm lost here. I had been using User Agent Switcher, but now with v29 (and I think v28) it doesn't work. Nor does Eclipsed Moon. I've got general.useragent.override set but it doesn't do anything; the browser insists on calling itself Pale Moon. There is nothing in about:config that lets me use network http either, as the previous post suggested. Nothing.
Yes, I'm aware of an extension that lets individual sites be customized. But I use PaleMoon to manage a network full of embedded devices which now have been changed by their manufacturer to demand chrome, firefox, or edge. Override strings work though. And there are hundreds of such devices, accessed only by IP address (no DNS names, not on the public Internet either), so I can't play games per site.
If there is no general override capability left then I will have to abandon Pale Moon for good and find another second browser that can share my LastPass library to sit next to Firefox and not phone home on every query like Chrome.

New Tobin Paradigm

Re: per-domain useragent override is insecure

Unread post by New Tobin Paradigm » 2021-02-05, 22:06

Fred G wrote:
2021-02-05, 21:28
[OBVIOUSLY DID NOT READ A DAMN THING POSTED IN THIS THREAD]
Maybe you should consider another browser. One that doesn't require you to read, think, and comprehend.

Moonchild

Re: per-domain useragent override is insecure

Unread post by Moonchild » 2021-02-05, 22:40

Really, seriously, 100s of embedded devices that require by manufacturer that they use the browser conglomerate? Which devices are these?
If you have (obviously paid for) that many devices, and it doesn't allow you to manage them because of an arbitrary UA check, then you should consider playing the "hey I'm a paying customer, don't lock me out of my own property" card.
But otherwise? You are probably better off using a mainstream browser if you don't want to deal with whatever vendor and their restrictions, and consider hiring someone who can manage your network for you and give some damn names to devices if you have that many. All it takes is a local DNS server (and that can run on a RasPi or what not) and then you can simply override based on whatever local domain you choose for them with a single SSUAO.

Fred G

Re: per-domain useragent override is insecure

Unread post by Fred G » 2021-02-05, 23:12

Moderator note: Unnecessary hostility redacted.
Well well, I really did bring out the trolls! [REDACTED]
In this particular case I'm working with a major vendor of radio equipment, a good one, not that I'll drag them in by name. Yes, they made a poor decision to start checking browser strings. But they sell thousands and thousands of devices a year, and no one customer, at least my size, is going to tell them what to do. And their executives do know me; I do work with them on some critical issues. That will not get them to change their product, they'd laugh if I asked them to change so that I could use PaleMoon, and in any case that wouldn't work until a new release rolled back that browser-checking change. Also, DNS won't help as we are dealing with private network devices whose numeric names (what you call IP addresses) actually do encode their identity better than DNS. I don't personally own networks; I do design and management for the owners.
[REDACTED]. PaleMoon used to be really good, as it preserved the best of old Firefox as Mozilla was going astray, but it's turning into a [REDACTED][REDACTED][REDACTED][REDACTED]

New Tobin Paradigm

Re: per-domain useragent override is insecure

Unread post by New Tobin Paradigm » 2021-02-05, 23:50

Wow, just wow. What a massive overreaction to a trivial concern that was already answered before you decided to make your first post in nearly three years.

Simply stunning the level of hate you have for us for pointing out not only the fact you didn't bother reading or couldn't be bothered to comprehend that your answer was already handed to you on a silver platter but we didn't bow in respect to your frankly ridiculous and highly edge case scenario.

I can't think of a decent reason an embedded device should be discriminating against your choice of browser but oh well.

Still do you have to freak the hell out when challenged? Why? To justify a decision you have already made so you can feel better about yourself and the situation you find yourself in?

Pretty petty isn't it? But rest assured, you have succeeded in not providing any incentive to help you let alone listen to you from here on out since any constructive discourse is obviously not possible at this juncture.

Do feel free to go spread your selfish hate-filled venom over at the sub-reddit though. They recently banned me for no reason so I won't be able to challenge you in that space. You are safe there.

Good day, sir.

Moonchild

Re: per-domain useragent override is insecure

Unread post by Moonchild » 2021-02-06, 00:30

Fred G wrote:
2021-02-05, 23:12
no one customer, at least my size, is going to tell them what to do
Not listening to your customers tends to be a fatal mistake for businesses long term.
Fred G wrote:
2021-02-05, 23:12
DNS won't help as we are dealing with private network devices whose numeric names (what you call IP addresses) actually do encode their identity better than DNS.
Total nonsense.

... now I could actually give more primers as to how to solve this with DNS without needing to make any changes to the devices or touching their holy grail embedded firmware, or in any way reducing the identity granularity in the network, but I'll be damned if I'm going to provide any help after what you spouted in your reply. You're on your own buddy.

Locked