
Extend Sec-CH-UA to include a boolean field to identify if browser requires an update

Open jennacthompson opened this issue 5 years ago • 4 comments

One of the important use cases for the user-agent string is vulnerability filtering (see: https://github.com/WICG/ua-client-hints#vulnerability-filtering). That is, proxy servers are used to verify that users accessing information are not doing so from browsers/devices that are potentially vulnerable to security issues.

It would be useful to have a boolean field that indicates whether or not the browser requires an update, e.g. something like 'Sec-CH-UA-UpdateRequired: True' meaning that they are not running the latest version. Would this be possible? This would provide the necessary information required for vulnerability filtering, while limiting the information shared compared to receiving the full version.

Thanks.

jennacthompson avatar Mar 05 '20 23:03 jennacthompson

This seems like a reasonable addition, which makes me question the need for a full version hint.

/cc @mikewest @amtunlimited @JensenPaul

yoavweiss avatar Mar 06 '20 10:03 yoavweiss

Silly question: would this just be an expiration date sent with each build, or would this require active checking of whatever update method the browser normally uses for things like emergency security bug fixes and the like? Presumably (or not, I suppose, but it's possible) some of the same reasons the browser has not been updated (e.g. blocking upstream, very locked down installations) could block reaching the update servers.

That being said, I like an expired hint, but I don't think it would cover the full version use case.

amtunlimited avatar Mar 07 '20 12:03 amtunlimited

I guess this could be done in various different ways, with one option being an active comparison check against the latest version released for the browser - is that something that can be done?

jennacthompson avatar Mar 09 '20 02:03 jennacthompson

I don't think this would be useful. The main reason is that this value, unlike any other value, could change over time. Therefore the UA must internally update this value every certain period of time. I see many potential problems with this.

Browsers push out updates very often, most clients take some days to get it, there may be regional delays, maybe it's a phased roll-out, etc. The user agent would need to figure out when to report the binary "yes" or "no". Does it wait a certain time before reporting "no" because it doesn't want to skew your dataset? It surely must be much more important to you to see the really old browsers with many outstanding updates because of many vulnerabilities, right? But what if these updates were all just cosmetic? What if for months updates are only cosmetic because the developers are magicians that don't introduce bugs? What value does a boolean value of "up-to-date" or "out-of-date" have?

Well, then we use this value only to denote if the UA is vulnerable. But this would just be handing the keys to attackers. What should a UA vendor do when it ships an update to fix a responsible disclosure vulnerability? It would basically tell the attackers that there is something, and they should go start looking.

Wouldn't it be much better if you could design your system to do exactly what you want? Do you want to test for outdated and vulnerable browsers? You can. Do you want to test for any outdated browser? You can. Do you want to test for a browser that is more than 3 years out of date? You can. How? You compare the UA version to a database of exactly the characteristics that you care about yourself. How could a binary "yes"/"no" value reported by the UA tell you exactly what you want for your specific use case? It can't.

Also, I don't think the user agent can be relied on to tell if it needs an update or not. What do you do at the end-of-life? Should you report "no" or "yes"?

If "no", what if two years later vulnerabilities are discovered but nobody goes back now and switches it to "yes"?

If "yes", what if the project is hastily abandoned because the company shut down and they forgot to switch on their update server to send a "yes"? Maybe they don't even have an update server anymore. So then the UA should default to "yes" if it can't reach the update server, right? Well, what if during normal operation the update server experiences an outage and now your UA wrongly reports it needs an update?

I think there are enough problems that make this infeasible, and I don't value a new HTTP header that nobody can rely on, because the complexity means it will eventually not be correctly implemented by all UAs in a global and distributed World Wide Web.

The UA should only have to report things that once shipped stay true forever (for itself), like its name, version, etc. Not things that can change over time.

vwkd avatar Oct 07 '20 12:10 vwkd
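A server-side version check of the kind vwkd's comment describes (the operator compares the reported version against a policy table they control, rather than trusting a UA-reported boolean), as an added Python example that is not part of this thread or the ua-client-hints project. The header value, the brand names and the minimum versions are constructed placeholders, and the check assumes the high-entropy Sec-CH-UA-Full-Version-List shape of `"brand";v="version"` items.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample header value (not a real client capture).
SAMPLE_HEADER = (
    '"Chromium";v="110.0.5481.77", "Not A(Brand";v="24.0.0.0", '
    '"Google Chrome";v="110.0.5481.77"'
)

# Hypothetical policy: lowest version the operator still accepts per brand.
# The numbers are illustrative placeholders, not real patch levels.
MIN_ACCEPTED: Dict[str, Tuple[int, ...]] = {
    "Chromium": (110, 0, 5481, 100),
    "Google Chrome": (110, 0, 5481, 100),
}

# Matches one `"brand";v="version"` item of the structured-header list.
_ITEM = re.compile(r'"([^"]*)"\s*;\s*v="([^"]*)"')


def parse_brand_list(header: str) -> List[Tuple[str, str]]:
    """Return (brand, version) pairs from a Sec-CH-UA(-Full-Version-List) value.

    GREASE-style placeholder brands are kept; the policy lookup ignores them.
    """
    return _ITEM.findall(header)


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version; non-numeric pieces (GREASE brands) become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_outdated(header: str, policy: Dict[str, Tuple[int, ...]] = MIN_ACCEPTED) -> bool:
    """True if any brand present in `policy` reports a version below its floor.

    Brands absent from the policy are ignored. The floor is truncated to the
    precision the client actually sent, so a major-only "110" is compared
    against (110,) and is not flagged; a major-only "109" is.
    """
    for brand, version in parse_brand_list(header):
        floor = policy.get(brand)
        if floor is None:
            continue
        reported = parse_version(version)
        if reported < floor[: len(reported)]:
            return True
    return False
```

The decision of what "outdated" means lives entirely in `MIN_ACCEPTED`, which the operator can update the moment a fix ships, without waiting for every UA vendor to flip a flag.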