If someone's out to uniquely identify your activity on the internet, your User-Agent string is going to be the least of your problems.

Not sure what you mean, as exactly this is happening currently on 99% of the web. Brought to you by: ads

If you're browsing with a browser, then there are 1000 ways to identify you. If you're browsing without a browser, then there is at least one way to identify you.

I think what they meant is: there’s already so many other ways to fingerprint (say, canvas) that a common user agent doesn’t significantly help you

'There's so many cliffs around that not jumping off that one barely helps you'.

I meeeeeannn... sure? I know that browser fingerprinting works quite well without, but custom headers are actually a game over in terms of not getting tracked.

UA fingerprinting isn't a problem for me. As I said I only modify the UA for the handful of sites that use Anubis that I visit. I trust those sites enough that them fingerprinting me is unlikely, and won't be a problem even if they did.

I'll set mine to "null" if the rest of you will set yours...

The string “null” or actually null? I have recently seen a huge amount of bot traffic which has actually no UA and just outright block it. It’s almost entirely (microsoft cloud) Azure script attacks.

I was thinking the string "null". But if you have a better idea.

User-Agent: '; DROP TABLE blocked_bots;

If your headers are new every time then it is very difficult to figure out who is who.

yes, but it puts you in the incredibly small bucket of "users that has weird headers that don't mesh well", and makes using the rest of the (many) other fingerprinting techniques all the more accurate.

> If your headers are new every time then it is very difficult to figure out who is who.

https://xkcd.com/1105/

It is very easy unless the IP address is also switching up.

It's very easy to train a model to identify anomalies like that.

While it's definitely possible to train a model for that, 'very easy' is nonsense.

Unless you've got some superintelligence hidden somewhere, you'd choose a neural net. To train, you need a large supply of LABELED data. Seems like a challenge to build that dataset; after all, we have no scalable method for classifying as of yet.

Yes, but you can take the bet, and win more often than not, that your adversary is most likely not tracking visitor probabilities if you can detect that they aren't using a major fingerprinting provider.

I wouldn’t think the intention is to s/Mozilla// but to select another well-known UA string.

The string I use in my extension is "anubis is crap". I took it from a different FF extension that had been posted in a /g/ thread about Anubis, which is where I got the idea from in the first place. I don't use other people's extensions if I can help it (because of the obvious risk), but I figured I'd use the same string in my own extension so as to be combined with users of that extension for the sake of user-agent statistics.

It's also a bit telling that you read the phrase "I took it from a different FF extension that had been posted" and interpreted it as taking advice instead of reading source code.

It's telling that he understands the difference between taking something he can't fully verify and taking simple hints that improve his understanding?

4chan, the worlds greatest hacker

The UA will be compared to other data points such as screen resolution, fonts, plugins, etc. which means that you are definitely more identifiable if you change just the UA vs changing your entire browser or operating system.

I don't think there are any.

Because servers would serve different content based on user agent virtually all browsers start with Mozilla/5.0...

curl, wget, lynx, and elinks all don't by default (I checked). Mainstream web browsers likely all do, and will forever.

Anubis will let curl through, while blocking any non-mainstream browser which will likely say "Mozilla" in its UA just for best compatibility and call that a "bot"? WTF.