Aurornis
12 hours ago
> One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent.
They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up.
It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.
comex
11 hours ago
This can be used to fingerprint version range, but so can a million other things. Browsers are constantly adding new features and fixing bugs, most of which can be detected from JavaScript.
joahnn_s
11 hours ago
You can only assert >148 at the moment, but there are better vectors to strictly assert the version by simply checking the addition of v8/blink on each chromium version (and since ~120 it's the case), so by checking if xxx is present and yyy is not present in js userland or css feature, the inference is 100% for the major version
And for the LLM writing, yes, it's written in the article and blog, it's not hidden or pretending, otherwise I would never publish an article due to lack of time, and I stand by it
biofunsf
7 hours ago
In your old comment (which i remembering seeing at time), you seem to recommend scrapy.io and highlight its benefits without disclosing that you're behind it: https://news.ycombinator.com/item?id=46088621
seems like the "they" you meant was really "I".
Arch-TK
10 hours ago
It takes less time to write the prompt, you could just publish that?
It's an important topic, and I am glad you wrote about it, but even half a page of notes would have been enough to convey this. It would save me literally skim reading headings just to get past all the fluff.
rootusrootus
8 hours ago
Isn’t “just post the prompt” a joke? That only works if the content was one-shot, and I bet that (much like code) most isn’t.
phyzome
8 hours ago
Do what people did before there were LLMs: Just post the data and some quick notes. It's fine, people appreciate the brevity.
Disclosing is great, but not as good as just using your own human voice.
georgemcbay
11 hours ago
> otherwise I would never publish an article due to lack of time, and I assume
Didn't even have time to finish their HN reply.
userbinator
11 hours ago
The LLM has a good point. I personally don't care what or who wrote it if it's true.
jeroenhd
12 hours ago
> Most users aren't spoofing their user agent headers to be a different operating system.
The people behind the LLM behind this blog post are. They're trying to pretend their robots are people to sell other websites' data to their customer. It's easier to pass bot detection gates if you pretend to be a physical machine running Windows or macOS than if you honestly admit you're using Linux on a VM.
acters
11 hours ago
It's sometimes easier to lie than to tell the truth, and being on Linux telling the truth gets me more scrutiny than those pretending to be legit.
genxy
5 hours ago
Same as sites the block "wget" as a user agent, but then you can pass in a -U "Cheetos/10" and sail right in.
I'd be fine if they throttled the connection, or a contact page. Every little bit helps build a high trust society.
nradov
10 hours ago
The HTTP User-Agent header was a mistake from the beginning. There is no legitimate need for the server to know what software the client is (or claims to be) running.
parasense
9 hours ago
It certainly wasn't a mistake in the beginning, but it's certainly a mistake now.
thaumasiotes
6 hours ago
It was a mistake in the beginning too. If you want to serve different content to different people, you use two different URLs. There's never a valid case for doing it while hiding it from the user.
sroussey
5 hours ago
No, that misses the whole point of content negotiation (for language, et al). In the age of search engines though, different urls are often perferable.
1vuio0pswjnm7
6 hours ago
"The HTTP User-Agent header was a mistake form the beginning."
User-Agent spoofing was added to NCSA Mosaic in 1996. The public www was three years old and text-only clients were still in widespread use
https://raw.githubusercontent.com/alandipert/ncsa-mosaic/mas...
NCSA Mosaic is the early graphical browser that begat Netscape Navigator that begat Firefox. Later came Internet Explorer, Safari, Chrome and so on
What was the point of spoofing in 1996
Maybe it was just for fun, judging by the examples in the "mosaic-spoof-agents" file
As a matter of practice, by default I do not send a user-agent header. I only send the minumum headers required. For me, that's almost always 1-2 for GET and 4 for POST
For the vast majority of websites I have accessed,^1 this header minimisation has zero effect on the success of the HTTP request
1. For example, I have used a database of sites submitted to HN as way to test if header minimisation affects HTTP request success
Generally I do not use a web browser to make HTTP requests. I perform text processing on the HTML, JSON or whatever is returned, using custom utilities. I store information in SQLite. I read this information as plain text, preferably 7-bit ASCII. I dislike UTF-8
Onlilne debates about "browser fingerprinting" always seem to focus on trying to "blend in", e.g., via "spoofing"
As such, because browser continue to get more bloated with "features", online commenters argue in favor of sending more and more data points to servers that can be used to create a fingerprint instead of reducing the amount of data sent
Because, according to their reasoning (or lack thereof), sending less data would "stand out"
True, but it's generally easier to "spoof" a client that sends less data than one that sends more. And the number of sites that require a user-agent header is still smaller than the number that don't
Ferret7446
6 hours ago
There is actually/obviously. It lets you identify bugs in well meaning clients. e.g. you can identify if IE v1.2.3 isn't handling form submissions correctly. It lets you serve content that works for clients with known issues or limitations.
chrismorgan
5 hours ago
When distributing software, it’s very useful to know which OS and which architecture the user is on in order to present them with the appropriate file.
esrauch
10 hours ago
I feel like this is with 2026 view where browsers are so mutually compatible.
In the bad old days there were so many differences between html, css and js behaviors that if you wanted your site to be nice you had to change it for the browser. The way css padding worked wasn't even the same. Feature detection was rarely viable for any of this.
No user agent would probably have only entrenched IE6 dominance even more by blocking you from deliberately making a site that works at all on other browsers (including IE7 for that matter)
nradov
9 hours ago
I'm aware of that history and the User-Agent header was a mistake even back then. It took the pressure off of browser vendors and gave them an excuse to not fix their bugs.
tyami94
8 hours ago
road to hell is paved with good intentions. one could argue it would've made browser vendors fix their bugs, but with the side-effect that any behavior that isn't bug-compatible with IE becomes a bug. this would've ironically entrenched IE permanently.
smaudet
7 hours ago
The mistake was not claiming features rather browser client versions...
JS devs were kinda able to patch around the nonsense because they were able to feature-detect - part of the reason this stuck around was because no legitimate user or dev cared (or should care). But the header was mostly (useless) noise, and the people spoofing were dealing with the couple bad apples of the time.
Of course, defining features is easier said than done, and a standards body is a challenging environment to define these in...
I get why people are fingerprinting bots and others are working around it, but neither are "legitimate" applications - if your content is public, it's public, end of story. And working around these controls to sell botnet access to sites is equally illegitimate - nobody has a right to resell content they do not own...
esrauch
an hour ago
I just can't see how it could make sense to define features when a ton of the the behavior wasn't even intentional but just tons of bugs. I recall debugging issues that only reproduced in "IE7 compatibility mode of IE8" which didn't reproduce in either IE7 or IE8. And that was already after the standards were taken at all seriously
saghm
4 hours ago
And you can see how well that worked by how many user-agents are such a sane, terse description of the browser rather than a hodgepodge of random words that give the impression that they're trying to seem like every browser at once.
14113
9 hours ago
> I feel like this is with 2026 view where browsers are so mutually compatible.
I wish this was the case. Unfortunately, companies that work on non-Chromium browsers need to employ dedicated web compatibility teams to either a) help website users fix non-standard (i.e. Chrome only) HTML/CSS/JS, or b) replicate Chromium-like behaviour for specific (very popular) websites so that they work "correctly".
There's also the websites that deliberately block certain browsers which is what tools like "chrome-mask"[1] are built to solve.
[1] https://addons.mozilla.org/en-GB/firefox/addon/chrome-mask/
zx8080
8 hours ago
Infinite captcha welcomes those who are using FF and linux on stackoverflow. Easier to skip its links in search results than waste time solving it (captcha never finishes).
baby_souffle
10 hours ago
Some scrape activity happens because I can't obtain the data any other way. I would be thrilled if certain retailers had price and availability data as an API so I could not bother with the bulk of scrape and process.
greggsy
6 hours ago
As much as I would like pricing APIs as well, the economics don’t add up for retail, and it would effectively lead to a scalper’s market.
A regular Joe consumer shouldn’t have to learn python to get thier foot in the door because some arbitrage purchaser has automated a ‘best deal’ purchasing bot based on real time pricing APIs.
vlovich123
9 hours ago
This tanh approach won’t tell you if you’re in a VM - it’ll report the guest OS
reactordev
11 hours ago
The Internet is a cesspool of scams now
pocksuppet
11 hours ago
scraping, however, is not intrinsically a scam.
mplewis
11 hours ago
It is when you're doing it like the LLM companies are: at scale, to the degree that you're taking down my site, without my consent by masking your user-agent, for the purpose of stealing data I didn't authorize you to have.
matheusmoreira
9 hours ago
> at scale, to the degree that you're taking down my site
Fair. Scrapers should be polite and do their utmost to consume the smallest possible amount of resources.
> without my consent by masking your user-agent
Your consent is not required. It's my user agent. I set it to whatever I want.
> for the purpose of stealing data I didn't authorize you to have
Data can't be "stolen", only copied.
You set up an HTTP server that literally sends people the data when they request it. Don't do that if you don't want people to have the data. Secrecy is the only possible defense.
oasisbob
4 hours ago
> Data can't be "stolen", only copied
Though, scrapers can certainly steal capacity through conversion for their own use. When they do so, they permanently deprive the site owner and other users the beneficial use of that capacity at that time.
I'm speaking morally, not legally. Though, in the US at least, there are parallels with free newspapers. You're allowed to take one for free. It's not legal to clear the whole rack.
lixtra
8 hours ago
> You set up an HTTP server that literally sends people the data when they request it. Don't do that if you don't want people to have the data.
By the same argument I could say: If I send you an exploit and you execute it, don’t complain that your setup fell for it. Just don’t download and run random data from the internet.
In reality there’s a consent and expectation beyond the pure technicals.
matheusmoreira
8 hours ago
> Just don’t download and run random data from the internet.
I don't. I go out of my way to filter everything. Scraping is but one of the tools I use to do it. I want just the data that I actually care about, not people's javascripted hot mess websites full of malware-vectoring ads, fingerprinting and tracking.
I don't let my computers talk to strangers either. My servers don't respond to just anyone, they only reply to me, and only after I've cryptographically authenticated. When others try to talk to them it's like they're not even there.
But people want their computers to talk to strangers, don't they? They want to serve pages and pages of ads to massive audiences. Unlike your exploitation example, nobody's actively invading their computers and exfiltrating data. Breaking into someone else's computers and dumping their private databases is one thing. We're just requesting the exact same data that they're more than happy to send out to literally anyone who shows up with a browser, through the exact same channels even. So I really have no sympathy.
Bender
10 hours ago
I documented some crude methods that can stop most of that without a CDN. [1] There will be some false positives so I guess it depends on ones priorities which methods if any to implement or test on a throw-away test site. Not perfect, nothing is. I am watching hundreds of bots sending SYN's and the daemons are oblivious to them. The only method I have not played around with yet is #7 ssl fingerprinting.
There are additional methods I chose not to document such as limiting access to logged in accounts that require double-opting-in to acceptable use policies and terms of use, not that most scrapers would give a toss. That it too much whack-a-mole for me personally. That method requires progressively adding friction to account creation and that comes with some pros and cons.
[1] - https://nochan.net/b/Internet-Crap/20260606-How-To-Block-Som...
parasense
9 hours ago
I think the key word was "intrinsically".
It's like public photography, it's intrinsically legal, except when it's a Flock camera and then it's suddenly an invasion of privacy.
nativeit
9 hours ago
A Flock camera isn’t an invasion of privacy. Fleets of hundreds or thousands of Flock cameras feeding into a massive dataset is definitely an invasion of privacy, and hardly sudden.
tadfisher
8 hours ago
More precisely: pinpointing you at a given place and time does not need a warrant. Collecting many such pinpoints, allowing authorities to reconstruct your exact movements at some point in the future (without needing to flag you or issue a BOLO or whatever), does.
lsaferite
11 hours ago
Unfortunately the response to that right now is to nuke everything that isn't within a strict set of constraints. That helps with the bad bulk-scrapers, but hits everyone else as well as collateral damage.
VorpalWay
11 hours ago
Something like Anubis in front of the server to protect it might be an option. It sucks that we have to resort to that yes, but it seems the least bad option currently (better than the entire internet going through Cloudflare at least).
flexagoon
10 hours ago
You can just use one line of JS instead
userbinator
11 hours ago
The idiotic "stealing" argument again? At least use "piracy" if you want to be correct...
The moment you openly publish information on the Internet, you have already given consent. There are other solutions to bandwidth usage.
User-agent discrimination should be illegal. All it does is further the control that Big Tech has, and help authoritarian governments with their control too.
pdpi
10 hours ago
As with anything IP-related, the data is licensed under whatever terms you choose to impose. That’s the extent of the consent you’ve provided.
Asraelite
10 hours ago
Permission to access is not the same as permission to use.
matheusmoreira
9 hours ago
> User-agent discrimination should be illegal.
Couldn't agree more. Nonsense like remote attestation too. If this discrimination persists, it will lead to the destruction of what little computing freedom we still have.
nradov
10 hours ago
What data is being stolen? Are you referring to copyright violation or something else? If you don't want LLM companies to scrape a site then just restrict access to authorized users. Simple.
kdheiwns
6 hours ago
This is the same mindset of criminal in a low trust society btw
"If you didn't want me to do this, you should had a fence/cameras/security guards. You shouldn't have dressed like that. You shouldn't have put your phone in that pocket."
Excusing trillion dollar corporations like low level criminals is embarrassing. Society shouldn't have to lock itself up because bad actors are spreading everywhere. The bad actors should just be removed.
nradov
6 hours ago
Relax buddy, it's just HTTP requests. They're not stealing your phone.
jeroenhd
2 hours ago
That's what's being done, isn't it? Fingerprinting technologies and proof of work are trying to authorize people and block bots. Unfortunately, companies like these are trying to bypass the authorization controls.
If these scraping companies would respect some kind of X-Scraping-Permitted header, this whole process would be a lot better, but that's not going to happen in an industry that has already normalized using botnets.
duped
10 hours ago
No it's just intrinsically antisocial behavior
GaryBluto
10 hours ago
Scraping has never "intrinsically" been anti-social behaviour, you just don't like it.
d1ss0nanz
11 hours ago
Always was.
Mistletoe
10 hours ago
Has the internet made the average human’s life better? As someone that lived in both eras I have to say no. If you want to improve humanity greatly and prevent currently 8.3 billion people’s misery and counting, you build a time machine and prevent Tim Berners-Lee from inventing it in the first place. But it wouldn’t help, because someone else would still invent this torture nexus of hyperconnected human minds.
matheusmoreira
9 hours ago
The internet was amazing before the big techs started centralizing everything, before governments started fragmenting it into censored regional networks...
cookiengineer
6 hours ago
Fun fact that will blow your mind:
Microsoft decided to send Windows NT 10.0 in the User-Agent header even on Windows 11 for compatibility reasons. That's literally the reason why the Sec-CH-* headers say Windows 11 but the User-Agent says Windows 10.
And regarding your claims of vendor interests: Nope, you seemingly never had to use O365 crapware on Linux browsers. They make it as painful as possible, and even disable copy/paste functionality when your User-Agent and Sec-CH headers say Linux. Identical browser with an extension that overrides the fingerprinting headers and it works perfectly.
Also as an additional note: Cloudflare does TCP fingerprinting, because no cloudflare pages will work (and send you into an infinite loop of unsolvable captchas) when these headers mismatch with the tcp window and other options in the handshake frames.
Source: am maintaining my chromium-profiles tool that generates farbled profiles with a generated extension, so that I can use shitty Microsoft products because my customers are not really the smartest policy decision makers.
PS: I will never use a separate laptop with a separate OS to use a damn web app. That is a completely unjustified waste of hardware resources and should be illegal. But here we are. Wasting one laptop at a time for absolutely no reason.