Re­cently in­creased con­cern about user’s pri­vacy is ob­served in vari­ous parts of the in­ter­net. EFF states that sites are able to pin­point an user with high ac­cur­acy just from head­ers sent with every re­quest without ac­tu­ally keep­ing any per­sist­ent data, like cook­ies, in user’s com­puter1. Some para­noid people find it to be a prob­lem.

One quiet even­ing real­isa­tion came that there’s no way all those head­ers are com­puls­ory to use the HTTP pro­tocol. I was pleas­antly sur­prised to find that the only header re­quired for HTTP/1.1 is Host while HTTP/1.0 does not need any at all! An idea to try brows­ing the in­ter­net without send­ing an User-Agent was born that even­ing.

Given how widely User-Agent sniff­ing sur­faces in dis­cus­sions about browser fea­ture de­tec­tion I was rather pess­im­istic about this ex­per­i­ment. I’m glad to be proven wrong – most of the web­sites work without bat­ting an eye. I even have had star­ted a quest of find­ing one which would ac­tu­ally fail – some­body has to use UA de­tec­tion some­where, right?

The first one to dis­ap­point, after a whole day of brows­ing, was Bak­aBT – a half open tor­rent track­er. The second find­ing was Google Mail which sur­prised me quite a bit. I visit You­tube and Picasa Web con­sid­er­ably more of­ten than any other Google ser­vice and they dealt with miss­ing User-Agent fine, so I as­sumed other Google’s ser­vices would too. An­other in­ter­est­ing find­ing was that Google seems to save browser ver­sion or some re­lated data in cook­ies so their ser­vices star­ted fail­ing only after a browser re­start.

After dis­cov­er­ing that Mail fails, I star­ted check­ing all other Google ser­vices to see if they failed too – mostly with sad­den­ing res­ults.

Ad­min Con­trol Panel dis­plays Loading… forever be­cause it is un­able to fetch a single JavaS­cript file named undefined.cache.js.

Open­ing Drive front page simply com­plains about file not ex­ist­ing, which is a bit strange as I was­n’t open­ing any file. Open­ing links to shared files does work though. From the pre­view screen one can then cre­ate a simple doc­u­ment.

Maps ap­plic­a­tion loads fine, but map tiles fail to down­load with HTTP 403 (?vector=1, which sup­posedly en­ables WebGL maps did­n’t work as well). Treas­ure mode works though.

Such minor mis­takes render these ser­vices com­pletely un­us­able. There’s some that fail more grace­fully:

All in all, if you care about pri­vacy and use some­thing else than Google, brows­ing without send­ing User-Agent is feas­ible. In case you prefer Google, then it’s not like you care about your pri­vacy after all, do you?

A list of web­sites I found to fail dur­ing my short ex­per­i­ment:

  1. Read more about fin­ger­print­ing on Wiki­pe­dia or this guide.↩︎