Why does Norton’s Internet Security remove user agents from HTTP requests?

Does anyone have any idea why Norton’s Internet Security program would filter out your user-agent details for security reasons? I guess I can see an argument for hiding the referer if it was from an external site (even though I know I’m not going to do anything evil with it, like spread rumours that 219.13.167.21 was surfing dodgy sites before they came to me), but I can’t see how not telling the site what platform you’d like the information for could make you any safer.

The only thing I could think of is that knowing your user agent makes you easier to attack, but I think that logic is pretty flawed because there are more reliable ways to find out what browser someone is using (i.e. seeing what JavaScript methods are available). The fact is that if you’re using a major browser it’s more likely to have known vulnerabilities, and if you’re using an unknown browser you’re probably using Linux.

You can’t really be anonymous on the internet because as long as you want to talk to me I need to know where you are on the internet. Norton can’t filter out your IP address, and as long as I know that, I know far more about you (yes, all of you) than I’d know by knowing what sort of browser you use. I’m not really nefarious enough to think of what I could do with that information, but there are some really clever nefarious people out there and I’m sure they’re writing code right now to use your IP address to do dreadful things.

This tiny little thing frustrates me because I’m a web developer and I know that user-agents are used by heaps of web developers to make users’ experience better by serving up content that’s optimised for their browsers (as opposed to spying on them – mostly anyway).

A lot of these developers really care about the user’s experience on their website and go to extraordinary lengths to make it as compelling as possible. To me the slight increase in security gained by concealing the user agent doesn’t seem to be worth missing out on this work.

It’s the people using the websites who lose out because it’s not the web developer who can’t use the website or get to the information. It’s not the web developer who misses out on the time-saving JavaScript features or the beautiful layout. It’s the users who miss out, and they miss out because the web isn’t as good as it could be.

I know some people like to run around claiming that we webbies are a selfish bunch because we’re always on about things like standards compliance and multiple levels of backgrounds in HTML elements whenever a new version of a browser is going to come out, rather than things like tabbed browsing that the users can actually see. The only reason we want these things is because they help us build better websites, and the people who benefit from better websites are the people who use them.

Posted on 02 Mar 06 by Helen Emerson (last updated on 02 Mar 06).
Filed under Web development