Posted to dev@commons.apache.org by Gary Gregory <ga...@gmail.com> on 2018/03/29 22:20:15 UTC

[httpclient] Better user agent header?

Hi All:

Right now, the HttpClient is of the form:

User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_162)

With the stack I am working with, it would be handy if the header reflected:

- The Java vendor
- Operating system name and version.

For example:

User-Agent: Apache-HttpClient/4.5.5 (Oracle Corporation/Java/1.8.0_162) Windows/10.0 (amd64)

Any thoughts for or against adding this to the user agent string?

Gary

Re: [httpclient] Better user agent header?

Posted by Gary Gregory <ga...@gmail.com>.
Dang, my bad. Sorry about that.

Gary

On Fri, Mar 30, 2018 at 10:47 AM, Oliver Heger <oliver.heger@oliver-heger.de> wrote:

> Wrong mailing list, guys?
>
> Http Client is not part of Apache Commons.
>
> Oliver
>
> On 30.03.2018 at 18:44, Mark Thomas wrote:
> > On 30/03/18 12:22, ajs6f wrote:
> >> For at least some cases, this wouldn't be good for security.
> >
> > That is debatable.
> >
> > Providing exact version information is highly unlikely (I almost wrote
> > impossible but never say never) to create a vulnerability.
> >
> > It might make a vulnerability more obvious but if the client is
> > vulnerable, it is vulnerable whether or not the version information is
> > provided.
> >
> > Trying to hide the version information (it may be exposed indirectly
> > elsewhere) is security by obscurity which is no security at all.
> >
> >
> > The key question for me is does the client OS or Java version matter?
> > Why might this information be useful to a server?
> >
> >
> > I do have a privacy concern. As a user I may not wish to expose my
> > choice of JRE or OS to the server.
> >
> >
> > My default position would be not to send it at all. Depending on the
> > answer to "How is this info useful?", I could be persuaded to support
> > making it optional, possibly even present by default.
> >
> > Of course, all of this is from the peanut gallery as I haven't
> > contributed to this component and am unlikely to do so any time soon.
> >
> > Mark
> >
> >
> >> I would prefer that this be configurable (via HttpClientBuilder and/or
> >> system props) and not the default.
> >>
> >> ajs6f
> >>
> >>> On Mar 29, 2018, at 6:20 PM, Gary Gregory <ga...@gmail.com> wrote:
> >>>
> >>> Hi All:
> >>>
> >>> Right now, the HttpClient is of the form:
> >>>
> >>> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_162)
> >>>
> >>> With the stack I am working with, it would be handy if the header reflected:
> >>>
> >>> - The Java vendor
> >>> - Operating system name and version.
> >>>
> >>> For example:
> >>>
> >>> User-Agent: Apache-HttpClient/4.5.5 (Oracle Corporation/Java/1.8.0_162) Windows/10.0 (amd64)
> >>>
> >>> Any thoughts for or against adding this to the user agent string?
> >>>
> >>> Gary
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> >> For additional commands, e-mail: dev-help@commons.apache.org

Re: [httpclient] Better user agent header?

Posted by Oliver Heger <ol...@oliver-heger.de>.
Wrong mailing list, guys?

Http Client is not part of Apache Commons.

Oliver

On 30.03.2018 at 18:44, Mark Thomas wrote:
> On 30/03/18 12:22, ajs6f wrote:
>> For at least some cases, this wouldn't be good for security.
> 
> That is debatable.
> 
> Providing exact version information is highly unlikely (I almost wrote
> impossible but never say never) to create a vulnerability.
> 
> It might make a vulnerability more obvious but if the client is
> vulnerable, it is vulnerable whether or not the version information is
> provided.
> 
> Trying to hide the version information (it may be exposed indirectly
> elsewhere) is security by obscurity which is no security at all.
> 
> 
> The key question for me is does the client OS or Java version matter?
> Why might this information be useful to a server?
> 
> 
> I do have a privacy concern. As a user I may not wish to expose my
> choice of JRE or OS to the server.
> 
> 
> My default position would be not to send it at all. Depending on the
> answer to "How is this info useful?", I could be persuaded to support
> making it optional, possibly even present by default.
> 
> Of course, all of this is from the peanut gallery as I haven't
> contributed to this component and am unlikely to do so any time soon.
> 
> Mark
> 
> 
>> I would prefer that this be configurable (via HttpClientBuilder and/or
>> system props) and not the default.
>>
>> ajs6f
>>
>>> On Mar 29, 2018, at 6:20 PM, Gary Gregory <ga...@gmail.com> wrote:
>>>
>>> Hi All:
>>>
>>> Right now, the HttpClient is of the form:
>>>
>>> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_162)
>>>
>>> With the stack I am working with, it would be handy if the header reflected:
>>>
>>> - The Java vendor
>>> - Operating system name and version.
>>>
>>> For example:
>>>
>>> User-Agent: Apache-HttpClient/4.5.5 (Oracle Corporation/Java/1.8.0_162) Windows/10.0 (amd64)
>>>
>>> Any thoughts for or against adding this to the user agent string?
>>>
>>> Gary


Re: [httpclient] Better user agent header?

Posted by Mark Thomas <ma...@apache.org>.
On 30/03/18 12:22, ajs6f wrote:
> For at least some cases, this wouldn't be good for security.

That is debatable.

Providing exact version information is highly unlikely (I almost wrote
impossible but never say never) to create a vulnerability.

It might make a vulnerability more obvious but if the client is
vulnerable, it is vulnerable whether or not the version information is
provided.

Trying to hide the version information (it may be exposed indirectly
elsewhere) is security by obscurity which is no security at all.


The key question for me is does the client OS or Java version matter?
Why might this information be useful to a server?


I do have a privacy concern. As a user I may not wish to expose my
choice of JRE or OS to the server.


My default position would be not to send it at all. Depending on the
answer to "How is this info useful?", I could be persuaded to support
making it optional, possibly even present by default.

Of course, all of this is from the peanut gallery as I haven't
contributed to this component and am unlikely to do so any time soon.

Mark


> I would prefer that this be configurable (via HttpClientBuilder and/or
> system props) and not the default.
> 
> ajs6f
> 
>> On Mar 29, 2018, at 6:20 PM, Gary Gregory <ga...@gmail.com> wrote:
>>
>> Hi All:
>>
>> Right now, the HttpClient is of the form:
>>
>> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_162)
>>
>> With the stack I am working with, it would be handy if the header reflected:
>>
>> - The Java vendor
>> - Operating system name and version.
>>
>> For example:
>>
>> User-Agent: Apache-HttpClient/4.5.5 (Oracle Corporation/Java/1.8.0_162) Windows/10.0 (amd64)
>>
>> Any thoughts for or against adding this to the user agent string?
>>
>> Gary


Re: [httpclient] Better user agent header?

Posted by ajs6f <aj...@apache.org>.
For at least some cases, this wouldn't be good for security. I would prefer that this be configurable (via HttpClientBuilder and/or system props) and not the default.

ajs6f

> On Mar 29, 2018, at 6:20 PM, Gary Gregory <ga...@gmail.com> wrote:
> 
> Hi All:
> 
> Right now, the HttpClient is of the form:
> 
> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_162)
> 
> With the stack I am working with, it would be handy if the header reflected:
> 
> - The Java vendor
> - Operating system name and version.
> 
> For example:
> 
> User-Agent: Apache-HttpClient/4.5.5 (Oracle Corporation/Java/1.8.0_162) Windows/10.0 (amd64)
> 
> Any thoughts for or against adding this to the user agent string?
> 
> Gary




Re: [httpclient] Better user agent header?

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Fri, Mar 30, 2018 at 12:20 AM, Gary Gregory <ga...@gmail.com> wrote:

> User-Agent: Apache-HttpClient/4.5.5 (Oracle Corporation/Java/1.8.0_162) Windows/10.0 (amd64)
>
> Any thoughts for or against adding this to the user agent string?

You are aware that you can configure your own UA-String, aren't you?

I don't see a necessity for such a change.

Jochen
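
An added example, not code from any poster in this thread or from the HttpClient project: the positions discussed above (a caller-configured UA string, opt-in rather than default) combined in one sketch. It assumes HttpClient 4.5.x on the classpath; the class name and the `example.ua.detailed` system property are hypothetical names chosen for this example.

```java
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;

public class OptInUserAgent {

    // Hypothetical opt-in switch for this example; not an HttpClient property.
    static final String DETAIL_PROP = "example.ua.detailed";

    // Read a system property and keep only printable ASCII, dropping CR/LF and
    // the parentheses that delimit a User-Agent comment.
    static String clean(String key) {
        String value = System.getProperty(key, "unknown");
        return value.replaceAll("[^\\x20-\\x7E]", "").replaceAll("[()\\\\]", "").trim();
    }

    // Product tokens cannot contain spaces or slashes, so "Windows 10" becomes "Windows-10".
    static String token(String key) {
        return clean(key).replaceAll("[\\s/]+", "-");
    }

    // Shape proposed in the thread: product (vendor/Java/version) os/version (arch)
    static String detailedUserAgent(String product) {
        return String.format("%s (%s/Java/%s) %s/%s (%s)", product,
                clean("java.vendor"), clean("java.version"),
                token("os.name"), token("os.version"), clean("os.arch"));
    }

    // Without the opt-in, setUserAgent is never called and the library default is sent.
    static CloseableHttpClient build(String product) {
        HttpClientBuilder builder = HttpClients.custom();
        if (Boolean.getBoolean(DETAIL_PROP)) {
            builder.setUserAgent(detailedUserAgent(product));
        }
        return builder.build();
    }

    public static void main(String[] args) throws Exception {
        // Product token copied from the thread's example header.
        String product = "Apache-HttpClient/4.5.5";
        System.out.println("Opt-in header would be: User-Agent: " + detailedUserAgent(product));
        try (CloseableHttpClient client = build(product)) {
            System.out.println("Detailed UA enabled: " + Boolean.getBoolean(DETAIL_PROP));
        }
    }
}
```

Running with `-Dexample.ua.detailed=true` enables the vendor and OS detail; without the flag the client sends the library's default header.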
