@AMS @cadey well, #Anubis allegedly does account for #Browsers like #LynxBrowser and handles them gracefully, unless they violate thresholds to stop scrapers that fraudulently use a fake #UserAgent, and then it'll soft-ban those.

• Granted on AT&T's ASN you'll likely run into that on #IPv4 connections due to #CGNAT!

@lukeshu So I guess #Anubis has an explicit exception to handle #Lynx and will instead rely on rate-limits and other static means to detect #scrapers and handle with #UserAgent #abuse cases, like #fail2ban-style autobanning of violating IPs...

• This makes sense for a #WAF like Anubis and would've been the only viable option I'm aware of.

I wounder if anyone has tried using Anubis on @torproject / #Tor to protect #OnionService|s since that would be a reasonable application for it as well.

@briankrebs why am I not surprised at this?

• I wounder if the #malware is clever enough to filter by #UserAgent and not try to infect #macOS & #Linux machines with keyboard combinations that don't work there...

Needless to say, it was only a matter of time till we see auto-copying #JavaScript to be weaponized for that...

@S_Paternotte @GrapheneOS meanwhile I see #OpenAI literally using falsified #UserAgent|s and #DDoS'ing clients at work so hard I have to ban entire ASNs and /10 networks just because they ca't be assed to respect the robots.txt and refuse to accept beibg given 403 errors.

-Needless to say banning #GrapheneOS which are by far the most security-focussed and most diligent in terms of #Aftermarket-#Android-#ROM|s whilst not banning #outdated Android versions is like banning a "#SecureBoot|ed" #UbuntuLTS or #OpenBSD installation and going out of one's way to brick #Wine whilst still supporting #WindowsXP in 2025!

@baldur nodds in agreement at my current employer we had to block #OpenAI's entire IP ranges as they literally #DDoS'd a #customer with spoofed #UserAgent(s) [instead of using #GPTbot]…

• It's really fucking annoying!

@tek

#TLDR my brain-drippings generated by your toot, feel free to skip

this is very interesting…

my instinctive response to this (as a long-ago web dev but casual keeper-upper with stuff) was, “don’t you get what you need from #UserAgent strings any more?” so I went (a short way) down a rabbit hole…

despite recent changes by Google to restrict info leakage by Chrome user agents ( yay #privacy^), it seems like they still give plenty of info about devices that can be used to put them into at least buckets of “phone”, “tablet”, and “desktop”^^ (happy to be corrected, of course )

do we really need websites tailored to the pixel rather than a few buckets based on approximate sizes, with layouts to match those sizes using percentage-based definitions for elements / containers? is that not sufficient for decent responsive / adaptive design any more? is the #UX *actually* significantly better using exact-pixel tailoring? do sites see significantly higher bounce rates or lower sales conversion or whatever metric they care about if we approximate with well-thought-out layouts?

[rant]what I mostly see these days (that I loathe) is web devs doing “mobile only” rather than “mobile first” layouts that are ridiculously large & shouty on desktops and provide almost no detail on anything ‘coz they sell to assume that no one will ever look at the site on a non-mobile device… [/rant]

if a site offers me something that fits well enough into “mobile” or “desktop”^^^ (and *actually* allows me to switch between them if I explicitly request it to do so), AND gives me an on-page way to increase / decrease text size without altering other elements, I’m usually very happy (rant about WhyTF every mobile browser doesn’t bake per-site text size controls into their #UI left for another day )
 
 
 
^ well, more like “privacy” since you can still pull all the details from headers or via JS so ¯\_(ツ)_/¯
 
^^ e.g. data from https://www.useragents.me/
 
^^^ bonus points for offering “tablet” as well