[cabfpub] More changes to proposed policy update
Bjørn Vermo
bv at norbionics.com
Sat May 26 19:59:07 UTC 2012
Saturday, May 26, 2012, 6:27:25 PM, Ryan Hurst wrote:
> Wen-Cheng Wang,
> Back when I was at CyberSafe and Valicert (mid to late 90s) I saw stuff like
> that too, I do not doubt there are a handful of people out there running
> stuff from this era still but thank goodness it’s just a handful.
> One of the coolest parts of the Internet in 2012 is we now have real and
> accurate statistics
> <http://gs.statcounter.com/#browser-ww-monthly-201104-201204-bar> on what
> is out there (we really did not back then), for example in the case of
> browsers on the Internet (which is what “publicly trusted” certificates
> are about) we know that less than .7% of the internet uses “Other” types
> (not Firefox, Safari, Opera, Chrome IE).
...
I think you are overly optimistic if you believe we have anything near
"real and accurate" statistics of web client usage.
There are many factors that cause such statistics to be off by up to an
order of magnitude in some cases, especially for the smaller or more specialised
clients. This can also teach us a thing or two about the consequences of
using a field for something else than it was intended for.
The main reason such statistics are crap is a phenomenon called
spoofing. The user agent string in html worked fine up to when it said
which version of Mosaic it came from and the NCSA servers logged that. Then we got a commercial browser
with Netscape. They also made servers and tools, and had a business model based on
adding value through extensions to the standard. Therefore, they parsed the
user agent string to see if they were dealing with one of their own
"enhanced" clients.
Enter Internet Explorer. In order to work with those browser-sniffing
servers, it identified itself as Netscape (compatible). From there, it
only got worse.
While new methods have been added for client identification,they are all
getting spoofed because some website operators in their infinite wisdom
decide that they will not serve their precious content except to a couple
of clients which they happen to know how work.
The result of this is that today we identify the client as whatever the
website wants to hear, using lots of trickery to guess what that might
be. Embedded browsers generally pretend to be whatever was most popular
at their time of launch.
In addition, there are gateways that will strip or modify this
information, e.g. mobile or TV operators.
Given this, the 0.7% "other" only constitutes the minority that did not
implement effective spoofing, and is certainly a lower bound.
This should not change the conclusion, though, since the spoofing that
bloats statistics for IE and Mozilla will in most cases come from
clients with the same functionality.
--
Best regards,
Bjørn mailto:bv at norbionics.com
More information about the Public
mailing list