in reply to COVID-19 data analytics, cryptography, and some things you should know

Browser strings can be mimicked and faked to one's heart's content. It's up to the server to make a thorough check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent

FWIW, I cannot visit the URL you cited. Firefox complains about an insecure page (SSL_ERROR_BAD_CERT_DOMAIN). I tried to view the certificate: it is issued to my ISP!! When I "take the risk", my ISP blocks the page as "not safe". In order to whitelist it I need to log in and update preferences, which does not work. Come to think of it, it could be an incompetent attempt by some incompetent banana republic operator to incompetently execute a man-in-the-middle. Which suggests to me that you have huge man-in-the-middle or ISP-in-the-middle issues to deal with as well: what if they fake the data a patient sends?
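The SSL_ERROR_BAD_CERT_DOMAIN mentioned above is Firefox's hostname check failing: the name the browser asked for is not among the certificate's subjectAltName DNS entries. The following is an added example (not code from the thread or from the site under discussion) that performs the same check over a constructed certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns. The certificate names (`portal.example-isp.net`, `Example ISP CA`) and the site name `covid-data.example.org` are made up for the illustration.

```python
import ssl  # used only to show where the real check lives (SSLContext.check_hostname)

# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
# It mirrors the situation in the thread: a cert for the ISP's own domain is
# presented when some other site was requested. All names are made up.
ISP_CERT = {
    "subject": ((("commonName", "portal.example-isp.net"),),),
    "issuer": ((("organizationName", "Example ISP CA"),),),
    "subjectAltName": (
        ("DNS", "portal.example-isp.net"),
        ("DNS", "*.example-isp.net"),
    ),
}


def dns_name_matches(pattern, hostname):
    """Simplified RFC 6125 name matching: case-insensitive, trailing dot ignored,
    and a wildcard is accepted only as the entire left-most label of a pattern
    with at least two more labels. So '*.example-isp.net' matches
    'www.example-isp.net' but not 'a.b.example-isp.net' or 'example-isp.net'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or "*" in pattern[1:]:
        return False  # partial or multiple wildcards are rejected outright
    return len(p) == len(h) and p[1:] == h[1:] and h[0] != ""


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension (what browsers actually check)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_matches_hostname(cert, hostname):
    """True if the certificate is valid for `hostname`. The CN is consulted only
    when no SAN DNS entries exist (legacy behaviour, kept for completeness)."""
    names = san_dns_names(cert)
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)


def describe_check(cert, hostname):
    """One-line verdict in the spirit of Firefox's SSL_ERROR_BAD_CERT_DOMAIN page."""
    if cert_matches_hostname(cert, hostname):
        return "OK: certificate is valid for %s" % hostname
    return ("BAD_CERT_DOMAIN: %s is not among the certificate's names %s; "
            "whoever answered has not proven it is %s"
            % (hostname, san_dns_names(cert), hostname))


if __name__ == "__main__":
    # The thread's situation: the site was requested, the ISP's cert came back.
    print(describe_check(ISP_CERT, "covid-data.example.org"))
    # The same cert is fine for the ISP's own portal.
    print(describe_check(ISP_CERT, "portal.example-isp.net"))
    # In real code you do not reimplement this: the default context verifies
    # the chain and the SAN names during the handshake.
    ctx = ssl.create_default_context()
    print("default context check_hostname =", ctx.check_hostname)
```

Whether the interposed party is an ISP or a CDN, the client-side check is the same, and it only tells you the presented certificate does not name the site; it cannot tell you who is actually answering. Any check a client can do is equally defeated if the user clicks through the warning, which is why the data itself needs end-to-end protection rather than trust in the path.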

Re^2: COVID-19 data analytics, cryptography, and some things you should know
by tachyon-II (Chaplain) on Apr 05, 2020 at 11:19 UTC

    Hello bliako,

    Yes I'm aware of how to fake a browser string. Been doing it for years. If you check your server logs you may well see some amusing messages I left in the string...

    The server itself runs a Let's Encrypt certificate, but out in front of it is some Cloudflare proxy infrastructure. Last time I looked they were not banana republic operators, given they proxy for 11.6% of the top 10 million websites on the Internet.

    They are the man in the middle. For me, they issue a perfectly valid certificate. What country are you in? I'll VPN in and see if I can reproduce the issue.

    Given who is doing the proxying it's possible the proxy issue MITM lies with you, not us. Just a thought...

      I did not say the problem is with you. The problem is with my provider, and I found it really weird that they presented me with a certificate issued to them. (Perhaps that's how it works!)

      Sure, you are aware that a browser string can be faked/changed. But how are you going to sanitise it so that you can use it for checking uniqueness together with the IP, which in itself is not unique? I.e. a given hospital may have the same IP for all personnel trying to report something to you.
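To make the objection concrete: (IP, User-Agent) both merges distinct reporters behind one NAT and splits one reporter who changes networks, and nothing in it can be verified. The alternative a server can actually check is a credential it issued itself. Below is an added example, not code from the thread or from the site being discussed, that contrasts the two on a constructed set of submissions. The reporter ids, IPs, the secret and the token format (JSON payload followed by an HMAC-SHA256 tag, base64url-encoded) are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment loads it from a secret store.
SERVER_SECRET = b"constructed-example-secret-not-for-real-use"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(reporter_id, secret=SERVER_SECRET):
    """Mint an opaque token for a registered reporter: JSON payload || HMAC-SHA256 tag."""
    payload = json.dumps({"rid": reporter_id}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token, secret=SERVER_SECRET):
    """Return the reporter id if the tag verifies, else None.
    The tag has fixed length, so it is sliced off rather than parsed, and the
    comparison is constant-time."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)["rid"]
    except (ValueError, KeyError, TypeError):
        return None


FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"

# Constructed submissions: two different staff behind one hospital NAT (same IP,
# same browser build), then nurse-a reporting again from home, then a token
# minted with a guessed secret from an unrelated address.
SUBMISSIONS = [
    {"ip": "203.0.113.10", "ua": FIREFOX, "token": issue_token("nurse-a")},
    {"ip": "203.0.113.10", "ua": FIREFOX, "token": issue_token("nurse-b")},
    {"ip": "198.51.100.7", "ua": FIREFOX, "token": issue_token("nurse-a")},
    {"ip": "192.0.2.99", "ua": "curl/7.68.0", "token": issue_token("nurse-c", secret=b"guess")},
]


def reporters_by_ip_ua(submissions):
    """The heuristic questioned in the thread: (IP, User-Agent) taken as identity."""
    return {(s["ip"], s["ua"]) for s in submissions}


def reporters_by_token(submissions):
    """Identity from a verified token: returns (accepted reporter ids, rejected count)."""
    accepted, rejected = set(), 0
    for s in submissions:
        rid = verify_token(s["token"])
        if rid is None:
            rejected += 1
        else:
            accepted.add(rid)
    return accepted, rejected


if __name__ == "__main__":
    # IP+UA sees 3 "reporters": it fused nurse-a and nurse-b, split nurse-a in
    # two, and accepted the forged submission without noticing.
    print("by ip+ua :", sorted(reporters_by_ip_ua(SUBMISSIONS)))
    # Tokens see the 2 real reporters and reject the forged one.
    print("by token :", reporters_by_token(SUBMISSIONS))
```

The User-Agent is still worth logging for analytics and abuse investigation; it just cannot carry identity or uniqueness. Dedup and rate limits keyed on the verified reporter id also survive the reporter moving between the hospital network and home.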