Something really important that's going under the radar is TLS fingerprinting [1].
Multiple servers are using this now, including some requests to subdomains on google.com, googleapis.com, CloudFlare and others. I keep reporting this [2][3], and no one seems to care. If a server blacklists your client, whether it's cURL or Go "net/http", you can no longer request to that server using that client. Period. Any HTTP client that wants to be robust should be thinking about this.
1. https://wikipedia.org/wiki/Device_fingerprint#Sources_of_ide...
2. https://github.com/golang/go/issues/48207
3. https://github.com/curl/curl/issues/8119
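To make concrete what the comment above means by a server "blacklisting your client", here is an added example (not part of the original post, and not code from curl or Go) of how a server-side fingerprinter computes a JA3 fingerprint from the ClientHello. JA3 is a published algorithm: the TLS version, cipher suite list, extension list, supported groups and EC point formats are joined with commas and dashes, GREASE values are dropped, and the string is MD5-hashed. A client library such as libcurl or Go's crypto/tls sends these fields in a fixed order, so its hash is stable and easy to put on a block list. The ClientHello bytes below are constructed by a small builder purely as sample input; the cipher and extension values are illustrative, not a capture of any real client.

```python
import hashlib
import struct

# RFC 8701 GREASE values are randomised per connection; JA3 drops them so
# the fingerprint stays stable for a given client build.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def parse_client_hello(record: bytes) -> dict:
    """Extract the ClientHello fields JA3 hashes from one TLS handshake record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]

    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # legacy_version + 32-byte random
    pos += 1 + hello[pos]              # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0]
               for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # legacy_compression_methods

    extensions, groups, formats = [], [], []
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == 0x000A:        # supported_groups
                glen = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0]
                          for i in range(2, 2 + glen, 2)]
            elif etype == 0x000B:      # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3(record: bytes) -> tuple:
    """Return the JA3 string and its MD5 digest for a ClientHello record."""
    f = parse_client_hello(record)

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    s = ",".join([str(f["version"]), join(f["ciphers"]), join(f["extensions"]),
                  join(f["groups"]), join(f["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_client_hello(ciphers, extensions) -> bytes:
    """Build a syntactically valid ClientHello record with correct length fields.
    Used only to construct sample input here; it is not any real client's hello."""
    body = struct.pack("!H", 0x0303) + bytes(32)          # version, zero random
    body += b"\x00"                                        # empty session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                                    # null compression only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample (hypothetical values, not a capture from curl, Go or a browser).
SAMPLE_CIPHERS = [0x3A3A, 0x1301, 0x1302, 0xC02B]   # GREASE, AES128-GCM, AES256-GCM, ECDHE-ECDSA
SAMPLE_EXTENSIONS = [
    (0x2A2A, b""),                                                  # GREASE extension
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),                  # server_name
    (0x000A, b"\x00\x06" + struct.pack("!HHH", 0x6A6A, 0x001D, 0x0017)),  # groups: GREASE, x25519, secp256r1
    (0x000B, b"\x01\x00"),                                          # ec_point_formats: uncompressed
    (0x000D, b"\x00\x04\x04\x03\x08\x04"),                          # signature_algorithms
]
SAMPLE_CLIENT_HELLO = build_client_hello(SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)

if __name__ == "__main__":
    ja3_str, ja3_hash = ja3(SAMPLE_CLIENT_HELLO)
    print(ja3_str)   # 771,4865-4866-49195,0-10-11-13,29-23,0
    print(ja3_hash)
```

The two points worth noticing as a defender: the GREASE entries vanish from the string, so randomising those does nothing to the hash, and merely reordering the extensions yields a different JA3, which is why a block list keyed on browser fingerprints breaks whenever a browser release shuffles its ClientHello.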
This kind of flexibility is a non-goal of crypto/tls. We have a TLS stack with one of the best security track records because we implement an opinionated subset of the specification, amongst other things. Moreover, fingerprint evasion is a cat-and-mouse game we can't sustain in the six-month Go release cycle.
That doesn't mean I don't care! I was just talking with a friend about this the other day, and I suggested it should be possible to make a small, easily maintained patch that focuses on chasing the fingerprint of one well-known browser. He implemented https://github.com/hellais/utls-light in that spirit, which looks like a viable solution to me.
Anyway, I think matching TLS fingerprints to HTTP User-Agent strings is a valid abuse prevention technique. Rejecting any non-browser fingerprint is bad, and websites should get pushback for that, but I am skeptical that's something they can reliably do without breaking any time Chrome flips a field study. TLS is not _that_ rusted shut.