PHP Browser detection & browsers encryption support.
alverman
Status: New User - Welcome
Joined: 07 Feb 2005
Posts: 3
Hi all and thank you guys for this great piece of software [link].
I'd like to implement some code to prompt a warning when a browser does not support 128-bit encryption. As I understand (but please correct me if I'm wrong) this can be done by checking the browser's version. How would I go about it? Is there a reliable list of browsers that do not support that encryption level? I realize this is beyond the scope of your excellent script but any hint would be much appreciated. Thank you in advance,
Ivan
jeffd
Status: Assistant
Joined: 04 Oct 2003
Posts: 594
Hi, thanks for the question. There is a way to do this 128-bit encryption detection, banks often use it, but I don't know what it is. Given that at least for a while US firms were not allowed to export software with 128-bit encryption, but had to use 40-bit for export, it's very hard to say how to test this easily. There is no obviously available method; if anyone knows of one feel free to post it.
alverman
Status: New User - Welcome
Joined: 07 Feb 2005
Posts: 3
Hi jeffd, thanks for your answer. Yes, I saw bank sites where this check is performed, and I doubt any of them will tell me what technology they use ;-) . I ran into this site: www.odscompanies.com/privacy/browserencryption.shtml#4 they do a nice job with "Browser Check".

Do you think that the "safe" parameter, being set to detect older browsers, could take care of the problem? Thank you.
jeffd
Status: Assistant
Joined: 04 Oct 2003
Posts: 594
Unfortunately, encryption and the browser are not really connected, for example IE 5x was released with 40 and 128 bit encryption. IE 6 is probably always released with 128 bit, all other modern browsers are, like safari, opera, and gecko/mozilla based browsers.

I'm not sure about the others.

I suspect the check is not very complex.

The netscape series used the 'U' or 'I' in the browser string, which makes it easy, if it's I, it's the international, or 40 bit version, if it's 'U', it's the US, 128 bit version.

I did find a javascript solution, which is easy to translate into php:
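:: Code ::
Code recommended to identify browser support for 128 bit encryption:

---------------------------------------------------------------
var theUserAgent = navigator.userAgent;
var isMSIEBrowser = theUserAgent.indexOf("MSIE") > 0;
var supports128BitEncryption;

if (isMSIEBrowser) {
    // IE 5.5 (or greater) is treated as having 128 bit encryption:
    // read the version number that follows "MSIE " in the useragent string
    var ieVersion = parseFloat(theUserAgent.substring(theUserAgent.indexOf("MSIE") + 5));
    supports128BitEncryption = ieVersion >= 5.5;
}
else {
    // non IE browsers: 'U' marks the US (128 bit) build, 'I' the international (40 bit) build
    supports128BitEncryption = (theUserAgent.indexOf("U;") > 0 || theUserAgent.indexOf("U)") > 0);
}
source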

The trick here is that non IE browsers all use the 'U' or 'I' notation in the useragent string. All IE browsers >= 5.5 have 128 bit encryption. Many older IE's could have had this encryption put in, but honestly speaking, anyone who was up enough on this stuff to upgrade IE 4 or 5.0 encryption to 128 bit manually almost certainly has upgraded their browsers by this time to a modern version.
alverman
Status: New User - Welcome
Joined: 07 Feb 2005
Posts: 3
Thank you very much Jeffd for code and explanation, now the "U" and "I" issue is much clearer to me, I will definitely follow your suggestion.
jeffd
Status: Assistant
Joined: 04 Oct 2003
Posts: 594
I wouldn't use the above code sample, that was more just a direction to take.

If the information is correct, I think I'd do something like this:

detect ie >= 5.5
detect gecko,safari,khtml, opera and just assume that they are all 128 bit encryption compliant, opera doesn't use the 'u' thing in its useragent for example, at least not in its latest version, I'd have to check Konqueror to see what it uses.

The real way to check something like this is to actually probe the browser, that's how we do xhtml support checks for example, we just ask the browser if it can handle xhtml or not using http_accept_header or whatever it is.

If you're using real encryption, for a real reason, I wouldn't take a chance on just navigator useragent testing, but if it's not for real security purposes it doesn't matter that much.
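
Added example, not part of any post in this thread: a PHP check that treats the user-agent test discussed above as a hint only and takes the real answer from the key size the server negotiated for the connection. It assumes Apache mod_ssl with `SSLOptions +StdEnvVars`, which exports `SSL_CIPHER_USEKEYSIZE`; the function names and the sample requests are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes Apache mod_ssl with
// "SSLOptions +StdEnvVars", which exports SSL_CIPHER_USEKEYSIZE (bits in use).

/** User-agent heuristic from the thread; a hint only, trivially spoofed. */
function uaClaims128Bit(string $ua): bool
{
    if (preg_match('/MSIE (\d+(?:\.\d+)?)/', $ua, $m)) {
        return (float) $m[1] >= 5.5;              // IE 5.5+ per the thread
    }
    if (preg_match('/Gecko|Safari|KHTML|Opera/', $ua)) {
        return true;                              // assumed capable per the thread
    }
    // Netscape style: "U" = US/128-bit, "I" = international/40-bit
    return strpos($ua, 'U;') !== false || strpos($ua, 'U)') !== false;
}

/** Key size of the cipher negotiated for this request, or null if unknown. */
function negotiatedKeyBits(array $server): ?int
{
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return null;                              // not an SSL/TLS request
    }
    $bits = filter_var($server['SSL_CIPHER_USEKEYSIZE'] ?? null, FILTER_VALIDATE_INT);
    return $bits === false ? null : $bits;
}

/** 'ok' / 'weak' come from the handshake; the other two are only guesses. */
function encryptionStatus(array $server, int $minBits = 128): string
{
    $bits = negotiatedKeyBits($server);
    if ($bits !== null) {
        return $bits >= $minBits ? 'ok' : 'weak';
    }
    return uaClaims128Bit($server['HTTP_USER_AGENT'] ?? '') ? 'probably-ok' : 'unknown';
}

// Constructed sample requests (in a real page, pass $_SERVER instead).
$samples = [
    ['HTTPS' => 'on', 'SSL_CIPHER_USEKEYSIZE' => '40',
     'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'],
    ['HTTPS' => 'on', 'SSL_CIPHER_USEKEYSIZE' => '128',
     'HTTP_USER_AGENT' => 'Mozilla/4.7 [en] (WinNT; I)'],
    ['HTTP_USER_AGENT' => 'Mozilla/4.7 [en] (WinNT; U)'],
];
foreach ($samples as $server) {
    echo encryptionStatus($server), "\n";
}
```

The first two constructed requests are cases where the user-agent guess and the negotiated key size disagree, and the negotiated value wins.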