Obtaining high-entropy User-Agent Client Hints in the first request

In certain cases it may be possible to obtain high entropy User-Agent Client Hints in the first request from a browser.

One of the biggest issues with User-Agent Client Hints (UA-CH) is that, by their nature, they are sent by browsers only after being requested to do so by a web server. This means that they are necessarily only available on requests subsequent to the first one from a given client. This limitation is by design but severely disrupts many web use cases such as server-side adaptation and analytics. This limitation of client hints has been one of the most controversial aspects of the proposal since its inception. Indeed, this is the subject of issue #2 lodged against the proposal (by DeviceAtlas).

Google are aware of this issue and have proposed two mitigations:

  • A Critical-CH response header. This response header asks the browser to retry the request if it agrees to furnish the additional requested UA-CH headers. This is not particularly useful since it doesn't help at all with the additional round trip required.
  • A TLS handshake mechanism. This is a more useful mitigation in that it can make UA-CH headers available on the first request with certain limitations.

The TLS handshake mechanism uses an extension to the TLS protocol called Application-Layer Protocol Settings or ALPS. As the name suggests, ALPS allows for application-layer protocol settings to be agreed at the TLS level prior to any HTTP requests taking place. ALPS is a Google-led proposal and is being managed in the IETF as an Internet Draft.

 

ALPS TLS sequence diagram

Source: Google
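The three behaviours described above (plain Accept-CH, Critical-CH retry, and ALPS) can be compared in a small simulation. This is an added example, not code from DeviceAtlas or Google: it is a simplified model rather than a real browser or TLS stack, the function names (`serve`, `firstNavigation`) are hypothetical, and the device values are constructed.

```javascript
// Simplified model of UA-CH delivery on a browser's first navigation to an origin.
const WANTED = ['sec-ch-ua-model', 'sec-ch-ua-platform-version']; // high-entropy hints the server wants

// Constructed sample values a browser could report.
const DEVICE = {
  'sec-ch-ua-platform': '"Android"',        // low entropy, sent by default
  'sec-ch-ua-model': '"Pixel 7"',           // high entropy, sent only after opt-in
  'sec-ch-ua-platform-version': '"13.0.0"', // high entropy, sent only after opt-in
};
const DEFAULT_HINTS = ['sec-ch-ua-platform'];

const parseList = (v) => (v ? v.split(',').map((s) => s.trim().toLowerCase()) : []);

// Server side: check whether every wanted hint arrived and advertise what is wanted.
function serve(reqHeaders, { criticalCH }) {
  const complete = WANTED.every((h) => h in reqHeaders);
  const headers = { 'accept-ch': WANTED.join(', ') };
  if (criticalCH) headers['critical-ch'] = WANTED.join(', ');
  return { complete, headers };
}

// Browser side: count requests on the wire and report whether the server
// saw the full hint set during this first navigation.
function firstNavigation({ criticalCH = false, alpsAcceptCH = null } = {}) {
  // With ALPS the origin's hint preferences are known from the TLS handshake,
  // before any HTTP request is sent.
  let optedIn = new Set(parseList(alpsAcceptCH));
  let requests = 0;
  for (let attempt = 0; attempt < 2; attempt++) {
    const req = {};
    for (const h of [...DEFAULT_HINTS, ...optedIn]) if (h in DEVICE) req[h] = DEVICE[h];
    requests++;
    const { complete, headers } = serve(req, { criticalCH });
    if (complete) return { requests, hintsOnFirstNavigation: true };
    // Accept-CH in a response only affects later requests to this origin.
    optedIn = new Set(parseList(headers['accept-ch']));
    // Critical-CH: retry now if a listed hint was not sent but would be sent now.
    const critical = parseList(headers['critical-ch']);
    if (!critical.some((h) => !(h in req) && optedIn.has(h))) break;
  }
  return { requests, hintsOnFirstNavigation: false };
}
```

In this model, Accept-CH alone leaves the first navigation without high-entropy hints, Critical-CH delivers them at the cost of a second request, and ALPS delivers them on the first request.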

BoringSSL and NGINX

At present there is only one TLS library that supports ALPS: BoringSSL, a Google fork of OpenSSL designed to be easier to maintain. BoringSSL is currently the SSL library in use in Chrome/Chromium and Android.

It is possible to compile NGINX against BoringSSL rather than OpenSSL. This, along with some additional configuration directives in a forked version of NGINX, enables full control of high-entropy User-Agent Client Hints at a TLS level. Once configured correctly this permits high-entropy UA-CHs to be available in the first request from a newly-seen browser.

Implementors should be aware that this TLS ALPS approach does have the limitation that it works only at a global level for a particular domain. As an example, you cannot configure this method to request different UA-CHs for example.com/pathA and example.com/pathB.

Example implementation

Boring-nginx is a version of NGINX built on BoringSSL rather than OpenSSL. Aaron Tagliaboschi has put together a Docker image of BoringNginx with some additional configuration parameters to enable high-entropy UA-CHs to be requested at the TLS level. This is a good starting point for testing implementations of TLS ALPS in conjunction with UA-CH.

DeviceAtlas has tested this approach and can confirm that it works correctly with Chrome.