If we didn't test it, it doesn't get the cutting edge treatment, it gets the old safe one. The test isn't looking for mozilla in the string, it is looking at the whole string and finding the unique bit that only that browser sends. Spoofers have no right to complain and none of them ever have to my knowledge.

Except that's still somewhat backwards. There are lots of browsers out there that aren't Firefox, but will render pages identically because they're using Gecko. You don't need to test against all of them to know they work. Similarly, there are lots of browsers out there embedding WebKit/KHTML which will render identically to Safari, but you don't need to test against all of them to know they work.

Yahoo has an interesting methodology for this which I think is about the least offensive use of browser sniffing I've seen; they study each release of a major browser (IE, Firefox, Safari, Opera) and assign it a "grade" depending on its support for advanced stuff. Then their scripts, instead of being marked "this is only for Internet Explorer 6" or "this is only for Safari 2", can be marked "this is only for Grade A browsers" or "this is only for Grade C".

The important thing, though, is that they have a class called "Grade X". Browsers which have been thoroughly tested and proven to support advanced features are Grade A, and browsers which have been tested and proven not to support advanced features are Grade C. Everything else is Grade X, and Grade X browsers are assumed to have the same or more advanced capabilities than Grade A -- generally, they assume that an unknown UA string represents a new version or a major browser, or a new browser embedding a major rendering engine. Thus, instead of a whitelist of "known good" browsers, they have a blacklist of "known bad" and assume that anything else can handle advanced features. This is much more likely to be correct than the techniques used at, say, Google where I've got some pretty advanced browsers that they won't serve GMail to.

And of course, their JS libraries use object detection all over the place, so that system seems to come into play only rarely.

Except that strategy has the known drawback of producing lower revenues and higher trouble ticket counts. So I guess it depends on your goals.

Depends on how careful you are producing your "known bad" list, and heavily depends on the user. If, for example, Amazon ever "degraded" the page they send me because I'm using a new-ish Gecko or WebKit browser that isn't in the approved UA list, you can bet that'd be a lost sale for Amazon.

The existence of good, open-source rendering engines has basically turned this whole thing on its head; years ago it was better to assume that a new browser was deficient. But today, on average, it's better to assume that a new browser is embedding someone else's engine and is thus as capable as the well-known browsers.

(all of this, of course, ignores larger issues like progressive enhancement and graceful degradation, which are just as important and make UA sniffing even more irrelevant)