#9 Slight info leakage

open
arcon
6
2006-10-17
2006-02-15
TZ
No

Nice work! That Anonym.OS image is very well designed
-- thanks very much for making it available! I wanted
to offer some brief feedback based on my initial session.

When reviewing outgoing HTTP traffic, I found the one
"HTTP_X_USER_TRACKING" with the value "sucks". While
this is a reasonable statement, heh, it may be unique
enough to make it easier for others to attach it to an
Anonym.OS session. It might be better just to block
that particular header completely, especially since
it's nonessential and carries an "experimental"
designation.

Also, for regular HTTP connections the OS is anonymized
nicely:
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1;
nl; rv:1.8)

But for SSL connections (HTTPS) it's another story:
User-agent: Mozilla/5.0 (X11; U; Anonym.OS i386; en-US;
rv:1.7.10) Gecko/20051216 (No IDN) Firefox/1.0.6

This is probably a limitation of the software proxy,
but maybe it's "fixable"?
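The two leaks reported above can be checked for mechanically. The following is an added example, not part of the original report or of the Anonym.OS project: it audits request headers as a destination server would see them, and the allowlist, the token list and the sample requests (built from the values quoted in the report) are assumptions made for illustration.

```python
"""Audit captured request headers for values that single out a client."""

# Assumption: headers an ordinary browser sends; anything else is flagged.
COMMON = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
          "accept-charset", "connection", "keep-alive", "referer", "cookie"}
# Assumption: substrings that name the live image itself.
PLATFORM_TOKENS = ("Anonym.OS",)

# Constructed requests modeled on the report, as seen by the destination
# server. HTTP_X_USER_TRACKING is the CGI spelling of X-User-Tracking.
HTTP_REQ = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
            "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8)\r\n"
            "X-User-Tracking: sucks\r\n\r\n")
HTTPS_REQ = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
             "User-Agent: Mozilla/5.0 (X11; U; Anonym.OS i386; en-US; rv:1.7.10) "
             "Gecko/20051216 (No IDN) Firefox/1.0.6\r\n\r\n")


def parse_headers(raw):
    """Return {lowercased-name: value} for one raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(captures):
    """captures maps channel name -> raw request; returns sorted findings."""
    parsed = {ch: parse_headers(raw) for ch, raw in captures.items()}
    findings = []
    for ch, hdrs in parsed.items():
        for name in hdrs.keys() - COMMON:
            findings.append(("unexpected-header", ch, name))
        for tok in PLATFORM_TOKENS:
            if tok in hdrs.get("user-agent", ""):
                findings.append(("ua-names-platform", ch, tok))
    # A client that looks different per channel is linkable by that difference.
    if len({h.get("user-agent") for h in parsed.values()}) > 1:
        findings.append(("ua-differs-across-channels", "*", "user-agent"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit({"http": HTTP_REQ, "https": HTTPS_REQ}):
        print(finding)
```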

Discussion

  • TZ
    2006-02-20

    • assigned_to: nobody --> arcon_kaos_to
     
  • Logged In: NO

    Privoxy won't have a chance to anonymise the HTTPS headers since they are encrypted -- this will have to be done by Firefox.

    There is the User Agent Switcher:

    https://addons.mozilla.org/extensions/moreinfo.php?id=59

    But it appears that it needs to be set to something other than the Firefox after Firefox is started each time.

    Perhaps ideally the UA string would be picked from a list of very popular ones each time the browser starts...?

     
  • TZ
    2006-02-25

    • labels: --> 779286
     
  • TZ
    2006-04-21

    Logged In: YES
    user_id=704895

    It may also be possible to enter a "user override" string
    which will send no agent header at all.

     
  • TZ
    2006-04-21

    • priority: 5 --> 6
    • status: open --> open-remind
     
  • TZ
    2006-05-30

    • labels: 779286 -->
    • assigned_to: arcon_kaos_to --> nobody
     
  • TZ
    2006-05-30

    • labels: --> Interface (example)
     
  • Logged In: NO

    The new Privoxy 3.0.5 beta does address additional HTTP headers, not sure if that helps this particular case, but it might help nonetheless.

     
  • TZ
    2006-10-17

    • assigned_to: nobody --> arcon_kaos_to
    • status: open-remind --> open