#522 Remote URLs that include PRIVOXY-FORCE

open
Fabian Keil
5
2010-03-04
2010-03-04
Alan Stewart
No

Sites can accidentally or intentionally include URLs constructed with /PRIVOXY-FORCE in them and will auto bypass Privoxy. The string should be stripped from incoming URLs. Many blog entries from Privoxy users accidentally paste ad URLs with the string and this site:
http://ha.ckers.org/blog/20060911/detecting-privoxy-users-and-circumventing-it/
demonstrates an intentional use.

Perhaps it could be done with a filter, but it seems like it should be an internal default.

Alan
SF login gbsi3
Firefox 3.6 Privoxy 3.0.16 Win XP SP3

Discussion

  • Fabian Keil
    Fabian Keil
    2010-03-04

    • labels: 340250 --> funct: blocking
    • milestone: 1069604 -->
    • assigned_to: nobody --> fabiankeil
     
  • Fabian Keil
    Fabian Keil
    2010-03-04

    Thanks for the report. Please have a look at:
    http://www.privoxy.org/user-manual/config.html#ENFORCE-BLOCKS

    Anyway ...

    If you are using Privoxy default.action, websites you visit can also embed a bunch of URLs the default configuration blocks to detect if you are using Privoxy, just like they can do for any other ad-blocker that actually blocks anything. If you are concerned about this, you shouldn't be using an ad-blocker.

    Even if you configured Privoxy to not block anything, its reaction to various kinds of input will likely be different enough from other HTTP clients to detect it. If you are concerned about this, too, you shouldn't be using Privoxy or HTTP clients in general, as they pretty much all behave slightly different and can thus be detected by site operators that care enough to take the time to fingerprint them. Of course TCP/IP stacks have fingerprints too, so staying away from HTTP clients might not be good enough.

    It's on the TODO list to augment or replace the fixed force prefix with a random string, but it currently doesn't have a high priority and it certainly will not "fix" the "problem" that websites can detect that the user is using Privoxy.

    Stripping the forced prefix from server responses doesn't solve anything as it could be detected just the same.

     
  • Alan Stewart
    Alan Stewart
    2010-03-04

    Actually, I'm not concerned if Privoxy can be detected - that was just what was demo'd. And ads aren't really my concern, either. It's malicious links with the PRIVOXY-FORCE string, probably in a blog, that I stumble into.

    Using enforce-blocks eliminates the ability to go to "good " links when needed.

    What I did do, is patch the strings to some other fixed value than PRIVOXY-FORCE. How about a config entry for the user to select a fixed value, rather than random?

    Alan

     
  • Fabian Keil
    Fabian Keil
    2010-03-10

    The string used can show up in referrer headers and can also be figured out remotely with various tricks so having a constant one that is unique per user sounds like a bad idea to me.