Re: [privoxy-users] HTTP Request Header Stripping

[Billy C. <bil...@gm...>]

On Sun, Jan 9, 2011 at 06:05, Fabian Keil <fk...@fa...> wrote:
> Billy Crook <bil...@gm...> wrote:
>> spoil your anonymity is https://panopticlick.eff.org.
>
> Note that Privoxy currently can't filter encrypted traffic.

gah...  I knew this.  Should have thought before pasting that link.  I
meant it as more of an example of fingerprinting though.

> Also note that the fact that you are suppressing headers that
> everyone else does send, makes you more identifiable than using

Aware of that as well.  It wouldn't be very hard to write a script
that goes and finds today's most popular headers according to alexa or
something, and overwrites with those instead of completely surpressing
them.

I believe today however, people completely surpressing them are common
enough. (over 1%) that I'm comfortably anonymous doing the same.  I
also like knowing that it sends a clearer message that the server is
not allowed to know that information.

> As you can see from the documentation, the keyword to
> remove the header is "block". In case of +hide-referrer{}
> it's usually a better idea to use conditional-block, though.

That also works for accept-language.  May we have a block keyword for
accept, accept-charset, accept-encoding, and user-agent?

>> I tried using client-header-filter, but it only works for one header,
>> not multiple/all.
>
> It's supposed to work for multiple headers as well.
> Can you post the configuration you used that didn't work?

ahh, I see what I was doing wrong now.  I was specifying the header I
wanted to eliminate where i should have been specifying the name of a
filter that listed the headers. +client-header-filter{accept-language}
 That never should have worked.

I now have in user.filter, CLIENT-HEADER-FILTER: deanonymizing-headers
Removes client headers which are unnecessary and compromise anonymity
s@^Accept.*@@i
s@^User-Agent.*@@i
s@^Cache.*@@i
s@^Pragma.*@@i
s@^Referer.*@@i
s@^X-.*@@i

and in user.actions, { +client-header-filter{deanonymizing-headers} }
/

Works like a charm!  You rock!

> For example Squid and Polipo can do it, too, but last time I
> checked they can't MITM SSL connections either. If you find a
> proxy that can and is free software, please let us know, so we
> can mention it in the documentation.

I do just about all of my browsing through Privoxy, so Ideally, I'd
like to generate TLS keys in each of my Privoxy instances, install
their certificates as root authorities in my browsers, and have
Privoxy replace the real cert with a wildcard cert  Is this something
a donation could help with?  HTTPS filtering is needed badly in free
software proxies.  If I was going to take a stab at writing it, I'd
add it in to Privoxy.