
"User.Actions" Template (Was: Re: Threats to anonymity set at and above the application layer; HTTP headers)



Hi Seth,


--- Seth David Schoen <schoen@xxxxxxx> wrote:
[snip]
> ...
> A remedy for this would be to try to create a
> standardized Privoxy configuration and set of
> browser headers, and then try to convince as many
> Tor users as possible to use that particular
> configuration.
> (One way to do this is to try to convince everyone 
> who makes a Tor+Privoxy distribution or product to 
> use the agreed-upon default configuration.)
>...
> -- 
> Seth Schoen

I completely agree.

I am posting my "user.actions" file which I humbly
submit as a starting point.

My actions file is locked down and blocks/spoofs
everything Privoxy allows while attempting to stay in
a large (and 'typical') anonymity set.  I do not use
parameters that will break sites; my actions file does
not break any sites I use it with.

I do not block cookies with Privoxy as I prefer to
block/allow cookies with FireFox and FireFox
extensions.  IMO it is easier for an end-user to make
an informed 'case-by-case' decision in regards to
cookies or to set FireFox (or FF extensions) to
block/allow cookies.  The same idea applies to all
script (eg. Java, Shockwave, etc).

The "user.actions" file is confusing for non-tech
end-users so IMO it is best to limit their access to
it.  Any configurations that can be made with
FireFox/FF extensions (or other browsers), or a
Firewall GUI is IMO better than having non-tech
end-users fumbling with the Privoxy config files.

I think it is wise to note that Privoxy can not filter
HTTPS.  Most non-tech end-users do not know this.  I
do not block HTTPS connections as I think it is
easier to simply not visit an HTTPS url.  There are
very legitimate uses for HTTPS (eg. online banking) and
an end-user can make a quick, informed decision.

A word of caution for the variable "User_Agent"; I am
using a universal Mozilla/FireFox line with Windows XP
as the OS and "en" (English, non-localized) as the
language.  I choose Windows XP as most non-tech
end-users use Windows XP these days.  The same idea
applies to FireFox for the browser.  The problem with
spoofing User-Agent to only use 'en' is that the
"HTTP_ACCEPT_LANGUAGE" variable can not be set by
Privoxy 3.0.3.  Someone posted a link to a patch for
Privoxy which allows "Accept_Lang" spoofing.  But, IMO
not many non-tech end-users are going to apply this
patch.  I do not think Privoxy can be bundled with the
patch as it is not official.

I used the IE bug fix option in case end-users need
this fix but have not applied it.

Below I posted the relevant section of my
"user.actions" file and the "ProxyJudge V2.35" results,
along with some useful links.


---
1.
"users.actions":
Note: "+hide-user-agent" line should not be wrapped.


{ allow-all-cookies }
/

{ +filter{banners-by-size} }
/

{ +filter{banners-by-link} }
/

{ +filter{js-annoyances} } 
/

{ +filter{demoronizer} }
/

{ +filter{unsolicited-popups} }
/

{ +filter{webbugs} }
/

{ +filter{jumping-windows} }
/

{ +filter{ie-exploits} }
/

{ +prevent-compression }
/

{ +fast-redirects }
/

{ +hide-user-agent{Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5} }
/

{ +hide-referrer{forge} }
/

{ +hide-referer{forge} }
/

{ +hide-from-header{block} }
/

{ +hide-forwarded-for-headers }
/


---
2.
ProxyJudge v2.35 Results:
Note: "HTTP_USER_AGENT" line should not be wrapped.
<http://www.stilllistener.com/checkpoint1/test2/> 


HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_CONNECTION=close
HTTP_COOKIE=$1
HTTP_HOST=www.stilllistener.com
HTTP_REFERER=http://www.stilllistener.com/
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5

---
3.

A.) Privoxy Actions Users-Guide:
<http://www.privoxy.org/user-manual/actions-file.html>


B.) Privoxy Patch: (Fabian Keil)
<http://www.fabiankeil.de/sourcecode/privoxy/>


C.) User-Agent Information: (Kai Raven)
<http://en.wikipedia.org/wiki/User_agent>

D.) ProxyJudge v.2.35 @ Stilllistener.com:
<http://www.stilllistener.com/checkpoint1/test2/>

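
The check below is an added example, not part of the original post or of Privoxy: it audits a header dump in the HTTP_NAME=value format shown in section 2 against the posted profile, including the User-Agent / Accept-Language mismatch the post cautions about. The function names, the German Accept-Language value and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Shared profile: the User-Agent from the posted +hide-user-agent action.
PROFILE_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.7.10) "
              "Gecko/20050716 Firefox/1.0.5")
# +hide-from-header{block} and +hide-forwarded-for-headers should strip these.
MUST_BE_ABSENT = ("HTTP_FROM", "HTTP_X_FORWARDED_FOR")

def parse_dump(text):
    """Parse 'HTTP_NAME=value' lines as echoed by a header-test page."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.startswith("HTTP_"):
            headers[name.strip()] = value.strip()
    return headers

def ua_language(ua):
    """Return the language token from the parenthesised part of the UA."""
    m = re.search(r"\(([^)]*)\)", ua)
    for token in (m.group(1).split(";") if m else []):
        if re.fullmatch(r"[a-z]{2}(-[A-Za-z]{2})?", token.strip()):
            return token.strip().lower()
    return None

def audit(text):
    """Return findings; an empty list means the dump fits the profile."""
    h, findings = parse_dump(text), []
    findings += [f"{n} reached the server" for n in MUST_BE_ABSENT if n in h]
    ua = h.get("HTTP_USER_AGENT", "")
    if ua != PROFILE_UA:
        findings.append("User-Agent differs from the shared profile")
    # +hide-referrer{forge} should point the Referer at the site root.
    if "HTTP_REFERER" in h and h["HTTP_REFERER"] != f"http://{h.get('HTTP_HOST', '')}/":
        findings.append("Referer is not the forged site root")
    # Accept-Language is not rewritten, so it can contradict the spoofed UA.
    lang = (ua_language(ua) or "").split("-")[0]
    seen = {e.split(";")[0].strip().lower().split("-")[0]
            for e in h.get("HTTP_ACCEPT_LANGUAGE", "").split(",")}
    for primary in sorted(seen - {lang, "*", ""}):
        findings.append(f"Accept-Language '{primary}' contradicts UA '{lang}'")
    return findings

# Constructed dumps: CLEAN mirrors the posted results, LEAKY is a made-up failure.
CLEAN = ("HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5\nHTTP_HOST=www.stilllistener.com\n"
         "HTTP_REFERER=http://www.stilllistener.com/\nHTTP_USER_AGENT=" + PROFILE_UA + "\n")
LEAKY = CLEAN.replace("en-us,en", "de-de,de;q=0.8,en") + "HTTP_X_FORWARDED_FOR=192.0.2.10\n"

if __name__ == "__main__":
    print(audit(CLEAN), audit(LEAKY))
```
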