[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

"User.Actions" Template (Was: Re: Threats to anonymity set at and above the application layer; HTTP headers)

Hi Seth,

--- Seth David Schoen <schoen@xxxxxxx> wrote:
> ...
> A remedy for this would be to try to create a
> standardized Privoxy configuration and set of
browser > headers, and then try to convince as many
Tor users 
> as possible to use that particular configuration.  
> (One way to do this is to try to convince everyone 
> who makes a Tor+Privoxy distribution or product to 
> use the agreed-upon default configuration.)
> -- 
> Seth Schoen

I completly agree.

I am posting my "user.actions" file which I humbly
submit as a starting point.

My actions file is locked down and blocks/spoofs
everything Privoxy allows while attempting to stay in
a large (and 'typical') anonymity set.  I do not use
paramiters that will break sites; my actions file does
not break any sites I use it with.

I do not block cookies with Priovxy as I prefer to
block/allow cookies with FireFox and FireFox
extensions.  IMO it is eaiser for an end-user to make
an informed 'case-by-case' decision in regards to
cookies or to set FireFox (or FF extensions) to
block/allow cookies.  The same idea applies to all
script (eg. Java, Shockwave, etc).

The "user.actions" file is confusing for non-tech
end-users so IMO it is best to limit their access to
it.  Any configurations that can be made with
FireFox/FF extesions (or other browsers), or a
Firewall GUI is IMO better than having non-tech
end-users fumbling with the Privoxy config files.

I think it is wise to note that Privoxy can not filter
HTTPS.  Most non-tech end-users do not know this.  I
do not block HTTPS connections as I think it is
easiser to simply not visit an HTTPS url.  There are
very legimite uses for HTTPS (eg. online banking) and
an end-user can make a quick, informed decision.

A word of caution for the variable "User_Agent"; I am
using a universal Mozilla/FireFox line with Windows XP
as the OS and "en" (english, non-localized) as the
language.  I choose Windows XP as most non-tech
end-users use Windows XP these days.  The same idea
applies to FireFox for the browser.  The problem with
spoofing User-Agent only use 'en' is the
"HTTP_ACCEPT_LANGUAGE" variable can not be set by
Privoxy 3.0.3.  Someone posted a link to a patch for
Privoxy which allows "Accept_Lang" spoofing.  But, IMO
not many non-tech end-users are going to apply this
patch.  I do not think Privoxy can be bundled with the
patch as it is not official.

I used the IE bug fix option incase end-users need
this fix but have not applied it.

Below I posted the relevent section of my
"user.actions" file and the "ProxyJudge V2.35" results
and with some usefull links.

Note: "+hide-user-agent" line should not be wrapped.

{ allow-all-cookies }

{ +filter{banners-by-size} }

{ +filter{banners-by-link} }

{ +filter{js-annoyances} } 

{ +filter{demoronizer} }

{ +filter{unsolicited-popups} }

{ +filter{webbugs} }

{ +filter{jumping-windows} }

{ +filter{ie-exploits} }

{ +prevent-compression }

{ +fast-redirects }

{ +hide-user-agent{Mozilla/5.0 (Windows; U; Windows NT
5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5} }

{ +hide-referrer{forge} }

{ +hide-referer{forge} }

{ +hide-from-header{block} }

{ +hide-forwarded-for-headers }

ProxyJude v2.35 Results:
Note: "HTTP_USER_AGENT" line should not be wrapped.

HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT
5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5


A.) Privoxy Actions Users-Guide:

B.) Privxoy Patch: (Fabian Keil)

C.) User-Agent Information: (Kai Raven)

D.) ProxyJudge v.2.35 @ Stilllistener.com:

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around