[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
"User.Actions" Template (Was: Re: Threats to anonymity set at and above the application layer; HTTP headers)
- To: or-talk@xxxxxxxxxxxxx
- Subject: "User.Actions" Template (Was: Re: Threats to anonymity set at and above the application layer; HTTP headers)
- From: Anothony Georgeo <anogeorgeo@xxxxxxxxx>
- Date: Sun, 21 May 2006 08:16:32 -0700 (PDT)
- Delivered-to: archiver@seul.org
- Delivered-to: or-talk-outgoing@seul.org
- Delivered-to: or-talk@seul.org
- Delivery-date: Sun, 21 May 2006 11:16:51 -0400
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Un4m8I+1p69Tx4vIqhtqzj1SSWs034tMnQ46TkzPDyjmVItUMPAaciXxS1NXbgHVULL2JYlfLStcM/8R/JiwYh6IpHx412NFNL66HUejEqyaes5kuaYIzoM7mw7sZG4oYa2LwmYfCsNqVsHCqCMvvjAiZr+kjkSagF2NfwhBPtE= ;
- In-reply-to: <20060519185154.GU32816@falcon.eff.org>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
Hi Seth,
--- Seth David Schoen <schoen@xxxxxxx> wrote:
[snip]
> ...
> A remedy for this would be to try to create a
> standardized Privoxy configuration and set of
browser > headers, and then try to convince as many
Tor users
> as possible to use that particular configuration.
> (One way to do this is to try to convince everyone
> who makes a Tor+Privoxy distribution or product to
> use the agreed-upon default configuration.)
>...
> --
> Seth Schoen
I completly agree.
I am posting my "user.actions" file which I humbly
submit as a starting point.
My actions file is locked down and blocks/spoofs
everything Privoxy allows while attempting to stay in
a large (and 'typical') anonymity set. I do not use
paramiters that will break sites; my actions file does
not break any sites I use it with.
I do not block cookies with Priovxy as I prefer to
block/allow cookies with FireFox and FireFox
extensions. IMO it is eaiser for an end-user to make
an informed 'case-by-case' decision in regards to
cookies or to set FireFox (or FF extensions) to
block/allow cookies. The same idea applies to all
script (eg. Java, Shockwave, etc).
The "user.actions" file is confusing for non-tech
end-users so IMO it is best to limit their access to
it. Any configurations that can be made with
FireFox/FF extesions (or other browsers), or a
Firewall GUI is IMO better than having non-tech
end-users fumbling with the Privoxy config files.
I think it is wise to note that Privoxy can not filter
HTTPS. Most non-tech end-users do not know this. I
do not block HTTPS connections as I think it is
easiser to simply not visit an HTTPS url. There are
very legimite uses for HTTPS (eg. online banking) and
an end-user can make a quick, informed decision.
A word of caution for the variable "User_Agent"; I am
using a universal Mozilla/FireFox line with Windows XP
as the OS and "en" (english, non-localized) as the
language. I choose Windows XP as most non-tech
end-users use Windows XP these days. The same idea
applies to FireFox for the browser. The problem with
spoofing User-Agent only use 'en' is the
"HTTP_ACCEPT_LANGUAGE" variable can not be set by
Privoxy 3.0.3. Someone posted a link to a patch for
Privoxy which allows "Accept_Lang" spoofing. But, IMO
not many non-tech end-users are going to apply this
patch. I do not think Privoxy can be bundled with the
patch as it is not official.
I used the IE bug fix option incase end-users need
this fix but have not applied it.
Below I posted the relevent section of my
"user.actions" file and the "ProxyJudge V2.35" results
and with some usefull links.
---
1.
"users.actions":
Note: "+hide-user-agent" line should not be wrapped.
{ allow-all-cookies }
/
{ +filter{banners-by-size} }
/
{ +filter{banners-by-link} }
/
{ +filter{js-annoyances} }
/
{ +filter{demoronizer} }
/
{ +filter{unsolicited-popups} }
/
{ +filter{webbugs} }
/
{ +filter{jumping-windows} }
/
{ +filter{ie-exploits} }
/
{ +prevent-compression }
/
{ +fast-redirects }
/
{ +hide-user-agent{Mozilla/5.0 (Windows; U; Windows NT
5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5} }
/
{ +hide-referrer{forge} }
/
{ +hide-referer{forge} }
/
{ +hide-from-header{block} }
/
{ +hide-forwarded-for-headers }
/
---
2.
ProxyJude v2.35 Results:
Note: "HTTP_USER_AGENT" line should not be wrapped.
<http://www.stilllistener.com/checkpoint1/test2/>
HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_CONNECTION=close
HTTP_COOKIE=$1
HTTP_HOST=www.stilllistener.com
HTTP_REFERER=http://www.stilllistener.com/
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT
5.1; en; rv:1.7.10) Gecko/20050716 Firefox/1.0.5
---
3.
A.) Privoxy Actions Users-Guide:
<http://www.privoxy.org/user-manual/actions-file.html>
B.) Privxoy Patch: (Fabian Keil)
<http://www.fabiankeil.de/sourcecode/privoxy/>
C.) User-Agent Information: (Kai Raven)
<http://en.wikipedia.org/wiki/User_agent>
D.) ProxyJudge v.2.35 @ Stilllistener.com:
<http://www.stilllistener.com/checkpoint1/test2/>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com