From: Bernhard Bitsch <bbitsch@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
Date: Tue, 15 Jun 2021 22:44:42 +0200 [thread overview]
Message-ID: <75e45ddd-2e0d-ae6d-ec40-66339f89959e@ipfire.org> (raw)
In-Reply-To: <426cc5cd-c490-2a5a-031f-45c10af50cca@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 15815 bytes --]
Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
Am 15.06.2021 um 22:29 schrieb Peter Müller:
> While maintaining privacy when accessing web sites probably has never
> been more important than it is today, faking Referer and User-Agent
> headers is both obsolete and counterproductive:
>
> (a) Most web sites require HTTPS, thwarting manipulation attempts to
> HTTP headers in transit. Given todays' internet landscape, faking
> these headers is unlikely to work for the vast majority of web
> sites.
>
> (b) It is trivial to detect faked HTTP User-Agent headers by obtaining
> corresponding browser information via JavaScript. Any difference
> most likely indicates (trivial) header manipulation attempts, hence
> rendering this feature useless if browsers do not behave in the same
> manner, which we cannot control on IPFire.
>
> (c) Especially static Referer headers make users stick out like a sore
> thumb, as nobody else in the world is likely to have the same
> Referer set _all the time_.
>
> Modern browsers attempt to strip sensitive information from Referer
> headers, or ditch them completely, particularly to 3rd party sites.
>
> Given the state of the web ecosystem as we know it today, enforcing
> privacy in a centralised manner does not even come close to being
> sufficient. Without gaining control over users' browsers, their
> settings, and their infrastructure (such as setting up terminal
> environments for accessing the web, preventing hardware
> fingerprinting), a centralised attempt will at best fail, if not making
> things worse, as highlighted in (c).
>
> Therefore, removing these features from the Squid GUI is the least worse
> option we have. We should not give our users a false sense of privacy.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> html/cgi-bin/proxy.cgi | 44 ++----------------------------------------
> langs/de/cgi-bin/de.pl | 3 ---
> langs/en/cgi-bin/en.pl | 3 ---
> langs/es/cgi-bin/es.pl | 3 ---
> langs/fr/cgi-bin/fr.pl | 3 ---
> langs/it/cgi-bin/it.pl | 3 ---
> langs/nl/cgi-bin/nl.pl | 3 ---
> langs/pl/cgi-bin/pl.pl | 3 ---
> langs/ru/cgi-bin/ru.pl | 3 ---
> langs/tr/cgi-bin/tr.pl | 3 ---
> 10 files changed, 2 insertions(+), 69 deletions(-)
>
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index b6d71db84..b3c2d0713 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';
> $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';
> $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';
> $proxysettings{'ENABLE_MIME_FILTER'} = 'off';
> -$proxysettings{'FAKE_USERAGENT'} = '';
> -$proxysettings{'FAKE_REFERER'} = '';
> $proxysettings{'AUTH_METHOD'} = 'none';
> $proxysettings{'AUTH_REALM'} = '';
> $proxysettings{'AUTH_MAX_USERIP'} = '';
> @@ -1629,21 +1627,6 @@ END
> print <<END
> </table>
>
> -<hr size='1'>
> -
> -<table width='100%'>
> -<tr>
> - <td><b>$Lang::tr{'advproxy privacy'}</b></td>
> -</tr>
> -<tr>
> - <td class='base'>$Lang::tr{'advproxy fake useragent'}:</td>
> - <td class='base'>$Lang::tr{'advproxy fake referer'}:</td>
> -</tr>
> -<tr>
> - <td><input type='text' name='FAKE_USERAGENT' value='$proxysettings{'FAKE_USERAGENT'}' size='40%' /></td>
> - <td><input type='text' name='FAKE_REFERER' value='$proxysettings{'FAKE_REFERER'}' size='40%' /></td>
> -</tr>
> -</table>
> <hr size='1'>
> END
> ;
> @@ -3846,8 +3829,7 @@ END
>
> print FILE "http_access deny all\n\n";
>
> - if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') ||
> - (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
> + if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off'))
> {
> print FILE "#Strip HTTP Header\n";
>
> @@ -3861,31 +3843,9 @@ END
> print FILE "request_header_access Via deny all\n";
> print FILE "reply_header_access Via deny all\n";
> }
> - if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
> - {
> - print FILE "request_header_access User-Agent deny all\n";
> - print FILE "reply_header_access User-Agent deny all\n";
> - }
> - if (!($proxysettings{'FAKE_REFERER'} eq ''))
> - {
> - print FILE "request_header_access Referer deny all\n";
> - print FILE "reply_header_access Referer deny all\n";
> - }
>
> print FILE "\n";
>
> - if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
> - {
> - if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
> - {
> - print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n";
> - }
> - if (!($proxysettings{'FAKE_REFERER'} eq ''))
> - {
> - print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n";
> - }
> - print FILE "\n";
> - }
> }
>
> if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" }
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index eee51575b..0d2228ede 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -326,8 +326,6 @@
> 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz',
> 'advproxy error design' => 'Design der Fehlermeldungen',
> 'advproxy error language' => 'Sprache der Fehlermeldungen',
> -'advproxy fake referer' => 'Gefälschter Referer für externe Webseiten',
> -'advproxy fake useragent' => 'Gefälschter User-Agent für externe Webseiten',
> 'advproxy friday' => 'Fr',
> 'advproxy from' => 'Von',
> 'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle',
> @@ -357,7 +355,6 @@
> 'advproxy off' => 'Proxy aus',
> 'advproxy offline mode' => 'Aktiviere Offline-Modus',
> 'advproxy on' => 'Proxy ein',
> -'advproxy privacy' => 'Datenschutz',
> 'advproxy proxy port' => 'Proxyport',
> 'advproxy proxy port transparent' => 'Transparenter Port',
> 'advproxy ram cache size' => 'Cachegröße im Arbeitsspeicher (MB)',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index a48deeeca..2ba6961f3 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -323,8 +323,6 @@
> 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet',
> 'advproxy error design' => 'Error messages design',
> 'advproxy error language' => 'Error messages language',
> -'advproxy fake referer' => 'Fake referer submitted to external sites',
> -'advproxy fake useragent' => 'Fake useragent submitted to external sites',
> 'advproxy friday' => 'Fri',
> 'advproxy from' => 'From',
> 'advproxy group access control' => 'Group based access control',
> @@ -354,7 +352,6 @@
> 'advproxy off' => 'Proxy off',
> 'advproxy offline mode' => 'Enable offline mode',
> 'advproxy on' => 'Proxy on',
> -'advproxy privacy' => 'Privacy',
> 'advproxy proxy port' => 'Proxy port',
> 'advproxy proxy port transparent' => 'Transparent port',
> 'advproxy ram cache size' => 'Memory cache size (MB)',
> diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
> index e76c987bc..1080afdea 100644
> --- a/langs/es/cgi-bin/es.pl
> +++ b/langs/es/cgi-bin/es.pl
> @@ -297,8 +297,6 @@
> 'advproxy errmsg time restriction' => 'Restricción de tiempo no válida',
> 'advproxy error design' => 'Diseño de mensajes de error',
> 'advproxy error language' => 'Idioma de Mensajes de error',
> -'advproxy fake referer' => 'Referer falso enviado a sitios externos',
> -'advproxy fake useragent' => 'Useragent falso enviado a sitios externos',
> 'advproxy friday' => 'Vie',
> 'advproxy from' => 'De',
> 'advproxy hdd cache size' => 'Tamaño del caché en disco duro (MB)',
> @@ -326,7 +324,6 @@
> 'advproxy off' => 'Proxy Apagado',
> 'advproxy offline mode' => 'Activar modo fuera de línea',
> 'advproxy on' => 'Proxy Encendido',
> -'advproxy privacy' => 'Privacidad',
> 'advproxy proxy port' => 'Puerto del proxy',
> 'advproxy ram cache size' => 'Tamaño de memoria caché',
> 'advproxy redirector children' => 'Número de procesos filtrados',
> diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
> index 840292f9c..1b6d30111 100644
> --- a/langs/fr/cgi-bin/fr.pl
> +++ b/langs/fr/cgi-bin/fr.pl
> @@ -330,8 +330,6 @@
> 'advproxy errmsg wpad invalid ip or mask' => 'WPAD : IP ou sous-réseau invalide pour le sous-réseau IP exclu',
> 'advproxy error design' => 'Construction messages erronés ',
> 'advproxy error language' => 'Langage des messages erronés ',
> -'advproxy fake referer' => 'Fausses références soumises aux sites externes ',
> -'advproxy fake useragent' => 'Faux useragent soumis aux sites externes ',
> 'advproxy friday' => 'Ven',
> 'advproxy from' => 'De',
> 'advproxy group access control' => 'Contrôle d\'accès basé sur le groupe',
> @@ -361,7 +359,6 @@
> 'advproxy off' => 'Proxy inactif',
> 'advproxy offline mode' => 'Autoriser le mode hors connexion ',
> 'advproxy on' => 'Proxy actif',
> -'advproxy privacy' => 'Privé',
> 'advproxy proxy port' => 'Port proxy ',
> 'advproxy proxy port transparent' => 'Port transparent ',
> 'advproxy ram cache size' => 'Taille cache mémoire (Mo) ',
> diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
> index 57585dd27..e9bd157a3 100644
> --- a/langs/it/cgi-bin/it.pl
> +++ b/langs/it/cgi-bin/it.pl
> @@ -257,8 +257,6 @@
> 'advproxy errmsg time restriction' => 'Invalid time restriction',
> 'advproxy error design' => 'Design dei messaggi di errore',
> 'advproxy error language' => 'Lingua dei messaggi di errore',
> -'advproxy fake referer' => 'Fake referer submitted to external sites',
> -'advproxy fake useragent' => 'Fake useragent submitted to external sites',
> 'advproxy friday' => 'Ven',
> 'advproxy from' => 'Da',
> 'advproxy hdd cache size' => 'Harddisk cache size (MB)',
> @@ -286,7 +284,6 @@
> 'advproxy off' => 'Proxy off',
> 'advproxy offline mode' => 'Attiva modalità offline',
> 'advproxy on' => 'Proxy Acceso',
> -'advproxy privacy' => 'Privacy',
> 'advproxy proxy port' => 'Porta Proxy',
> 'advproxy proxy port transparent' => 'Porta Transparente',
> 'advproxy ram cache size' => 'Dimensione della Memoria di cache (MB)',
> diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
> index fb5a932f9..d607e4f89 100644
> --- a/langs/nl/cgi-bin/nl.pl
> +++ b/langs/nl/cgi-bin/nl.pl
> @@ -256,8 +256,6 @@
> 'advproxy errmsg time restriction' => 'Ongeldige tijdsbeperking',
> 'advproxy error design' => 'Opmaak foutmeldingen',
> 'advproxy error language' => 'Taal foutmeldingen',
> -'advproxy fake referer' => 'Nepverwijzing die wordt gestuurd naar externe sites',
> -'advproxy fake useragent' => 'Nep useragent die wordt gestuurd naar externe sites',
> 'advproxy friday' => 'Vri',
> 'advproxy from' => 'Van',
> 'advproxy hdd cache size' => 'Harddisk cache-grootte (MB)',
> @@ -285,7 +283,6 @@
> 'advproxy off' => 'Proxy uit',
> 'advproxy offline mode' => 'Schakel offline modus in',
> 'advproxy on' => 'Proxy aan',
> -'advproxy privacy' => 'Privacy',
> 'advproxy proxy port' => 'Proxy poort',
> 'advproxy proxy port transparent' => 'Transparante poort',
> 'advproxy ram cache size' => 'Geheugen cache-grootte (MB)',
> diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
> index d3540cc62..a44f43fa4 100644
> --- a/langs/pl/cgi-bin/pl.pl
> +++ b/langs/pl/cgi-bin/pl.pl
> @@ -245,8 +245,6 @@
> 'advproxy errmsg time restriction' => 'Niepoprawne ograniczenia czase',
> 'advproxy error design' => 'Styl komunikatów o błędach',
> 'advproxy error language' => 'Język komunikatów o błędach',
> -'advproxy fake referer' => 'Fake referer submitted to external sites',
> -'advproxy fake useragent' => 'Fake useragent submitted to external sites',
> 'advproxy friday' => 'Pią',
> 'advproxy from' => 'Od',
> 'advproxy hdd cache size' => 'Rozmiar cache na dysku (MB)',
> @@ -274,7 +272,6 @@
> 'advproxy off' => 'Proxy wyłączone',
> 'advproxy offline mode' => 'Włącz tryb offline',
> 'advproxy on' => 'Proxy wł',
> -'advproxy privacy' => 'Prywatność',
> 'advproxy proxy port' => 'Port proxy',
> 'advproxy ram cache size' => 'Rozmiar RAM cache (MB)',
> 'advproxy redirector children' => 'Liczba procesów filtrujących',
> diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
> index 12afa0b92..c0342eb25 100644
> --- a/langs/ru/cgi-bin/ru.pl
> +++ b/langs/ru/cgi-bin/ru.pl
> @@ -243,8 +243,6 @@
> 'advproxy errmsg time restriction' => 'Неверное ограничение по времени',
> 'advproxy error design' => 'Оформление ошибок',
> 'advproxy error language' => 'Язык, на котором отображаются ошибки',
> -'advproxy fake referer' => 'Липовый referer Для внешних сайтов',
> -'advproxy fake useragent' => 'Липовый useragent для внешних сайтов',
> 'advproxy friday' => 'Пт',
> 'advproxy from' => 'C',
> 'advproxy hdd cache size' => 'Размер кэша жёсткого диска (MB)',
> @@ -272,7 +270,6 @@
> 'advproxy off' => 'Proxy выкл',
> 'advproxy offline mode' => 'Включить автономный режим',
> 'advproxy on' => 'Proxy вкл',
> -'advproxy privacy' => 'Приватность',
> 'advproxy proxy port' => 'Порт Proxy',
> 'advproxy ram cache size' => 'Размер памяти кэша (MB)',
> 'advproxy redirector children' => 'Количество фильтруемых процессов',
> diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
> index 83416ebe7..f90bee0ea 100644
> --- a/langs/tr/cgi-bin/tr.pl
> +++ b/langs/tr/cgi-bin/tr.pl
> @@ -318,8 +318,6 @@
> 'advproxy errmsg time restriction' => 'Geçersiz zaman kısıtlaması',
> 'advproxy error design' => 'Hata mesajları tasarımı',
> 'advproxy error language' => 'Hata mesajları dili',
> -'advproxy fake referer' => 'Sahte referansı harici sitelere gönder',
> -'advproxy fake useragent' => 'Sahte yönlendiriciyi harici sitelere gönder',
> 'advproxy friday' => 'Cum',
> 'advproxy from' => 'Başlangıç',
> 'advproxy group access control' => 'Grup tabanlı erişim kontrolü',
> @@ -349,7 +347,6 @@
> 'advproxy off' => 'Vekil sunucu kapalı',
> 'advproxy offline mode' => 'Çevrimdışı yöntemi aktifleştir',
> 'advproxy on' => 'Vekil sunucu',
> -'advproxy privacy' => 'Gizlilik',
> 'advproxy proxy port' => 'Vekil sunucu bağlantı noktası',
> 'advproxy proxy port transparent' => 'Şeffaf bağlantı noktası',
> 'advproxy ram cache size' => 'Bellek önbellek boyutu (MB)',
>
next prev parent reply other threads:[~2021-06-15 20:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-15 20:29 Peter Müller
2021-06-15 20:44 ` Bernhard Bitsch [this message]
2021-06-17 15:55 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75e45ddd-2e0d-ae6d-ec40-66339f89959e@ipfire.org \
--to=bbitsch@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox