Reviewed-by: Bernhard Bitsch

On 15.06.2021 at 22:29, Peter Müller wrote:
> While maintaining privacy when accessing web sites probably has never
> been more important than it is today, faking Referer and User-Agent
> headers is both obsolete and counterproductive:
>
> (a) Most web sites require HTTPS, thwarting manipulation attempts to
>     HTTP headers in transit. Given today's internet landscape, faking
>     these headers is unlikely to work for the vast majority of web
>     sites.
>
> (b) It is trivial to detect faked HTTP User-Agent headers by obtaining
>     corresponding browser information via JavaScript. Any difference
>     most likely indicates (trivial) header manipulation attempts, hence
>     rendering this feature useless if browsers do not behave in the same
>     manner, which we cannot control on IPFire.
>
> (c) Especially static Referer headers make users stick out like a sore
>     thumb, as nobody else in the world is likely to have the same
>     Referer set _all the time_.
>
> Modern browsers attempt to strip sensitive information from Referer
> headers, or ditch them completely, particularly to 3rd party sites.
>
> Given the state of the web ecosystem as we know it today, enforcing
> privacy in a centralised manner does not even come close to being
> sufficient. Without gaining control over users' browsers, their
> settings, and their infrastructure (such as setting up terminal
> environments for accessing the web, preventing hardware
> fingerprinting), a centralised attempt will at best fail, if not making
> things worse, as highlighted in (c).
>
> Therefore, removing these features from the Squid GUI is the least bad
> option we have. We should not give our users a false sense of privacy.
> > Signed-off-by: Peter Müller > --- > html/cgi-bin/proxy.cgi | 44 ++---------------------------------------- > langs/de/cgi-bin/de.pl | 3 --- > langs/en/cgi-bin/en.pl | 3 --- > langs/es/cgi-bin/es.pl | 3 --- > langs/fr/cgi-bin/fr.pl | 3 --- > langs/it/cgi-bin/it.pl | 3 --- > langs/nl/cgi-bin/nl.pl | 3 --- > langs/pl/cgi-bin/pl.pl | 3 --- > langs/ru/cgi-bin/ru.pl | 3 --- > langs/tr/cgi-bin/tr.pl | 3 --- > 10 files changed, 2 insertions(+), 69 deletions(-) > > diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi > index b6d71db84..b3c2d0713 100644 > --- a/html/cgi-bin/proxy.cgi > +++ b/html/cgi-bin/proxy.cgi > @@ -2,7 +2,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2020 IPFire Team # > +# Copyright (C) 2007-2021 IPFire Team # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; > $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; > $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; > $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; > -$proxysettings{'FAKE_USERAGENT'} = ''; > -$proxysettings{'FAKE_REFERER'} = ''; > $proxysettings{'AUTH_METHOD'} = 'none'; > $proxysettings{'AUTH_REALM'} = ''; > $proxysettings{'AUTH_MAX_USERIP'} = ''; > @@ -1629,21 +1627,6 @@ END > print < > > -
> - > - > - > - > - > - > - > - > - > - > - > - > - > -
$Lang::tr{'advproxy privacy'}
$Lang::tr{'advproxy fake useragent'}:$Lang::tr{'advproxy fake referer'}:
>
> END > ; > @@ -3846,8 +3829,7 @@ END > > print FILE "http_access deny all\n\n"; > > - if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') || > - (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq ''))) > + if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off')) > { > print FILE "#Strip HTTP Header\n"; > > @@ -3861,31 +3843,9 @@ END > print FILE "request_header_access Via deny all\n"; > print FILE "reply_header_access Via deny all\n"; > } > - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) > - { > - print FILE "request_header_access User-Agent deny all\n"; > - print FILE "reply_header_access User-Agent deny all\n"; > - } > - if (!($proxysettings{'FAKE_REFERER'} eq '')) > - { > - print FILE "request_header_access Referer deny all\n"; > - print FILE "reply_header_access Referer deny all\n"; > - } > > print FILE "\n"; > > - if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq ''))) > - { > - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) > - { > - print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n"; > - } > - if (!($proxysettings{'FAKE_REFERER'} eq '')) > - { > - print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n"; > - } > - print FILE "\n"; > - } > } > > if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" } > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index eee51575b..0d2228ede 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl 
> @@ -326,8 +326,6 @@ > 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz', > 'advproxy error design' => 'Design der Fehlermeldungen', > 'advproxy error language' => 'Sprache der Fehlermeldungen', > -'advproxy fake referer' => 'Gefälschter Referer für externe Webseiten', > -'advproxy fake useragent' => 'Gefälschter User-Agent für externe Webseiten', > 'advproxy friday' => 'Fr', > 'advproxy from' => 'Von', > 'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle', > @@ -357,7 +355,6 @@ > 'advproxy off' => 'Proxy aus', > 'advproxy offline mode' => 'Aktiviere Offline-Modus', > 'advproxy on' => 'Proxy ein', > -'advproxy privacy' => 'Datenschutz', > 'advproxy proxy port' => 'Proxyport', > 'advproxy proxy port transparent' => 'Transparenter Port', > 'advproxy ram cache size' => 'Cachegröße im Arbeitsspeicher (MB)', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index a48deeeca..2ba6961f3 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl > @@ -323,8 +323,6 @@ > 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet', > 'advproxy error design' => 'Error messages design', > 'advproxy error language' => 'Error messages language', > -'advproxy fake referer' => 'Fake referer submitted to external sites', > -'advproxy fake useragent' => 'Fake useragent submitted to external sites', > 'advproxy friday' => 'Fri', > 'advproxy from' => 'From', > 'advproxy group access control' => 'Group based access control', > @@ -354,7 +352,6 @@ > 'advproxy off' => 'Proxy off', > 'advproxy offline mode' => 'Enable offline mode', > 'advproxy on' => 'Proxy on', > -'advproxy privacy' => 'Privacy', > 'advproxy proxy port' => 'Proxy port', > 'advproxy proxy port transparent' => 'Transparent port', > 'advproxy ram cache size' => 'Memory cache size (MB)', > diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl > index e76c987bc..1080afdea 100644 
> --- a/langs/es/cgi-bin/es.pl > +++ b/langs/es/cgi-bin/es.pl > @@ -297,8 +297,6 @@ > 'advproxy errmsg time restriction' => 'Restricción de tiempo no válida', > 'advproxy error design' => 'Diseño de mensajes de error', > 'advproxy error language' => 'Idioma de Mensajes de error', > -'advproxy fake referer' => 'Referer falso enviado a sitios externos', > -'advproxy fake useragent' => 'Useragent falso enviado a sitios externos', > 'advproxy friday' => 'Vie', > 'advproxy from' => 'De', > 'advproxy hdd cache size' => 'Tamaño del caché en disco duro (MB)', > @@ -326,7 +324,6 @@ > 'advproxy off' => 'Proxy Apagado', > 'advproxy offline mode' => 'Activar modo fuera de línea', > 'advproxy on' => 'Proxy Encendido', > -'advproxy privacy' => 'Privacidad', > 'advproxy proxy port' => 'Puerto del proxy', > 'advproxy ram cache size' => 'Tamaño de memoria caché', > 'advproxy redirector children' => 'Número de procesos filtrados', > diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl > index 840292f9c..1b6d30111 100644 > --- a/langs/fr/cgi-bin/fr.pl > +++ b/langs/fr/cgi-bin/fr.pl > @@ -330,8 +330,6 @@ > 'advproxy errmsg wpad invalid ip or mask' => 'WPAD : IP ou sous-réseau invalide pour le sous-réseau IP exclu', > 'advproxy error design' => 'Construction messages erronés ', > 'advproxy error language' => 'Langage des messages erronés ', > -'advproxy fake referer' => 'Fausses références soumises aux sites externes ', > -'advproxy fake useragent' => 'Faux useragent soumis aux sites externes ', > 'advproxy friday' => 'Ven', > 'advproxy from' => 'De', > 'advproxy group access control' => 'Contrôle d\'accès basé sur le groupe', > @@ -361,7 +359,6 @@ > 'advproxy off' => 'Proxy inactif', > 'advproxy offline mode' => 'Autoriser le mode hors connexion ', > 'advproxy on' => 'Proxy actif', > -'advproxy privacy' => 'Privé', > 'advproxy proxy port' => 'Port proxy ', > 'advproxy proxy port transparent' => 'Port transparent ', > 'advproxy ram cache size' => 'Taille cache mémoire (Mo) ', 
> diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl > index 57585dd27..e9bd157a3 100644 > --- a/langs/it/cgi-bin/it.pl > +++ b/langs/it/cgi-bin/it.pl > @@ -257,8 +257,6 @@ > 'advproxy errmsg time restriction' => 'Invalid time restriction', > 'advproxy error design' => 'Design dei messaggi di errore', > 'advproxy error language' => 'Lingua dei messaggi di errore', > -'advproxy fake referer' => 'Fake referer submitted to external sites', > -'advproxy fake useragent' => 'Fake useragent submitted to external sites', > 'advproxy friday' => 'Ven', > 'advproxy from' => 'Da', > 'advproxy hdd cache size' => 'Harddisk cache size (MB)', > @@ -286,7 +284,6 @@ > 'advproxy off' => 'Proxy off', > 'advproxy offline mode' => 'Attiva modalità offline', > 'advproxy on' => 'Proxy Acceso', > -'advproxy privacy' => 'Privacy', > 'advproxy proxy port' => 'Porta Proxy', > 'advproxy proxy port transparent' => 'Porta Transparente', > 'advproxy ram cache size' => 'Dimensione della Memoria di cache (MB)', > diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl > index fb5a932f9..d607e4f89 100644 > --- a/langs/nl/cgi-bin/nl.pl > +++ b/langs/nl/cgi-bin/nl.pl > @@ -256,8 +256,6 @@ > 'advproxy errmsg time restriction' => 'Ongeldige tijdsbeperking', > 'advproxy error design' => 'Opmaak foutmeldingen', > 'advproxy error language' => 'Taal foutmeldingen', > -'advproxy fake referer' => 'Nepverwijzing die wordt gestuurd naar externe sites', > -'advproxy fake useragent' => 'Nep useragent die wordt gestuurd naar externe sites', > 'advproxy friday' => 'Vri', > 'advproxy from' => 'Van', > 'advproxy hdd cache size' => 'Harddisk cache-grootte (MB)', > @@ -285,7 +283,6 @@ > 'advproxy off' => 'Proxy uit', > 'advproxy offline mode' => 'Schakel offline modus in', > 'advproxy on' => 'Proxy aan', > -'advproxy privacy' => 'Privacy', > 'advproxy proxy port' => 'Proxy poort', > 'advproxy proxy port transparent' => 'Transparante poort', > 'advproxy ram cache size' => 'Geheugen cache-grootte (MB)', 
> diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl > index d3540cc62..a44f43fa4 100644 > --- a/langs/pl/cgi-bin/pl.pl > +++ b/langs/pl/cgi-bin/pl.pl > @@ -245,8 +245,6 @@ > 'advproxy errmsg time restriction' => 'Niepoprawne ograniczenia czase', > 'advproxy error design' => 'Styl komunikatów o błędach', > 'advproxy error language' => 'Język komunikatów o błędach', > -'advproxy fake referer' => 'Fake referer submitted to external sites', > -'advproxy fake useragent' => 'Fake useragent submitted to external sites', > 'advproxy friday' => 'Pią', > 'advproxy from' => 'Od', > 'advproxy hdd cache size' => 'Rozmiar cache na dysku (MB)', > @@ -274,7 +272,6 @@ > 'advproxy off' => 'Proxy wyłączone', > 'advproxy offline mode' => 'Włącz tryb offline', > 'advproxy on' => 'Proxy wł', > -'advproxy privacy' => 'Prywatność', > 'advproxy proxy port' => 'Port proxy', > 'advproxy ram cache size' => 'Rozmiar RAM cache (MB)', > 'advproxy redirector children' => 'Liczba procesów filtrujących', > diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl > index 12afa0b92..c0342eb25 100644 > --- a/langs/ru/cgi-bin/ru.pl > +++ b/langs/ru/cgi-bin/ru.pl > @@ -243,8 +243,6 @@ > 'advproxy errmsg time restriction' => 'Неверное ограничение по времени', > 'advproxy error design' => 'Оформление ошибок', > 'advproxy error language' => 'Язык, на котором отображаются ошибки', > -'advproxy fake referer' => 'Липовый referer Для внешних сайтов', > -'advproxy fake useragent' => 'Липовый useragent для внешних сайтов', > 'advproxy friday' => 'Пт', > 'advproxy from' => 'C', > 'advproxy hdd cache size' => 'Размер кэша жёсткого диска (MB)', > @@ -272,7 +270,6 @@ > 'advproxy off' => 'Proxy выкл', > 'advproxy offline mode' => 'Включить автономный режим', > 'advproxy on' => 'Proxy вкл', > -'advproxy privacy' => 'Приватность', > 'advproxy proxy port' => 'Порт Proxy', > 'advproxy ram cache size' => 'Размер памяти кэша (MB)', > 'advproxy redirector children' => 'Количество фильтруемых процессов', 
> diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl > index 83416ebe7..f90bee0ea 100644 > --- a/langs/tr/cgi-bin/tr.pl > +++ b/langs/tr/cgi-bin/tr.pl > @@ -318,8 +318,6 @@ > 'advproxy errmsg time restriction' => 'Geçersiz zaman kısıtlaması', > 'advproxy error design' => 'Hata mesajları tasarımı', > 'advproxy error language' => 'Hata mesajları dili', > -'advproxy fake referer' => 'Sahte referansı harici sitelere gönder', > -'advproxy fake useragent' => 'Sahte yönlendiriciyi harici sitelere gönder', > 'advproxy friday' => 'Cum', > 'advproxy from' => 'Başlangıç', > 'advproxy group access control' => 'Grup tabanlı erişim kontrolü', > @@ -349,7 +347,6 @@ > 'advproxy off' => 'Vekil sunucu kapalı', > 'advproxy offline mode' => 'Çevrimdışı yöntemi aktifleştir', > 'advproxy on' => 'Vekil sunucu', > -'advproxy privacy' => 'Gizlilik', > 'advproxy proxy port' => 'Vekil sunucu bağlantı noktası', > 'advproxy proxy port transparent' => 'Şeffaf bağlantı noktası', > 'advproxy ram cache size' => 'Bellek önbellek boyutu (MB)', >
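
Review bot: In the proxy.cgi hunk at @@ -226,8 +226,6 @@, dropping the FAKE_USERAGENT and FAKE_REFERER defaults does not clear values that installed systems already have stored, and the diffstat lists only proxy.cgi and nine language files, so no update step is visible. Worth confirming that the update removes both keys from the saved proxy settings and rewrites the generated Squid configuration, so that previously written "header_replace User-Agent" / "header_replace Referer" lines and the matching "request_header_access ... deny all" lines do not stay active after the GUI fields are gone.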
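
Review bot: In the proxy.cgi hunk at @@ -3861,31 +3843,9 @@, deleting the header_replace block leaves the empty context line that followed print FILE "\n"; sitting directly before the closing brace of the "Strip HTTP Header" block. Suggest removing that blank line as part of this change so the block ends right after the print statement.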