From: Bernhard Bitsch
To: development@lists.ipfire.org
Subject: Re: [PATCH] proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
Date: Tue, 15 Jun 2021 22:44:42 +0200
Message-ID: <75e45ddd-2e0d-ae6d-ec40-66339f89959e@ipfire.org>
In-Reply-To: <426cc5cd-c490-2a5a-031f-45c10af50cca@ipfire.org>

Reviewed-by: Bernhard Bitsch

On 15.06.2021 at 22:29, Peter Müller wrote:
> While maintaining privacy when accessing web sites probably has never
> been more important than it is today, faking Referer and User-Agent
> headers is both obsolete and counterproductive:
>
> (a) Most web sites require HTTPS, thwarting manipulation attempts to
> HTTP headers in transit. Given today's internet landscape, faking
> these headers is unlikely to work for the vast majority of web
> sites.
>
> (b) It is trivial to detect faked HTTP User-Agent headers by obtaining
> corresponding browser information via JavaScript. Any difference
> most likely indicates (trivial) header manipulation attempts, hence
> rendering this feature useless if browsers do not behave in the same
> manner, which we cannot control on IPFire.
>
> (c) Especially static Referer headers make users stick out like a sore
> thumb, as nobody else in the world is likely to have the same
> Referer set _all the time_.
>
> Modern browsers attempt to strip sensitive information from Referer
> headers, or ditch them completely, particularly to 3rd party sites.
>
> Given the state of the web ecosystem as we know it today, enforcing
> privacy in a centralised manner does not even come close to being
> sufficient.
Without gaining control over users' browsers, their > settings, and their infrastructure (such as setting up terminal > environments for accessing the web, preventing hardware > fingerprinting), a centralised attempt will at best fail, if not making > things worse, as highlighted in (c). >=20 > Therefore, removing these features from the Squid GUI is the least worse > option we have. We should not give our users a false sense of privacy. >=20 > Signed-off-by: Peter M=C3=BCller > --- > html/cgi-bin/proxy.cgi | 44 ++---------------------------------------- > langs/de/cgi-bin/de.pl | 3 --- > langs/en/cgi-bin/en.pl | 3 --- > langs/es/cgi-bin/es.pl | 3 --- > langs/fr/cgi-bin/fr.pl | 3 --- > langs/it/cgi-bin/it.pl | 3 --- > langs/nl/cgi-bin/nl.pl | 3 --- > langs/pl/cgi-bin/pl.pl | 3 --- > langs/ru/cgi-bin/ru.pl | 3 --- > langs/tr/cgi-bin/tr.pl | 3 --- > 10 files changed, 2 insertions(+), 69 deletions(-) >=20 > diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi > index b6d71db84..b3c2d0713 100644 > --- a/html/cgi-bin/proxy.cgi > +++ b/html/cgi-bin/proxy.cgi > @@ -2,7 +2,7 @@ > #########################################################################= ###### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2020 IPFire Team = # > +# Copyright (C) 2007-2021 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} =3D 'unlimited'; > $proxysettings{'THROTTLING_BLUE_TOTAL'} =3D 'unlimited'; > $proxysettings{'THROTTLING_BLUE_HOST'} =3D 'unlimited'; > $proxysettings{'ENABLE_MIME_FILTER'} =3D 'off'; > -$proxysettings{'FAKE_USERAGENT'} =3D ''; > -$proxysettings{'FAKE_REFERER'} =3D ''; > $proxysettings{'AUTH_METHOD'} =3D 'none'; > $proxysettings{'AUTH_REALM'} =3D ''; > $proxysettings{'AUTH_MAX_USERIP'} =3D ''; > @@ -1629,21 +1627,6 @@ END > print < > =20 > -
> - > - > - > - > - > - > - > - > - > - > - > - > - > -
$Lang::tr{'advproxy privacy'}
$Lang::tr{'advproxy fake useragent'}:$Lang::tr{'advproxy fake referer'}:
>
> END > ; > @@ -3846,8 +3829,7 @@ END > =20 > print FILE "http_access deny all\n\n"; > =20 > - if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FO= RWARD_VIA'} eq 'off') || > - (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_R= EFERER'} eq ''))) > + if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FO= RWARD_VIA'} eq 'off')) > { > print FILE "#Strip HTTP Header\n"; > =20 > @@ -3861,31 +3843,9 @@ END > print FILE "request_header_access Via deny all\n"; > print FILE "reply_header_access Via deny all\n"; > } > - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) > - { > - print FILE "request_header_access User-Agent deny all\n"; > - print FILE "reply_header_access User-Agent deny all\n"; > - } > - if (!($proxysettings{'FAKE_REFERER'} eq '')) > - { > - print FILE "request_header_access Referer deny all\n"; > - print FILE "reply_header_access Referer deny all\n"; > - } > =20 > print FILE "\n"; > =20 > - if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FA= KE_REFERER'} eq ''))) > - { > - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) > - { > - print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}= \n"; > - } > - if (!($proxysettings{'FAKE_REFERER'} eq '')) > - { > - print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n"; > - } > - print FILE "\n"; > - } > } > =20 > if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_supp= ress_version_string on\n\n" } > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index eee51575b..0d2228ede 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl 
> @@ -326,8 +326,6 @@ > 'advproxy errmsg wpad invalid ip or mask' =3D> 'WPAD: Ung=C3=BCltige IP o= der Subnetz f=C3=BCr ausgenommenes IP-Subnetz', > 'advproxy error design' =3D> 'Design der Fehlermeldungen', > 'advproxy error language' =3D> 'Sprache der Fehlermeldungen', > -'advproxy fake referer' =3D> 'Gef=C3=A4lschter Referer f=C3=BCr externe We= bseiten', > -'advproxy fake useragent' =3D> 'Gef=C3=A4lschter User-Agent f=C3=BCr exter= ne Webseiten', > 'advproxy friday' =3D> 'Fr', > 'advproxy from' =3D> 'Von', > 'advproxy group access control' =3D> 'Gruppenbasierte Zugriffskontrolle', > @@ -357,7 +355,6 @@ > 'advproxy off' =3D> 'Proxy aus', > 'advproxy offline mode' =3D> 'Aktiviere Offline-Modus', > 'advproxy on' =3D> 'Proxy ein', > -'advproxy privacy' =3D> 'Datenschutz', > 'advproxy proxy port' =3D> 'Proxyport', > 'advproxy proxy port transparent' =3D> 'Transparenter Port', > 'advproxy ram cache size' =3D> 'Cachegr=C3=B6=C3=9Fe im Arbeitsspeicher (= MB)', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index a48deeeca..2ba6961f3 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl > @@ -323,8 +323,6 @@ > 'advproxy errmsg wpad invalid ip or mask' =3D> 'WPAD: Invalid IP or subne= t for excluded IP subnet', > 'advproxy error design' =3D> 'Error messages design', > 'advproxy error language' =3D> 'Error messages language', > -'advproxy fake referer' =3D> 'Fake referer submitted to external sites', > -'advproxy fake useragent' =3D> 'Fake useragent submitted to external sites= ', > 'advproxy friday' =3D> 'Fri', > 'advproxy from' =3D> 'From', > 'advproxy group access control' =3D> 'Group based access control', 
> @@ -354,7 +352,6 @@ > 'advproxy off' =3D> 'Proxy off', > 'advproxy offline mode' =3D> 'Enable offline mode', > 'advproxy on' =3D> 'Proxy on', > -'advproxy privacy' =3D> 'Privacy', > 'advproxy proxy port' =3D> 'Proxy port', > 'advproxy proxy port transparent' =3D> 'Transparent port', > 'advproxy ram cache size' =3D> 'Memory cache size (MB)', > diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl > index e76c987bc..1080afdea 100644 > --- a/langs/es/cgi-bin/es.pl > +++ b/langs/es/cgi-bin/es.pl > @@ -297,8 +297,6 @@ > 'advproxy errmsg time restriction' =3D> 'Restricci=C3=B3n de tiempo no v= =C3=A1lida', > 'advproxy error design' =3D> 'Dise=C3=B1o de mensajes de error', > 'advproxy error language' =3D> 'Idioma de Mensajes de error', > -'advproxy fake referer' =3D> 'Referer falso enviado a sitios externos', > -'advproxy fake useragent' =3D> 'Useragent falso enviado a sitios externos', > 'advproxy friday' =3D> 'Vie', > 'advproxy from' =3D> 'De', > 'advproxy hdd cache size' =3D> 'Tama=C3=B1o del cach=C3=A9 en disco duro = (MB)', > @@ -326,7 +324,6 @@ > 'advproxy off' =3D> 'Proxy Apagado', > 'advproxy offline mode' =3D> 'Activar modo fuera de l=C3=ADnea', > 'advproxy on' =3D> 'Proxy Encendido', > -'advproxy privacy' =3D> 'Privacidad', > 'advproxy proxy port' =3D> 'Puerto del proxy', > 'advproxy ram cache size' =3D> 'Tama=C3=B1o de memoria cach=C3=A9', > 'advproxy redirector children' =3D> 'N=C3=BAmero de procesos filtrados', > diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl > index 840292f9c..1b6d30111 100644 > --- a/langs/fr/cgi-bin/fr.pl > +++ b/langs/fr/cgi-bin/fr.pl 
> @@ -330,8 +330,6 @@ > 'advproxy errmsg wpad invalid ip or mask' =3D> 'WPAD : IP ou sous-r=C3=A9= seau invalide pour le sous-r=C3=A9seau IP exclu', > 'advproxy error design' =3D> 'Construction messages erron=C3=A9s ', > 'advproxy error language' =3D> 'Langage des messages erron=C3=A9s ', > -'advproxy fake referer' =3D> 'Fausses r=C3=A9f=C3=A9rences soumises aux si= tes externes ', > -'advproxy fake useragent' =3D> 'Faux useragent soumis aux sites externes ', > 'advproxy friday' =3D> 'Ven', > 'advproxy from' =3D> 'De', > 'advproxy group access control' =3D> 'Contr=C3=B4le d\'acc=C3=A8s bas=C3= =A9 sur le groupe', > @@ -361,7 +359,6 @@ > 'advproxy off' =3D> 'Proxy inactif', > 'advproxy offline mode' =3D> 'Autoriser le mode hors connexion ', > 'advproxy on' =3D> 'Proxy actif', > -'advproxy privacy' =3D> 'Priv=C3=A9', > 'advproxy proxy port' =3D> 'Port proxy ', > 'advproxy proxy port transparent' =3D> 'Port transparent ', > 'advproxy ram cache size' =3D> 'Taille cache m=C3=A9moire (Mo) ', > diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl > index 57585dd27..e9bd157a3 100644 > --- a/langs/it/cgi-bin/it.pl > +++ b/langs/it/cgi-bin/it.pl > @@ -257,8 +257,6 @@ > 'advproxy errmsg time restriction' =3D> 'Invalid time restriction', > 'advproxy error design' =3D> 'Design dei messaggi di errore', > 'advproxy error language' =3D> 'Lingua dei messaggi di errore', > -'advproxy fake referer' =3D> 'Fake referer submitted to external sites', > -'advproxy fake useragent' =3D> 'Fake useragent submitted to external sites= ', > 'advproxy friday' =3D> 'Ven', > 'advproxy from' =3D> 'Da', > 'advproxy hdd cache size' =3D> 'Harddisk cache size (MB)', 
> @@ -286,7 +284,6 @@ > 'advproxy off' =3D> 'Proxy off', > 'advproxy offline mode' =3D> 'Attiva modalità offline', > 'advproxy on' =3D> 'Proxy Acceso', > -'advproxy privacy' =3D> 'Privacy', > 'advproxy proxy port' =3D> 'Porta Proxy', > 'advproxy proxy port transparent' =3D> 'Porta Transparente', > 'advproxy ram cache size' =3D> 'Dimensione della Memoria di cache (MB)', > diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl > index fb5a932f9..d607e4f89 100644 > --- a/langs/nl/cgi-bin/nl.pl > +++ b/langs/nl/cgi-bin/nl.pl > @@ -256,8 +256,6 @@ > 'advproxy errmsg time restriction' =3D> 'Ongeldige tijdsbeperking', > 'advproxy error design' =3D> 'Opmaak foutmeldingen', > 'advproxy error language' =3D> 'Taal foutmeldingen', > -'advproxy fake referer' =3D> 'Nepverwijzing die wordt gestuurd naar extern= e sites', > -'advproxy fake useragent' =3D> 'Nep useragent die wordt gestuurd naar exte= rne sites', > 'advproxy friday' =3D> 'Vri', > 'advproxy from' =3D> 'Van', > 'advproxy hdd cache size' =3D> 'Harddisk cache-grootte (MB)', > @@ -285,7 +283,6 @@ > 'advproxy off' =3D> 'Proxy uit', > 'advproxy offline mode' =3D> 'Schakel offline modus in', > 'advproxy on' =3D> 'Proxy aan', > -'advproxy privacy' =3D> 'Privacy', > 'advproxy proxy port' =3D> 'Proxy poort', > 'advproxy proxy port transparent' =3D> 'Transparante poort', > 'advproxy ram cache size' =3D> 'Geheugen cache-grootte (MB)', > diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl > index d3540cc62..a44f43fa4 100644 > --- a/langs/pl/cgi-bin/pl.pl > +++ b/langs/pl/cgi-bin/pl.pl 
> @@ -245,8 +245,6 @@ > 'advproxy errmsg time restriction' =3D> 'Niepoprawne ograniczenia czase', > 'advproxy error design' =3D> 'Styl komunikat=C3=B3w o b=C5=82=C4=99dach', > 'advproxy error language' =3D> 'J=C4=99zyk komunikat=C3=B3w o b=C5=82=C4= =99dach', > -'advproxy fake referer' =3D> 'Fake referer submitted to external sites', > -'advproxy fake useragent' =3D> 'Fake useragent submitted to external sites= ', > 'advproxy friday' =3D> 'Pi=C4=85', > 'advproxy from' =3D> 'Od', > 'advproxy hdd cache size' =3D> 'Rozmiar cache na dysku (MB)', > @@ -274,7 +272,6 @@ > 'advproxy off' =3D> 'Proxy wy=C5=82=C4=85czone', > 'advproxy offline mode' =3D> 'W=C5=82=C4=85cz tryb offline', > 'advproxy on' =3D> 'Proxy w=C5=82', > -'advproxy privacy' =3D> 'Prywatno=C5=9B=C4=87', > 'advproxy proxy port' =3D> 'Port proxy', > 'advproxy ram cache size' =3D> 'Rozmiar RAM cache (MB)', > 'advproxy redirector children' =3D> 'Liczba proces=C3=B3w filtruj=C4=85cy= ch', > diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl > index 12afa0b92..c0342eb25 100644 > --- a/langs/ru/cgi-bin/ru.pl > +++ b/langs/ru/cgi-bin/ru.pl 
> @@ -243,8 +243,6 @@ > 'advproxy errmsg time restriction' =3D> '=D0=9D=D0=B5=D0=B2=D0=B5=D1=80= =D0=BD=D0=BE=D0=B5 =D0=BE=D0=B3=D1=80=D0=B0=D0=BD=D0=B8=D1=87=D0=B5=D0=BD=D0= =B8=D0=B5 =D0=BF=D0=BE =D0=B2=D1=80=D0=B5=D0=BC=D0=B5=D0=BD=D0=B8', > 'advproxy error design' =3D> '=D0=9E=D1=84=D0=BE=D1=80=D0=BC=D0=BB=D0=B5= =D0=BD=D0=B8=D0=B5 =D0=BE=D1=88=D0=B8=D0=B1=D0=BE=D0=BA', > 'advproxy error language' =3D> '=D0=AF=D0=B7=D1=8B=D0=BA, =D0=BD=D0=B0 = =D0=BA=D0=BE=D1=82=D0=BE=D1=80=D0=BE=D0=BC =D0=BE=D1=82=D0=BE=D0=B1=D1=80=D0= =B0=D0=B6=D0=B0=D1=8E=D1=82=D1=81=D1=8F =D0=BE=D1=88=D0=B8=D0=B1=D0=BA=D0=B8', > -'advproxy fake referer' =3D> '=D0=9B=D0=B8=D0=BF=D0=BE=D0=B2=D1=8B=D0=B9 r= eferer =D0=94=D0=BB=D1=8F =D0=B2=D0=BD=D0=B5=D1=88=D0=BD=D0=B8=D1=85 =D1=81= =D0=B0=D0=B9=D1=82=D0=BE=D0=B2', > -'advproxy fake useragent' =3D> '=D0=9B=D0=B8=D0=BF=D0=BE=D0=B2=D1=8B=D0=B9= useragent =D0=B4=D0=BB=D1=8F =D0=B2=D0=BD=D0=B5=D1=88=D0=BD=D0=B8=D1=85 =D1= =81=D0=B0=D0=B9=D1=82=D0=BE=D0=B2', > 'advproxy friday' =3D> '=D0=9F=D1=82', > 'advproxy from' =3D> 'C', > 'advproxy hdd cache size' =3D> '=D0=A0=D0=B0=D0=B7=D0=BC=D0=B5=D1=80 =D0= =BA=D1=8D=D1=88=D0=B0 =D0=B6=D1=91=D1=81=D1=82=D0=BA=D0=BE=D0=B3=D0=BE =D0=B4= =D0=B8=D1=81=D0=BA=D0=B0 (MB)', 
> @@ -272,7 +270,6 @@ > 'advproxy off' =3D> 'Proxy =D0=B2=D1=8B=D0=BA=D0=BB', > 'advproxy offline mode' =3D> '=D0=92=D0=BA=D0=BB=D1=8E=D1=87=D0=B8=D1=82= =D1=8C =D0=B0=D0=B2=D1=82=D0=BE=D0=BD=D0=BE=D0=BC=D0=BD=D1=8B=D0=B9 =D1=80=D0= =B5=D0=B6=D0=B8=D0=BC', > 'advproxy on' =3D> 'Proxy =D0=B2=D0=BA=D0=BB', > -'advproxy privacy' =3D> '=D0=9F=D1=80=D0=B8=D0=B2=D0=B0=D1=82=D0=BD=D0=BE= =D1=81=D1=82=D1=8C', > 'advproxy proxy port' =3D> '=D0=9F=D0=BE=D1=80=D1=82 Proxy', > 'advproxy ram cache size' =3D> '=D0=A0=D0=B0=D0=B7=D0=BC=D0=B5=D1=80 =D0= =BF=D0=B0=D0=BC=D1=8F=D1=82=D0=B8 =D0=BA=D1=8D=D1=88=D0=B0 (MB)', > 'advproxy redirector children' =3D> '=D0=9A=D0=BE=D0=BB=D0=B8=D1=87=D0=B5= =D1=81=D1=82=D0=B2=D0=BE =D1=84=D0=B8=D0=BB=D1=8C=D1=82=D1=80=D1=83=D0=B5=D0= =BC=D1=8B=D1=85 =D0=BF=D1=80=D0=BE=D1=86=D0=B5=D1=81=D1=81=D0=BE=D0=B2', > diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl > index 83416ebe7..f90bee0ea 100644 > --- a/langs/tr/cgi-bin/tr.pl > +++ b/langs/tr/cgi-bin/tr.pl > @@ -318,8 +318,6 @@ > 'advproxy errmsg time restriction' =3D> 'Ge=C3=A7ersiz zaman k=C4=B1s=C4= =B1tlamas=C4=B1', > 'advproxy error design' =3D> 'Hata mesajlar=C4=B1 tasar=C4=B1m=C4=B1', > 'advproxy error language' =3D> 'Hata mesajlar=C4=B1 dili', > -'advproxy fake referer' =3D> 'Sahte referans=C4=B1 harici sitelere g=C3=B6= nder', > -'advproxy fake useragent' =3D> 'Sahte y=C3=B6nlendiriciyi harici sitelere = g=C3=B6nder', > 'advproxy friday' =3D> 'Cum', > 'advproxy from' =3D> 'Ba=C5=9Flang=C4=B1=C3=A7', > 'advproxy group access control' =3D> 'Grup tabanl=C4=B1 eri=C5=9Fim kontr= ol=C3=BC', 
> @@ -349,7 +347,6 @@ > 'advproxy off' =3D> 'Vekil sunucu kapal=C4=B1', > 'advproxy offline mode' =3D> '=C3=87evrimd=C4=B1=C5=9F=C4=B1 y=C3=B6ntemi= aktifle=C5=9Ftir', > 'advproxy on' =3D> 'Vekil sunucu', > -'advproxy privacy' =3D> 'Gizlilik', > 'advproxy proxy port' =3D> 'Vekil sunucu ba=C4=9Flant=C4=B1 noktas=C4=B1', > 'advproxy proxy port transparent' =3D> '=C5=9Eeffaf ba=C4=9Flant=C4=B1 no= ktas=C4=B1', > 'advproxy ram cache size' =3D> 'Bellek =C3=B6nbellek boyutu (MB)', >=20 --===============5432171033954405538==--
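Review bot: in the proxy.cgi hunk at @@ -226,8 +226,6 @@, dropping the FAKE_USERAGENT and FAKE_REFERER defaults leaves nothing that resets those two keys on installations whose saved settings file already contains a value for them. That is harmless as far as this patch shows, because every consumer of the keys visible in the diff is removed as well, but the commit message should say so, and a one-line cleanup of the stale keys on upgrade would keep dead entries from lingering in the settings file.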
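Review bot: the @@ -1629,21 +1627,6 @@ hunk removes the whole privacy table from the form, but only the HTML is visible here; whether the save path of proxy.cgi still reads the two form fields into $proxysettings is outside the shown context. Please confirm that no reference to FAKE_USERAGENT or FAKE_REFERER remains in proxy.cgi beyond the hunks in this patch (a grep for the two keys settles it), otherwise a user could still post a value that ends up in the settings file with nothing rendering or consuming it.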
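Review bot: at @@ -3846,8 +3829,7 @@ the condition guarding the "#Strip HTTP Header" block is narrowed to FORWARD_IPADDRESS and FORWARD_VIA only, so the X-Forwarded-For and Via stripping that follows is unchanged. It would be worth regenerating squid.conf on a test box with both forward options enabled, since that is the case in which the block used to be entered solely because a fake header was configured and should now be skipped entirely.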
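Review bot: at @@ -3861,31 +3843,9 @@ the removed header_replace lines wrote $proxysettings{'FAKE_USERAGENT'} and $proxysettings{'FAKE_REFERER'} verbatim into squid.conf, with no quoting or validation visible in the diff; dropping them means one less operator-supplied string is written into the generated configuration, which deserves a sentence in the commit message next to the privacy rationale. Note also that the removal covers both request_header_access and reply_header_access for User-Agent and Referer, so after this patch Squid passes both headers through untouched in both directions, matching the stated intent.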
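Review bot: the language hunks remove the same three keys ('advproxy fake referer', 'advproxy fake useragent', 'advproxy privacy') from all nine files, matching the three $Lang::tr uses deleted from proxy.cgi and the 3 deletions per file in the diffstat, so no orphaned translation keys are left behind. The it.pl and pl.pl entries being removed were still untranslated English strings, so no translator effort is lost either.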