While maintaining privacy when accessing web sites probably has never been more important than it is today, faking Referer and User-Agent headers is both obsolete and counterproductive:
(a) Most web sites require HTTPS, thwarting manipulation attempts to HTTP headers in transit. Given today's internet landscape, faking these headers is unlikely to work for the vast majority of web sites.
(b) It is trivial to detect faked HTTP User-Agent headers by obtaining corresponding browser information via JavaScript. Any difference most likely indicates (trivial) header manipulation attempts, hence rendering this feature useless if browsers do not behave in the same manner, which we cannot control on IPFire.
(c) Especially static Referer headers make users stick out like a sore thumb, as nobody else in the world is likely to have the same Referer set _all the time_.
Modern browsers attempt to strip sensitive information from Referer headers, or ditch them completely, particularly to 3rd party sites.
Given the state of the web ecosystem as we know it today, enforcing privacy in a centralised manner does not even come close to being sufficient. Without gaining control over users' browsers, their settings, and their infrastructure (such as setting up terminal environments for accessing the web, preventing hardware fingerprinting), a centralised attempt will at best fail, if not making things worse, as highlighted in (c).
Therefore, removing these features from the Squid GUI is the least bad option we have. We should not give our users a false sense of privacy.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/proxy.cgi | 44 ++---------------------------------------- langs/de/cgi-bin/de.pl | 3 --- langs/en/cgi-bin/en.pl | 3 --- langs/es/cgi-bin/es.pl | 3 --- langs/fr/cgi-bin/fr.pl | 3 --- langs/it/cgi-bin/it.pl | 3 --- langs/nl/cgi-bin/nl.pl | 3 --- langs/pl/cgi-bin/pl.pl | 3 --- langs/ru/cgi-bin/ru.pl | 3 --- langs/tr/cgi-bin/tr.pl | 3 --- 10 files changed, 2 insertions(+), 69 deletions(-)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index b6d71db84..b3c2d0713 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; -$proxysettings{'FAKE_USERAGENT'} = ''; -$proxysettings{'FAKE_REFERER'} = ''; $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; $proxysettings{'AUTH_MAX_USERIP'} = ''; @@ -1629,21 +1627,6 @@ END print <<END </table>
-<hr size='1'> - -<table width='100%'> -<tr> - <td><b>$Lang::tr{'advproxy privacy'}</b></td> -</tr> -<tr> - <td class='base'>$Lang::tr{'advproxy fake useragent'}:</td> - <td class='base'>$Lang::tr{'advproxy fake referer'}:</td> -</tr> -<tr> - <td><input type='text' name='FAKE_USERAGENT' value='$proxysettings{'FAKE_USERAGENT'}' size='40%' /></td> - <td><input type='text' name='FAKE_REFERER' value='$proxysettings{'FAKE_REFERER'}' size='40%' /></td> -</tr> -</table> <hr size='1'> END ; @@ -3846,8 +3829,7 @@ END
print FILE "http_access deny all\n\n";
- if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') || - (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq ''))) + if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off')) { print FILE "#Strip HTTP Header\n";
@@ -3861,31 +3843,9 @@ END print FILE "request_header_access Via deny all\n"; print FILE "reply_header_access Via deny all\n"; } - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) - { - print FILE "request_header_access User-Agent deny all\n"; - print FILE "reply_header_access User-Agent deny all\n"; - } - if (!($proxysettings{'FAKE_REFERER'} eq '')) - { - print FILE "request_header_access Referer deny all\n"; - print FILE "reply_header_access Referer deny all\n"; - }
print FILE "\n";
- if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq ''))) - { - if (!($proxysettings{'FAKE_USERAGENT'} eq '')) - { - print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n"; - } - if (!($proxysettings{'FAKE_REFERER'} eq '')) - { - print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n"; - } - print FILE "\n"; - } }
if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index eee51575b..0d2228ede 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -326,8 +326,6 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Ungültige IP oder Subnetz für ausgenommenes IP-Subnetz', 'advproxy error design' => 'Design der Fehlermeldungen', 'advproxy error language' => 'Sprache der Fehlermeldungen', -'advproxy fake referer' => 'Gefälschter Referer für externe Webseiten', -'advproxy fake useragent' => 'Gefälschter User-Agent für externe Webseiten', 'advproxy friday' => 'Fr', 'advproxy from' => 'Von', 'advproxy group access control' => 'Gruppenbasierte Zugriffskontrolle', @@ -357,7 +355,6 @@ 'advproxy off' => 'Proxy aus', 'advproxy offline mode' => 'Aktiviere Offline-Modus', 'advproxy on' => 'Proxy ein', -'advproxy privacy' => 'Datenschutz', 'advproxy proxy port' => 'Proxyport', 'advproxy proxy port transparent' => 'Transparenter Port', 'advproxy ram cache size' => 'Cachegröße im Arbeitsspeicher (MB)', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a48deeeca..2ba6961f3 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -323,8 +323,6 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD: Invalid IP or subnet for excluded IP subnet', 'advproxy error design' => 'Error messages design', 'advproxy error language' => 'Error messages language', -'advproxy fake referer' => 'Fake referer submitted to external sites', -'advproxy fake useragent' => 'Fake useragent submitted to external sites', 'advproxy friday' => 'Fri', 'advproxy from' => 'From', 'advproxy group access control' => 'Group based access control', 
@@ -354,7 +352,6 @@ 'advproxy off' => 'Proxy off', 'advproxy offline mode' => 'Enable offline mode', 'advproxy on' => 'Proxy on', -'advproxy privacy' => 'Privacy', 'advproxy proxy port' => 'Proxy port', 'advproxy proxy port transparent' => 'Transparent port', 'advproxy ram cache size' => 'Memory cache size (MB)', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index e76c987bc..1080afdea 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl @@ -297,8 +297,6 @@ 'advproxy errmsg time restriction' => 'Restricción de tiempo no válida', 'advproxy error design' => 'Diseño de mensajes de error', 'advproxy error language' => 'Idioma de Mensajes de error', -'advproxy fake referer' => 'Referer falso enviado a sitios externos', -'advproxy fake useragent' => 'Useragent falso enviado a sitios externos', 'advproxy friday' => 'Vie', 'advproxy from' => 'De', 'advproxy hdd cache size' => 'Tamaño del caché en disco duro (MB)', @@ -326,7 +324,6 @@ 'advproxy off' => 'Proxy Apagado', 'advproxy offline mode' => 'Activar modo fuera de línea', 'advproxy on' => 'Proxy Encendido', -'advproxy privacy' => 'Privacidad', 'advproxy proxy port' => 'Puerto del proxy', 'advproxy ram cache size' => 'Tamaño de memoria caché', 'advproxy redirector children' => 'Número de procesos filtrados', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 840292f9c..1b6d30111 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -330,8 +330,6 @@ 'advproxy errmsg wpad invalid ip or mask' => 'WPAD : IP ou sous-réseau invalide pour le sous-réseau IP exclu', 'advproxy error design' => 'Construction messages erronés ', 'advproxy error language' => 'Langage des messages erronés ', -'advproxy fake referer' => 'Fausses références soumises aux sites externes ', -'advproxy fake useragent' => 'Faux useragent soumis aux sites externes ', 'advproxy friday' => 'Ven', 'advproxy from' => 'De', 'advproxy group access control' => 'Contrôle d'accès basé sur le groupe', 
@@ -361,7 +359,6 @@ 'advproxy off' => 'Proxy inactif', 'advproxy offline mode' => 'Autoriser le mode hors connexion ', 'advproxy on' => 'Proxy actif', -'advproxy privacy' => 'Privé', 'advproxy proxy port' => 'Port proxy ', 'advproxy proxy port transparent' => 'Port transparent ', 'advproxy ram cache size' => 'Taille cache mémoire (Mo) ', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 57585dd27..e9bd157a3 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -257,8 +257,6 @@ 'advproxy errmsg time restriction' => 'Invalid time restriction', 'advproxy error design' => 'Design dei messaggi di errore', 'advproxy error language' => 'Lingua dei messaggi di errore', -'advproxy fake referer' => 'Fake referer submitted to external sites', -'advproxy fake useragent' => 'Fake useragent submitted to external sites', 'advproxy friday' => 'Ven', 'advproxy from' => 'Da', 'advproxy hdd cache size' => 'Harddisk cache size (MB)', @@ -286,7 +284,6 @@ 'advproxy off' => 'Proxy off', 'advproxy offline mode' => 'Attiva modalità offline', 'advproxy on' => 'Proxy Acceso', -'advproxy privacy' => 'Privacy', 'advproxy proxy port' => 'Porta Proxy', 'advproxy proxy port transparent' => 'Porta Transparente', 'advproxy ram cache size' => 'Dimensione della Memoria di cache (MB)', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index fb5a932f9..d607e4f89 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl @@ -256,8 +256,6 @@ 'advproxy errmsg time restriction' => 'Ongeldige tijdsbeperking', 'advproxy error design' => 'Opmaak foutmeldingen', 'advproxy error language' => 'Taal foutmeldingen', -'advproxy fake referer' => 'Nepverwijzing die wordt gestuurd naar externe sites', -'advproxy fake useragent' => 'Nep useragent die wordt gestuurd naar externe sites', 'advproxy friday' => 'Vri', 'advproxy from' => 'Van', 'advproxy hdd cache size' => 'Harddisk cache-grootte (MB)', 
@@ -285,7 +283,6 @@ 'advproxy off' => 'Proxy uit', 'advproxy offline mode' => 'Schakel offline modus in', 'advproxy on' => 'Proxy aan', -'advproxy privacy' => 'Privacy', 'advproxy proxy port' => 'Proxy poort', 'advproxy proxy port transparent' => 'Transparante poort', 'advproxy ram cache size' => 'Geheugen cache-grootte (MB)', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index d3540cc62..a44f43fa4 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -245,8 +245,6 @@ 'advproxy errmsg time restriction' => 'Niepoprawne ograniczenia czase', 'advproxy error design' => 'Styl komunikatów o błędach', 'advproxy error language' => 'Język komunikatów o błędach', -'advproxy fake referer' => 'Fake referer submitted to external sites', -'advproxy fake useragent' => 'Fake useragent submitted to external sites', 'advproxy friday' => 'Pią', 'advproxy from' => 'Od', 'advproxy hdd cache size' => 'Rozmiar cache na dysku (MB)', @@ -274,7 +272,6 @@ 'advproxy off' => 'Proxy wyłączone', 'advproxy offline mode' => 'Włącz tryb offline', 'advproxy on' => 'Proxy wł', -'advproxy privacy' => 'Prywatność', 'advproxy proxy port' => 'Port proxy', 'advproxy ram cache size' => 'Rozmiar RAM cache (MB)', 'advproxy redirector children' => 'Liczba procesów filtrujących', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 12afa0b92..c0342eb25 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -243,8 +243,6 @@ 'advproxy errmsg time restriction' => 'Неверное ограничение по времени', 'advproxy error design' => 'Оформление ошибок', 'advproxy error language' => 'Язык, на котором отображаются ошибки', -'advproxy fake referer' => 'Липовый referer Для внешних сайтов', -'advproxy fake useragent' => 'Липовый useragent для внешних сайтов', 'advproxy friday' => 'Пт', 'advproxy from' => 'C', 'advproxy hdd cache size' => 'Размер кэша жёсткого диска (MB)', 
@@ -272,7 +270,6 @@ 'advproxy off' => 'Proxy выкл', 'advproxy offline mode' => 'Включить автономный режим', 'advproxy on' => 'Proxy вкл', -'advproxy privacy' => 'Приватность', 'advproxy proxy port' => 'Порт Proxy', 'advproxy ram cache size' => 'Размер памяти кэша (MB)', 'advproxy redirector children' => 'Количество фильтруемых процессов', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 83416ebe7..f90bee0ea 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl @@ -318,8 +318,6 @@ 'advproxy errmsg time restriction' => 'Geçersiz zaman kısıtlaması', 'advproxy error design' => 'Hata mesajları tasarımı', 'advproxy error language' => 'Hata mesajları dili', -'advproxy fake referer' => 'Sahte referansı harici sitelere gönder', -'advproxy fake useragent' => 'Sahte yönlendiriciyi harici sitelere gönder', 'advproxy friday' => 'Cum', 'advproxy from' => 'Başlangıç', 'advproxy group access control' => 'Grup tabanlı erişim kontrolü', @@ -349,7 +347,6 @@ 'advproxy off' => 'Vekil sunucu kapalı', 'advproxy offline mode' => 'Çevrimdışı yöntemi aktifleştir', 'advproxy on' => 'Vekil sunucu', -'advproxy privacy' => 'Gizlilik', 'advproxy proxy port' => 'Vekil sunucu bağlantı noktası', 'advproxy proxy port transparent' => 'Şeffaf bağlantı noktası', 'advproxy ram cache size' => 'Bellek önbellek boyutu (MB)',
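Review bot: In the proxy.cgi hunks at -226 and -3861, nothing handles installations that already have FAKE_USERAGENT or FAKE_REFERER set. The hunks drop the two defaults and the code that wrote `header_replace User-Agent ...` and `header_replace Referer ...`, and the diffstat lists only proxy.cgi and nine language files. Until squid.conf is regenerated, the previously written `request_header_access User-Agent deny all` and `header_replace` lines stay in effect, and any saved values for the two keys are left behind as dead entries. Suggest an update step that rewrites the proxy configuration and removes both keys, plus a release-note line so affected users know their browsers' real headers are sent again.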
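Review bot: In the language-file hunks (de, en, es, fr, it, nl, pl, ru, tr), the keys 'advproxy fake referer', 'advproxy fake useragent' and 'advproxy privacy' are deleted, while the only uses removed in this patch are the three `$Lang::tr{...}` references in the proxy.cgi hunk at -1629. Please confirm with a tree-wide search that no other CGI or template still references 'advproxy privacy' or the two fake-header keys, since a leftover reference would render as an empty label. It would also help to state in the commit message that the "Privacy" section of the proxy page disappears entirely, not just the two input fields.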