RE: anonymize_headers

From: Dave J Woolley <DJW@dont-contact.us>
Date: Wed, 1 Sep 1999 13:10:39 +0100

> How do they tell the user agent header is fake? I could deliver the AIX
> Netscape useragent string for all requests.
>
        They tell by looking at the access pattern or failure modes;
        e.g. if you used wget (especially with robots.txt disabled)
        to access the the IMDB site, but faked the User Agent, they
        would spot the access pattern and probably block your proxy
        because of its use of forged headers.

        Also, many dynamic sites customise the HTML (a bad thing in my
        view, but they do it) so your users might get lots of Javascript
        errors if they are not using the same browser.

        The other problem with forged headers relates to SSL (you may
        be breaching their security policy by using an unauthorised SSL
        implementation, e.g. Lynx/SSL). However, the User Agent will be
        sent end to end in this case and there is no way you can stop
        SSL delivery of the true User Agent at the proxy, without launching
        your own man in the middle attack on the link.

        I don't know of case involving IP addresses, but do know that
        at least one person has asked on the list how to recover the
        true source IP address for a proxied connection, so I think there
        is some demand to do so.
Received on Wed Sep 01 1999 - 06:24:45 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:48:13 MST