> How do they tell the user agent header is fake? I could deliver the AIX
> Netscape useragent string for all requests.
>
They tell by looking at the access pattern or failure modes;
e.g. if you used wget (especially with robots.txt disabled)
to access the IMDB site, but faked the User Agent, they
would spot the access pattern and probably block your proxy
because of its use of forged headers.

Also, many dynamic sites customise the HTML (a bad thing in my
view, but they do it) so your users might get lots of JavaScript
errors if they are not using the same browser.

The other problem with forged headers relates to SSL (you may
be breaching their security policy by using an unauthorised SSL
implementation, e.g. Lynx/SSL). However, the User Agent will be
sent end to end in this case and there is no way you can stop
SSL delivery of the true User Agent at the proxy, without launching
your own man-in-the-middle attack on the link.

I don't know of a case involving IP addresses, but do know that
at least one person has asked on the list how to recover the
true source IP address for a proxied connection, so I think there
is some demand to do so.
Received on Wed Sep 01 1999 - 06:24:45 MDT
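
The access-pattern check described in the reply above, sketched from the site operator's side as an added example that is not part of the original message: it flags clients whose User-Agent claims a graphical browser but which request only pages and never the images or stylesheets a browser would fetch. The Combined Log Format, the asset-extension list, the `min_pages` threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Embedded resources a graphical browser normally requests after each page (assumed list).
ASSET_RE = re.compile(r'\.(gif|jpe?g|png|css|js|ico)(\?|$)', re.I)


def flag_suspect_clients(lines, min_pages=5):
    """Return sorted (ip, ua) pairs that claim a browser UA but fetch only pages."""
    stats = defaultdict(lambda: {"pages": 0, "assets": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        kind = "assets" if ASSET_RE.search(m["path"]) else "pages"
        stats[(m["ip"], m["ua"])][kind] += 1
    return sorted(
        key for key, s in stats.items()
        if key[1].startswith("Mozilla/") and s["pages"] >= min_pages and s["assets"] == 0
    )


def _line(ip, path, ua):
    # Helper that builds one constructed log line for the sample below.
    return f'{ip} - - [01/Sep/1999:06:00:00 -0600] "GET {path} HTTP/1.0" 200 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/4.61 [en] (X11; U; AIX 4.3)"  # constructed sample UA string
SAMPLE_LOG = (
    # 192.0.2.10: claims a browser, walks pages, never fetches an image
    [_line("192.0.2.10", f"/title/{n}/", BROWSER_UA) for n in range(8)]
    # 192.0.2.20: same UA string, but each page is followed by its image
    + [_line("192.0.2.20", p, BROWSER_UA)
       for n in range(6) for p in (f"/title/{n}/", f"/img/{n}.gif")]
    # 192.0.2.30: crawler that identifies itself honestly
    + [_line("192.0.2.30", f"/title/{n}/", "Wget/1.5.3") for n in range(8)]
)

if __name__ == "__main__":
    for ip, ua in flag_suspect_clients(SAMPLE_LOG):
        print(f"suspect: {ip} claims {ua!r} but requested no embedded assets")
```

A browser with image loading turned off produces the same pattern, so a hit is a reason to look closer rather than proof of a forged header.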