[Privoxy-users] Suppressing/modifying some browser fingerprints (ie. Am I Unique?)
Lee
ler762 at gmail.com
Fri Jul 17 23:54:17 UTC 2020

On 7/17/20, Nicholas Bastin <nick.bastin at gmail.com> wrote:
> On Fri, Jul 17, 2020 at 7:20 PM Lee <ler762 at gmail.com> wrote:
>
>> So it looks like the diagram under 'how it works' at
>> http://www.proxfilter.net/proxhttpsproxy/
>> right?
>>
>> I've done "bump in the wire" stuff before and never really liked it.
>>
>> The big thing I like about doing everything in Privoxy is that I get
>> to check the cert in the browser. Any site where I care about
>> security should show up as having a legit cert; the sites where I'm
>> doing https inspection show up with a cert from "Billy Bob's Beer,
>> Bait and CA Store".
>
> All bumping issues new certificates from your roots, which you of course
> put in your host certificate store, just like you would doing it inside
> privoxy. Your egress bump handler should be validating the actual server
> certificates against your policy (e.g. via an SSL observatory, local hash
> for monitoring deltas, etc.).

That's a problem right there.. my "policy" has been "wherever the
software does". I don't really know how firefox/curl/wget validates
certs :(

> The difference with handling it in a
> pipeline is that you break out the pieces so they can be modified
> independently, meaning you can shift protocols or cipher suites in your
> bump handler without privoxy having to know anything about it, and let
> privoxy do what it does best.

Yes, I see the attraction. But me being able to see which certs are
used for what __in the browser__ is much more attractive to me.
hrmm.. although it's probably more that I'm not all that confident of my
ability to create and enforce a safe & secure policy for handling TLS
and certificates, so I'm going for ease of validation..

Regards,
Lee
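
The "local hash for monitoring deltas" idea quoted above, sketched as an added example (not part of the original message and not Privoxy or ProxHTTPSProxy code). `PinStore`, `fetch_leaf_der` and the JSON pin file are hypothetical names; the store records the SHA-256 of each upstream leaf certificate and reports when it differs from the last accepted one.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the upstream leaf cert; chain and hostname validation stay enabled."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Hypothetical local hash store: host -> last accepted fingerprint."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def observe(self, host: str, der: bytes) -> str:
        """Return 'new', 'unchanged' or 'changed'. A change never overwrites the pin."""
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp  # first sighting: trust on first use
            self._save()
            return "new"
        # A delta is a review signal (renewals also change the hash), not a verdict.
        return "unchanged" if known == fp else "changed"

    def accept(self, host: str, der: bytes) -> None:
        """Record the operator's decision to trust a changed certificate."""
        self.pins[host] = fingerprint(der)
        self._save()
```

In a bump handler, `observe(host, fetch_leaf_der(host))` would run on the egress side before a substitute certificate is issued to the browser, with "changed" results logged for review.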