[Privoxy-users] Privoxy-users Digest, Vol 41, Issue 5

Robert Klemme rklemme at klemmeconsulting.com
Sat Jul 18 02:20:59 UTC 2020


Hi, I would like to mention a pretty good filter I ran across over on the
prxbx.com Privoxy forum.  There is some pretty good stuff in there.

Search by member for Cattleyavns or Faxopita. (If either of you are
reading, please ping me!)   Both of them have some really good ideas and
interesting filters.  I have used one filter to block
canvas/fingerprinting and it seems to work well (tested on browserleaks).

When you have HTTPS inspection configured, set up a filter with these
commands (credit Cattleyavns):

s@(\w\.getImageData\((.*?)\));|(\w\.toDataURL\((.*?)\));@@


To see the hits in the logfile, enable debug 64 (regular expression filters).
It will look something like this:


2020-06-19 09:51:43.594 80309ab00 Re-Filter: filtering
browserleaks.com/js/default.js?v=14554822 (size 10445) with
'privacy.canvasblocker' produced 1 hits (new size 10079).
2020-06-19 09:51:43.666 802ec5800 Re-Filter: filtering
browserleaks.com/js/canvas.js?v=14554822 (size 30143) with
'privacy.canvasblocker' produced 1 hits (new size 29866).


To get this, you will have to enable in config:

debug 64 # debug regular expression filters


Good luck and welcome to the battle for a reasonable level of security and
privacy..

Lee, "Bill Bob's Bait, Beer, and CA store"  gave me a good laugh, thanks!

Robert



On Fri, Jul 17, 2020 at 6:54 PM <privoxy-users-request at lists.privoxy.org>
wrote:

> Today's Topics:
>
>    1. Re: Same URL in multiple tabs, but only 1st gets logged. Why
>       not all? (Lee)
>    2. Re: Suppressing/modifying some browser fingerprints (ie. Am I
>       Unique?) (Lee)
>    3. Re: Suppressing/modifying some browser fingerprints (ie. Am I
>       Unique?) (U.Mutlu)
>    4. Re: Suppressing/modifying some browser fingerprints (ie. Am I
>       Unique?) (Lee)
>    5. Re: Suppressing/modifying some browser fingerprints (ie. Am I
>       Unique?) (Lee)
>    6. Re: Suppressing/modifying some browser fingerprints (ie. Am I
>       Unique?) (Lee)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 17 Jul 2020 10:06:59 -0400
> From: Lee <ler762 at gmail.com>
> To: "U.Mutlu" <um at mutluit.com>
> Cc: privoxy-users at lists.privoxy.org
> Subject: Re: [Privoxy-users] Same URL in multiple tabs, but only 1st
>         gets logged. Why not all?
> Message-ID:
>         <
> CAD8GWssMLRC+6uGX0W9kJi6kWq0Z8J_ve7YdEoawsTCea5imMA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On 7/15/20, U.Mutlu <um at mutluit.com> wrote:
> > Hi all,
> > let's say I'm on a website, and in a new tab or window of the
> > same browser I'm opening the same URL anew.
> > But this time no logging of the URL happens.
> > Is this by design (maybe some kind of caching) or maybe a bug?
>
> I think it's a by-product of https processing -- Privoxy can't look at
> the encrypted traffic, so nothing is logged if multiple requests go
> over the same connection.
>
> I set all the timeouts in the privoxy config to
> keep-alive-timeout 0
> default-server-timeout 0
> socket-timeout 2
>
> and as long as I wait at least 2 seconds between requests everything was
> logged.
>
> Lee
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 17 Jul 2020 11:58:28 -0400
> From: Lee <ler762 at gmail.com>
> To: "U.Mutlu" <um at mutluit.com>
> Cc: privoxy-users at lists.privoxy.org
> Subject: Re: [Privoxy-users] Suppressing/modifying some browser
>         fingerprints (ie. Am I Unique?)
> Message-ID:
>         <CAD8GWsv3W4MQCkZXyWQHnAuSOciYEZP5ZUvs013LeBdNSTh=
> Zw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On 7/15/20, U.Mutlu <um at mutluit.com> wrote:
> > Ian Silvester wrote on 07/15/2020 03:02 PM:
> >>
> >> Thinking further about Javascript, perhaps one could create a custom rule
> >> to block whichever Javascript functions are leveraged to sniff the more
> >> unique elements that comprise the fingerprint; if you do take on this and
> >> perform the research into the appropriate strings to look for please do
> >> report back to this list.
> >
> > Thanks, yes, I'm interested in finding a solution especially for the
> > Javascript functions. Best would be to have the choice to allow/deny
> > each single of these JS queries, optionally building own strings to send
> > back.
> >
> > I must admit I'm new to internals of privoxy, but I can say I'm highly
> > motivated, if necessary even ready to do some C coding in the sources.
> > Unfortunately I'm not an expert in HTML nor in Javascript nor JS DOM
> > nor privoxy nor privacy etc., but I'm confident I can master them :-)
> >
> > When I saw all the tracking/spying and of course also the nasty ads,
> > I realized that I need to find a generic solution for this problem.
>
> I'm not sure what you consider 'this problem' since you don't talk
> about IP addresses and  'Am I Unique?' seems to be an issue only if
> you're somehow hiding your IP address from the web servers (ie. using
> TOR or some other VPN that mixes your traffic in with lots of other
> people's traffic)
>
> So if you're trying to keep your private web browsing private, I'd
> suggest using the TOR Browser & leaving it at that.
>
> Privoxy used to be amazing, and then most everything web switched to
> https.  Which is much better than doing clear-text, but bad in that
> privoxy can't do anything with encrypted traffic except pass it along.
> So privoxy became pretty much a glorified hosts file.  Until
> recently..
>
> Privoxy now has the ability to act as a man-in-the-middle (MITM) and
> see all the clear-text traffic coming and going :)  But it's not a
> released product yet, so you have to build the latest development
> version of privoxy from git -- see
> https://www.privoxy.org/user-manual/installation.html#INSTALLATION-SOURCE
>
> You'll also need mbed-tls for the MITM functionality -- I grabbed the
> 2.16.7 version:
> https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.7
>
> > My current solution is IMO not that bad: in firewall blocking everything
> > by default for both inbound _and_ outbound, and only on demand allowing
> > the minimum required URLs (ie. their address parts) necessary for a site
> > to function. By this method all external trackers of that site get
> > automatically blocked. Of course it requires some work and experimenting
> > for finding out the right addresses (from those inside the HTML) and putting
> > them into the firewall and trying & retrying...
> >
> > This works well I can say, IMO better (more restrictive) than say the
> > DNS-based concept of Pi-hole, but this alone is of course not enough,
> > one _also needs_ privoxy to modify the HTML data.
>
> Once you have the ability to do https-inspection it's almost like
> you've been time-warped back to 2010 - all the traffic is clear-text,
> and you can modify most anything 'on-the fly' :)
>
> Regards,
> Lee
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 17 Jul 2020 20:40:56 +0200
> From: "U.Mutlu" <um at mutluit.com>
> To: privoxy-users at lists.privoxy.org
> Subject: Re: [Privoxy-users] Suppressing/modifying some browser
>         fingerprints (ie. Am I Unique?)
> Message-ID: <5F11F0B8.7090904 at mutluit.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Lee wrote on 07/17/2020 05:58 PM:
> >
> > So if you're trying to keep your private web browsing private, I'd
> > suggest using the TOR Browser & leaving it at that.
>
> Hi Lee, thx.
> My IP is my least concern. No, I don't need to hide my IP by using Tor etc.
> I just want to block all ads and all the spying trackers inside the HTML,
> as well a solution for the said HTML and JS queries about my system
> that can serve as a unique identifier for all the other sites one visits.
>
> I'm sure these companies and agencies are commercially exchanging
> all the data they collect about the system and the person behind it.
>
> And: government spying on its citizens by installing a trojan is becoming
> more and more a big problem in this f*cking Orwellian #1 EU country :-(
> I suspect they somehow install it remotely via the normal HTML traffic.
> Such web filtering plus firewall filtering could possibly prevent it I think &
> hope.
> Don't get me wrong: I really don't have anything to hide, but I don't
> want to be a victim of such totalitarian police state methods.
> IMO, most of the leading western countries nowadays have become a
> "land of confusion, lies, and oppression"... :-(
>
> > Privoxy now has the ability to act as a man-in-the-middle (MITM) and
> > see all the clear-text traffic coming and going :)  But it's not a
> > released product yet, so you have to build the latest development
> > version of privoxy from git -- see
> >
> https://www.privoxy.org/user-manual/installation.html#INSTALLATION-SOURCE
> >
> > You'll also need mbed-tls for the MITM functionality -- I grabbed the
> > 2.16.7 version:
> > https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.7
> >
> > Once you have the ability to do https-inspection it's almost like
> > you've been time-warped back to 2010 - all the traffic is clear-text,
> > and you can modify most anything 'on-the fly' :)
>
> This is indeed very interesting! I'll definitely try it.
> I guess the user will get a https-warning, but I can live with that since I
> know the reason is local, home-made.
>
> Thx & Regards
>
>
>
> ------------------------------
>
> Message: 4
> Date: Fri, 17 Jul 2020 19:04:40 -0400
> From: Lee <ler762 at gmail.com>
> To: "U.Mutlu" <um at mutluit.com>
> Cc: privoxy-users at lists.privoxy.org
> Subject: Re: [Privoxy-users] Suppressing/modifying some browser
>         fingerprints (ie. Am I Unique?)
> Message-ID:
>         <
> CAD8GWsu-5zLgjF8y-_xvczw19ihC1P6LY3VzO7AVVwYuKgP17g at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On 7/17/20, U.Mutlu <um at mutluit.com> wrote:
> > Lee wrote on 07/17/2020 05:58 PM:
> >>
> >> So if you're trying to keep your private web browsing private, I'd
> >> suggest using the TOR Browser & leaving it at that.
> >
> > Hi Lee, thx.
> > My IP is my least concern. No, I don't need to hide my IP by using Tor etc.
> > I just want to block all ads and all the spying trackers inside the HTML,
> > as well a solution for the said HTML and JS queries about my system
> > that can serve as a unique identifier for all the other sites one visits.
>
> OK, Privoxy can help with that :)
>
> > I'm sure these companies and agencies are commercially exchanging
> > all the data they collect about the system and the person behind it.
> >
> > And: government spying on its citizens by installing a trojan is becoming
> > more and more a big problem in this f*cking Orwellian #1 EU country :-(
> > I suspect they somehow install it remotely via the normal HTML traffic.
>
> Yes, is possible.  I suspect not probable, but still.. my attempt to
> "raise the bar" is to have DNSSEC enabled (either your own validating
> dns resolver or DOH/DOT to a resolver that has DNSSEC enabled) and
> allowing javascript only from https sites.
>
> > Such web filtering plus firewall filtering could possibly prevent it I think
> > & hope.
>
> I have the same hope :)
>
> > Don't get me wrong: I really don't have anything to hide, but I don't
> > want to be a victim of such totalitarian police state methods.
> > IMO, most of the leading western countries nowadays have become a
> > "land of confusion, lies, and oppression"... :-(
>
> Yes, there's much not to like about current circumstances :(
>
> >> Privoxy now has the ability to act as a man-in-the-middle (MITM) and
> >> see all the clear-text traffic coming and going :)  But it's not a
> >> released product yet, so you have to build the latest development
> >> version of privoxy from git -- see
> >>
> https://www.privoxy.org/user-manual/installation.html#INSTALLATION-SOURCE
> >>
> >> You'll also need mbed-tls for the MITM functionality -- I grabbed the
> >> 2.16.7 version:
> >> https://github.com/ARMmbed/mbedtls/releases/tag/mbedtls-2.16.7
> >>
> >> Once you have the ability to do https-inspection it's almost like
> >> you've been time-warped back to 2010 - all the traffic is clear-text,
> >> and you can modify most anything 'on-the fly' :)
> >
> > This is indeed very interesting! I'll definitely try it.
> > I guess the user will get a https-warning, but I can live with that since I
> > know the reason is local, home-made.
>
> Actually, no.  You create your own "trusted" CA cert, import it into
> your trusted cert store and you're good to go :)
>
> Regards,
> Lee
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 17 Jul 2020 19:20:15 -0400
> From: Lee <ler762 at gmail.com>
> To: Nicholas Bastin <nick.bastin at gmail.com>
> Cc: privoxy-users at lists.privoxy.org
> Subject: Re: [Privoxy-users] Suppressing/modifying some browser
>         fingerprints (ie. Am I Unique?)
> Message-ID:
>         <CAD8GWsvJBaETTsDBQPZDbZqX-GXvg4VW40h7rh9ckXC=
> PG7Auw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On 7/17/20, Nicholas Bastin <nick.bastin at gmail.com> wrote:
> > On Fri, Jul 17, 2020 at 11:58 AM Lee <ler762 at gmail.com> wrote:
> >
> >> Privoxy used to be amazing, and then most everything web switched to
> >> https.  Which is much better than doing clear-text, but bad in that
> >> privoxy can't do anything with encrypted traffic except pass it along.
> >> So privoxy became pretty much a glorified hosts file.  Until
> >> recently..
> >>
> >
> > You have always been able to put privoxy into a longer pipeline that had an
> > SSL bump so that privoxy would always have cleartext headers available to
> > it.  Personally I think this is a much better solution instead of trying to
> > build everything into one binary - just assemble your network pipeline as
> > required for your environment, with Privoxy being just a piece of that.
>
> So it looks like the diagram under 'how it works' at
>   http://www.proxfilter.net/proxhttpsproxy/
> right?
>
> I've done "bump in the wire" stuff before and never really liked it.
>
> The big thing I like about doing everything in Privoxy is that I get
> to check the cert in the browser.  Any site where I care about
> security should show up as having a legit cert; the sites where I'm
> doing https inspection show up with a cert from "Billy Bob's Beer,
> Bait and CA Store".
>
> Regards,
> Lee
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 17 Jul 2020 19:54:17 -0400
> From: Lee <ler762 at gmail.com>
> To: Nicholas Bastin <nick.bastin at gmail.com>
> Cc: privoxy-users at lists.privoxy.org
> Subject: Re: [Privoxy-users] Suppressing/modifying some browser
>         fingerprints (ie. Am I Unique?)
> Message-ID:
>         <CAD8GWssQY=
> 2S3PWOExjTX1qRRr3o+bdTJjQ--DW7ekBvFeP4Hg at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On 7/17/20, Nicholas Bastin <nick.bastin at gmail.com> wrote:
> > On Fri, Jul 17, 2020 at 7:20 PM Lee <ler762 at gmail.com> wrote:
> >
> >> So it looks like the diagram under 'how it works' at
> >>   http://www.proxfilter.net/proxhttpsproxy/
> >> right?
> >>
> >> I've done "bump in the wire" stuff before and never really liked it.
> >>
> >> The big thing I like about doing everything in Privoxy is that I get
> >> to check the cert in the browser.  Any site where I care about
> >> security should show up as having a legit cert; the sites where I'm
> >> doing https inspection show up with a cert from "Billy Bob's Beer,
> >> Bait and CA Store".
> >
> > All bumping issues new certificates from your roots, which you of course
> > put in your host certificate store, just like you would doing it inside
> > privoxy. Your egress bump handler should be validating the actual server
> > certificates against your policy (e.g. via an SSL observatory, local hash
> > for monitoring deltas, etc.).
>
> That's a problem right there.. my "policy" has been "wherever the
> software does".  I don't really know how firefox/curl/wget validates
> certs :(
>
> >  The difference with handling it in a
> > pipeline is that you break out the pieces so they can be modified
> > independently, meaning you can shift protocols or cipher suites in your
> > bump handler without privoxy having to know anything about it, and let
> > privoxy do what it does best.
>
> Yes, I see the attraction.  But me being able to see which certs are
> used for what __in the browser__ is much more attractive to me.
>
> hrmm.. altho it's probably more that I'm not all that confident of my
> ability to create and enforce a safe & secure policy for handling TLS
> and certificates, so I'm going for ease of validation..
>
> Regards,
> Lee
>
>


-- 
Robert Klemme Jr.
President, Klemme Consulting LLC.
RKlemme at Klemmeconsulting.com
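
Added example, not part of the original message or of Privoxy: a small Python harness that runs the canvas filter job quoted at the top of this message over constructed JavaScript snippets, to show which calls it removes and which it leaves in place. It assumes Python's `re` behaves like Privoxy's pcrs/PCRE for this pattern; the helper names and sample strings are made up for illustration.

```python
import re

# The substitution from the post, s@PATTERN@@, translated to Python's re.
# Privoxy applies it with pcrs (PCRE); this pattern only uses syntax that
# both engines handle the same way (assumption stated in the lead-in).
CANVAS_JOB = re.compile(
    r"(\w\.getImageData\((.*?)\));|(\w\.toDataURL\((.*?)\));"
)

def apply_job(body, global_flag=False):
    """Return (filtered_body, hits).

    The posted job has no 'g' option, so only the first match in the
    buffer is replaced; global_flag=True models adding 'g'.
    """
    count = 0 if global_flag else 1  # re.subn: count=0 means "replace all"
    return CANVAS_JOB.subn("", body, count=count)

# Constructed sample scripts (not taken from any real site).
SAMPLES = {
    # Minified one-letter variable: the whole call statement is removed.
    "minified": "var d=c.toDataURL('image/png');send(d);",
    # Longer identifier: \w matches only its last character, so the
    # leftover 'canva' fuses with the following code.
    "long_name": "var d=canvas.toDataURL();send(d);",
    # Call used as an argument, no ');' after it: not matched at all.
    "no_semicolon": "send(c.toDataURL())",
    # Two canvas reads in one file: without 'g' only the first is removed.
    "two_reads": "a.getImageData(0,0,9,9);b.toDataURL();",
}

def report(global_flag=False):
    """Map sample name -> (hits, filtered text)."""
    out = {}
    for name, js in SAMPLES.items():
        new, hits = apply_job(js, global_flag)
        out[name] = (hits, new)
    return out

if __name__ == "__main__":
    for name, (hits, new) in report().items():
        print(f"{name:13} hits={hits} -> {new!r}")
```

A hit count of 1 per file in the `debug 64` log is therefore what this job produces for any file with at least one matching call; it does not by itself show that every canvas read in that file was removed.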

