[Livehttpheaders] Feature Request: "HTTP/S Header Filtering"

Anothony Georgeo anogeorgeo at yahoo.com
Tue May 23 12:41:09 EDT 2006


Hello,

I am requesting a feature for your great
"livehttpheaders" which will enable HTTP/S
environmental variable header filtering.

HTTP/S headers include information about the systems
in use. This is bad in regards to security, privacy,
crackers, etc.

There are HTTP proxy programs such as Privoxy 
http://www.privoxy.org/ and Proximodo 
http://proximodo.sourceforge.net/ which filter HTTP
environmental variable headers. Unfortunately, none of 
the existing HTTP header filtering solutions are able 
to filter HTTPS data due to the nature of HTTPS (eg. 
SSL) encryption.

Recent discussions about the feasibility of 
'on-the-fly' HTTPS 'decryption > filtering of
decrypted HTTPS Headers > encryption' have led to the
suggestion of a Firefox extension.

As Firefox has access to the verified and decrypted 
HTTPS headers FF is in the best position to filter the
decrypted HTTPS headers on-the-fly.

A Firefox extension may be the best option for 
on-the-fly HTTP/S header filtering as explained in
this quote:
<http://archives.seul.org/or/talk/May-2006/msg00346.html>

"The only way to do this is via extensions to the 
browser. That way you do not interfere with CRL/OCSP
for true cert verification...And you get SSL for free,
because your extensions see the web data AFTER the 
browser has performed (optional) rigorous checks to 
make sure the cert has not been revoked or otherwise 
compromised/spoofed." 

I requested this as an extension at 
<http://forums.mozillazine.org/viewtopic.php?t=419360>

But, then I found your great extension and I thought 
you may be interested.  I also thought you may be able
to implement this faster/better than others due to the
nature of your "livehttpheaders" extension.


Here are the HTTP/S Environmental Variable Headers
that IMO should be filtered or spoofed:

'Referrer' =
Should be spoofed to match the home-page of the 
server/site the user is actively connected to.

'User-Agent' =
Should be user configurable for OS, encryption
strength, language, browser, etc
<http://en.wikipedia.org/wiki/User_agent>

'Proxy-Connection' =
Should be set to the parameter "Close"

'Accept-Language' =
Should be user configurable, generally to match the
language in "User-Agent".

'Prevent-Compression' =
The FF extension should add an HTTP/S header to each 
request so only uncompressed transfers are requested.

'X-Forwarded-for' =
a.) Should be able to forge "X-Forwarded-for:" headers
using random IP addresses from a specified network, to
make successive requests from the same client look
like requests from a pool of different users sharing
the same proxy.
b.) If 'a.)' is not feasible then the next best option
is the removal (eg. deletion) of the HTTP/S header
"X-Forwarded-for" from client requests and prevent
creation of new ones.



Thank you,
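
The header rules listed in the message above, sketched as one request-rewriting function. This is an added example, not part of the original message and not Live HTTP Headers code; the function name, the policy values and the sample request are constructed, and "Prevent-Compression" is read here as sending the standard `Accept-Encoding: identity`.

```javascript
// Hypothetical policy values; a real extension would read these from user prefs.
const DEFAULT_POLICY = {
  userAgent: "Mozilla/5.0 (constructed example UA)",
  acceptLanguage: "en-US,en;q=0.5",
};

// Constructed sample of what a browser might send before filtering.
const SAMPLE_HEADERS = {
  "Referer": "https://search.example/?q=private+query",
  "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/1.5",
  "Accept-Language": "de-DE",
  "Accept-Encoding": "gzip,deflate",
  "Proxy-Connection": "keep-alive",
  "X-Forwarded-For": "192.0.2.10",
};

// Returns a filtered copy of `headers` for a request to `requestUrl`.
// Header names are case-insensitive in HTTP, so they are lower-cased first;
// otherwise "X-Forwarded-for" and "x-forwarded-for" would slip past each other.
function filterRequestHeaders(requestUrl, headers, policy = DEFAULT_POLICY) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }

  // 'Referrer' (on the wire: Referer): always the home page of the site being
  // contacted, so the previous page and its query string never leave the browser.
  out["referer"] = new URL(requestUrl).origin + "/";

  // 'User-Agent' and 'Accept-Language': user-configured, kept consistent.
  out["user-agent"] = policy.userAgent;
  out["accept-language"] = policy.acceptLanguage;

  // 'Proxy-Connection': forced to "close". This example rewrites it only
  // when the browser sent one, rather than adding it to every request.
  if ("proxy-connection" in out) out["proxy-connection"] = "close";

  // 'Prevent-Compression': ask for uncompressed transfers only.
  out["accept-encoding"] = "identity";

  // 'X-Forwarded-for', option b.): delete it from the client request.
  delete out["x-forwarded-for"];

  return out;
}
```
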

