[Livehttpheaders] Livehttpheaders: feedback from Anthony Georgeo
notes at mozdev.org
Tue May 23 19:48:13 EDT 2006
I am requesting a feature for your great "livehttpheaders" which will enable HTTP/S environmental variable header filtering.
HTTP/S headers include information about the systems in use. This is bad in regards to security, privacy, crackers, etc.
There are HTTP proxy programs such as "Privoxy" and "Proximodo" which filter HTTP environmental variable headers. Unfortunately, none of the existing HTTP header filtering solutions are able to filter HTTPS data due to the nature of HTTPS (e.g. SSL) encryption.
As Firefox has access to the verified and decrypted
HTTPS headers FF is in the best position to filter the
decrypted HTTPS headers on-the-fly.
A Firefox extension may be the best option for HTTP/S header filtering as explained in this quote:
"The only way to do this is via extensions to the
browser. That way you do not interfere with CRL/OCSP for true cert verification...And you get SSL for free, because your extensions see the web data AFTER the
browser has performed (optional) rigorous checks to
make sure the cert has not been revoked or otherwise
I requested this feature as an extension at
But, then I found your great extension and I thought
you may be interested in adding this feature to your extension. I thought you may be able to implement this feature faster/better than others due to the nature of your "livehttpheaders" extension.
Here are the HTTP/S Environmental Variable Headers that IMO should be filtered or spoofed:
Should be spoofed to match the home-page of the
server/site the user is actively connected to.
Should be user configurable for OS, encryption strength, language, browser, etc
Should be set to the parameter "Close"
Should be user configurable, generally to match the language in "User-Agent".
The FF extension should add a HTTP/S header to each
request so only uncompressed transfers are requested.
a.) Should be able to forge "X-Forwarded-for:" headers using random IP addresses from a specified network, to make successive requests from the same client look like requests from a pool of different users sharing the same proxy.
b.) If 'a.)' is not feasible then the next best option is the removal (e.g. deletion) of the HTTP/S header "X-Forwarded-for" from client requests and prevent creation of new ones.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20060426 Firefox/22.214.171.124
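The request-side rules listed in the message above, sketched as a pure function over a header map. This is an added example, not part of the original message and not LiveHTTPHeaders code. The header names Referer, Connection, Accept-Language and Accept-Encoding are assumptions inferred from the descriptions (the archived list names only User-Agent and X-Forwarded-For), the function and policy names are hypothetical, and X-Forwarded-For is handled by removal, option b.).

```javascript
// Added example, not LiveHTTPHeaders code. Header names other than
// User-Agent and X-Forwarded-For are assumptions inferred from the post.
const DEFAULT_POLICY = {
  userAgent: "ExampleBrowser/1.0 (constructed sample value)",
  acceptLanguage: "en-US,en;q=0.5", // should match the language claimed in userAgent
};

// Reject CR/LF so a configured value cannot smuggle extra header lines.
function safeValue(name, value) {
  if (/[\r\n]/.test(value)) {
    throw new Error(`illegal line break in configured ${name}`);
  }
  return value;
}

// Returns a new header object (lower-cased names) with the rules applied.
function filterRequestHeaders(requestUrl, headers, policy = DEFAULT_POLICY) {
  const site = new URL(requestUrl); // throws on a malformed URL
  const out = Object.create(null);  // no prototype, so odd header names are inert
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value); // header names are case-insensitive
  }
  out["referer"] = site.origin + "/"; // home page of the site being contacted
  out["user-agent"] = safeValue("userAgent", policy.userAgent);
  out["accept-language"] = safeValue("acceptLanguage", policy.acceptLanguage);
  out["connection"] = "close";
  out["accept-encoding"] = "identity"; // request uncompressed transfers only
  delete out["x-forwarded-for"];       // option b.): remove rather than forge
  return out;
}

// Constructed sample request, for illustration only.
const sample = filterRequestHeaders("https://example.org/account/view?id=7", {
  "Referer": "https://other.example/search?q=private+term",
  "USER-AGENT": "RealBrowser/9.9 (RealOS 1.2)",
  "Accept-Encoding": "gzip, deflate",
  "X-Forwarded-For": "192.0.2.7",
  "Cookie": "session=abc",
});
console.log(sample);
```

Headers the rules do not mention, such as Cookie in the sample, pass through unchanged.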