Remove/Replace Generic Header Signature Filter
Dec. 17, 2011, 07:05 PM
Post: #1
Remove/Replace Generic Header Signature Filter
Hi.
Is there a way to remove or replace your browser's generic header signature with some type of filter?

After testing browser leaks at http://ip-check.info/?lang=en

I found out the generic signature of the browser remains the same even
if you have changed your user agent, which is pretty useless since you can't really mask your browser entirely. In other words, if I'm using FF but I cloak the user agent as Safari, this hash value will return FF and not Safari. Is there a way to block/replace this hash value with Proxo? For example, matching it to an "individual" user agent hash value of your choosing instead?

[Image: jre6mw.png]
Dec. 18, 2011, 11:46 PM (This post was last modified: Dec. 18, 2011 11:50 PM by JJoe.)
Post: #2
RE: Remove/Replace Generic Header Signature Filter
I think that "signature" is created by the site's server from the info that your browser sent, so you cannot remove it.

I don't think the Proxomitron can reorder headers, so you cannot use it to imitate all the user-agents, if any.

You can affect the "signature" by modifying, deleting, and adding headers.

HTH
Dec. 19, 2011, 12:44 AM
Post: #3
RE: Remove/Replace Generic Header Signature Filter
My limited understanding is that since it's a "generic sig", it means the browser throws the value of a hash depending on which browser version you are using. I've tested different versions of Firefox and Safari and they all return different hash values according to the browser version. Using a similar version on different machines will throw the same signature, so I think it works like an MD5 hash check.

If a site requests this "browser hash value", and if I'm following your last sentence correctly, then it's possible to affect this signature by modifying or adding headers. If I could simply modify this hash by adding a few digits, that would work great. I hope you can throw some example on how to do this.

Thank you so much for those quick responses, JJoe.
Dec. 19, 2011, 03:43 AM (This post was last modified: Dec. 19, 2011 03:44 AM by JJoe.)
Post: #4
RE: Remove/Replace Generic Header Signature Filter
As I understand things,
http://ip-check.info/description.php

JonDonym Wrote:The order and the content of the HTTP headers sent by your browser may be used to identify your browser type and to separate you easier from other web surfers.

The JonDonym server noted the order and content of some of the headers that my browser sent

JonDonym Wrote:The value shown here is a hash over the browser headers that are relevant for this.

and used that info to create a value aka signature. The value shows how such info might be stored.

JonDonym Wrote:Unfortunately, current web browsers do not allow changing the order of the headers sent by them. If you would like to reach the default values of JonDoFox, we therefore suggest that you use the Firefox browser. In the following, you see the recommended default values:

Generic header signature of Firefox
8ab3a24c55ad99f4e3a6e5c03cad9446
host
user-agent
accept
accept-language
accept-encoding
connection

Individual JonDoFox header signature
60b01cb7d790f6ab840104b525a79d6f
host
user-agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
accept
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate
connection

Some headers of requests passing through the JonDonym servers will have a specified order and content.
So to get lost in the JonDonym crowd when you aren't using JonDonym's servers, your browser needs to send as shown under "Individual JonDoFox header signature". Firefox (generic) sends headers in the correct order but you may need to spoof or change the user-agent, accept-language, and accept-encoding headers "to reach the default values of JonDoFox".

(Dec. 19, 2011 12:44 AM)costes Wrote:  it means the browser throws the value of a hash depending on which browser version you are using.

I haven't found it with wireshark.

(Dec. 19, 2011 12:44 AM)costes Wrote:  i've tested different versions of firefox and safari and they all return different hash values according to the browser version. using a similar version in different machines will throw the same signature

That's not unexpected, especially when the machines' operating systems are the same or the Proxomitron is modifying headers. The relevant headers sent to JonDonym's server would change with the browser but maybe not with the machine.

(Dec. 19, 2011 12:44 AM)costes Wrote:  it's possible to affect this signature by modifying or adding headers. If I could simply modify this hash by adding a few digits, that would work great. I hope you can throw some example on how to do this.

You can't change the order of the headers. You can change their content. The Proxomitron can modify headers and some browsers allow changes.
But I think you may be missing the point, or am I?

I think JonDonym is trying to tell you to get lost in a crowd. I can only guess that they believe their headers provide the best crowd to hide in.

BTW, don't do anything that would make it worth somebody's time to find you.

HTH
Dec. 19, 2011, 11:37 AM (This post was last modified: Dec. 19, 2011 11:41 AM by costes.)
Post: #5
RE: Remove/Replace Generic Header Signature Filter
Again, thanks for the quick response, JJoe.


JJoe Wrote:You can't change the order of the headers. You can change their content. The Proxomitron can modify headers and some browsers allow changes.
But I think you may be missing the point, or am I?

I thought that because Proxo intercepts any request that goes through it, it was possible to modify such generic headers,
including the "order of the headers", although I'm not quite sure what they mean by that.
Header A for some value,
header B for another value,
etc.
So if the order of headers goes A, B, C then it's X browser;
if the order goes B, D, A then it's Z browser?


JJoe Wrote:BTW, don't do anything that would make it worth somebody's time to find you.

LOL. The idea behind it was to mask any browser to the extreme or completely. "Tor browser" for example has a generic sig as well and it only uses Firefox. Most people will use Tor browser. This is important because every single "Tor browser" in a cloud of anonymity throws the same values everywhere, so you get lost in a generic crowd of users, where more users with the same browser will increase your anonymity. Hence also the Panopticlick EFF project that helps you determine how common your browser is among others for tracking purposes.
https://panopticlick.eff.org
There are no other browsers currently being modified by the Tor developers, but they are working closely with the Chrome people and others to bring the Tor experience in different flavours (personally I would never use Chrome). The reality is that many browsers will work with Tor if you take the time to configure them properly. But because there is a lack of Tor users using any other browser than Firefox at the moment, it makes it easier to distinguish those not using FF; hence applications like Proxo will help you disguise your browsing experience when it's needed. I was hoping this "generic sig" was one of those values you could configure as well to get an extremely masked browser.

The problem is not using Tor with X browser to surf the web; the problem is at the Tor exit nodes. Those can see, log and potentially track a user (UA string, for this matter) when a site has not implemented SSL to view their pages. Much like those clever Kissmetrics cookies, if exit nodes A, F, V are colluded they could correlate the browsing habits of a different browser.
i.e.:

3k users at exit node A use Tor browser, but "UA J browser" was here looking at L page
1k users at exit node A use Firefox, but "UA J browser" was here looking at h page
2k users at exit node V use Firefox or Tor browser, but "UA J browser" was here looking at xxx pages (haha.)
50 users at exit node F use Firefox or Tor browser, but "UA J browser" was here looking at P pages

If it walks like a duck and quacks like a duck then ......

Thank you for your time in your last reply, JJoe.
Dec. 19, 2011, 03:17 PM
Post: #6
RE: Remove/Replace Generic Header Signature Filter
(Dec. 19, 2011 11:37 AM)costes Wrote:  So if the order of headers goes A, B, C then it's X browser;
if the order goes B, D, A then it's Z browser?

Proxo's log window shows 4 different orders for 4 different browsers

Code:
+++GET 317+++
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: www.google.com
Pragma: no-cache
Connection: keep-alive

+++GET 319+++
GET / HTTP/1.1
Host: www.google.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Connection: keep-alive

+++GET 321+++
GET / HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.60
Host: www.google.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Connection: keep-alive

+++GET 323+++
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cache-Control: max-age=0
Connection: keep-alive

In practice, anonymity is difficult.
Have fun, play nice.
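A way to see concretely what JJoe's post #4 explains and his log above shows (the "generic" signature depends on the order of the headers, so a filter that only rewrites the User-Agent value leaves it unchanged while an "individual" signature that also covers values does change), as an added example that is not code from the thread, from JonDonym or from the Proxomitron. The four requests from the log window above are used as sample input; the hash construction (MD5 over the six names listed under "Generic header signature", with the values of user-agent, accept-language and accept-encoding added for the "individual" one) is this example's own assumption, so its digests will not match the ones ip-check.info shows. The Safari-style user-agent used in the spoofing check is constructed, not taken from the page.

```python
import hashlib

# Sample input: the four requests JJoe posted from the Proxomitron log window,
# one per browser (request line first, then the headers in the order logged).
LOGGED_REQUESTS = {
    "msie9": "\n".join([
        "GET / HTTP/1.1",
        "Accept: text/html, application/xhtml+xml, */*",
        "Accept-Language: en-US",
        "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
        "Accept-Encoding: gzip, deflate",
        "Host: www.google.com",
        "Pragma: no-cache",
        "Connection: keep-alive",
    ]),
    "chrome14": "\n".join([
        "GET / HTTP/1.1",
        "Host: www.google.com",
        "Cache-Control: max-age=0",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding: gzip,deflate,sdch",
        "Accept-Language: en-US,en;q=0.8",
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3",
        "Connection: keep-alive",
    ]),
    "opera11": "\n".join([
        "GET / HTTP/1.1",
        "User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.10.229 Version/11.60",
        "Host: www.google.com",
        "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1",
        "Accept-Language: en-US,en;q=0.9",
        "Accept-Encoding: gzip, deflate",
        "Cache-Control: no-cache",
        "Connection: keep-alive",
    ]),
    "firefox8": "\n".join([
        "GET / HTTP/1.1",
        "Host: www.google.com",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-us,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        "Cache-Control: max-age=0",
        "Connection: keep-alive",
    ]),
}

# Assumption: the "relevant" headers are the six names JonDonym lists under
# "Generic header signature"; the individual signature additionally hashes the
# values of the three headers JonDonym shows recommended values for.
RELEVANT = ("host", "user-agent", "accept", "accept-language", "accept-encoding", "connection")
VALUE_HEADERS = ("user-agent", "accept-language", "accept-encoding")


def parse_request(raw):
    """Split a logged request into (lower-cased name, value) pairs, keeping order."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")[1:]  # drop the request line
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def relevant_order(headers):
    """The relevant header names in the order the browser sent them."""
    return tuple(name for name, _ in headers if name in RELEVANT)


def generic_signature(headers):
    """Hash over header order only: rewriting a value cannot change it."""
    return hashlib.md5("\n".join(relevant_order(headers)).encode()).hexdigest()


def individual_signature(headers):
    """Hash over order plus the values of the headers a filter would rewrite."""
    parts = [f"{n}: {v}" if n in VALUE_HEADERS else n for n, v in headers if n in RELEVANT]
    return hashlib.md5("\n".join(parts).encode()).hexdigest()


def set_header(headers, name, value):
    """What a header-rewriting filter does: replace one value, leave the order alone."""
    return [(n, value if n == name else v) for n, v in headers]


if __name__ == "__main__":
    for browser, raw in LOGGED_REQUESTS.items():
        h = parse_request(raw)
        print(f"{browser:9} generic={generic_signature(h)} order={relevant_order(h)}")
    fx = parse_request(LOGGED_REQUESTS["firefox8"])
    # Constructed Safari-style user-agent; only the value changes, not the order.
    spoofed = set_header(fx, "user-agent", "Mozilla/5.0 (Macintosh) AppleWebKit/534.52.7 Safari/534.52.7")
    print("generic unchanged by UA spoof:", generic_signature(spoofed) == generic_signature(fx))
    print("individual changed by UA spoof:", individual_signature(spoofed) != individual_signature(fx))
```

Running it prints four different generic signatures for the four browsers (the Firefox one is the only order matching JonDonym's listed "host, user-agent, accept, accept-language, accept-encoding, connection"), and then shows that swapping the Firefox user-agent for a Safari one leaves the generic signature identical while the individual signature moves, which is exactly the mismatch costes saw on ip-check.info.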
Dec. 20, 2011, 05:27 AM
Post: #7
RE: Remove/Replace Generic Header Signature Filter
First of all, this must be the first time I get several quick responses in a forum, JJoe, so thank you.
And thanks also for doing the work to help with this request.


JJoe Wrote:Proxo's log window shows 4 different orders for 4 different browsers

HA! Why didn't I think of that... all I had to do was check that log window using the browsers.
Banging Head. Now I have the clear picture. Thanks.

JJoe Wrote:In practice, anonymity is difficult. Have fun, play nice.

Yes, this is quite annoying; glad your input helped me catch on to it. Thumbs Up