Re: (none) [httpd finding your identity]
To: Rich Graves <llurch@networking.stanford.edu>
Cc: cypherpunks@toad.com
Subject: Re: (none) [httpd finding your identity]

At 11:28 96-01-12 -0800, you wrote:
On Fri, 12 Jan 1996, sameer wrote:
control what information is passed out to the other end. Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to come up nearly blank.)
We do not send the HTTP 'From:' header. I will look into where they are getting the user name and location from. There is really nothing I can do in the Navigator to stop them from getting your IP address or DNS name.
I believe that it uses finger. If you really want to prevent people from finding out where you're coming from, use the anonymizer. Not at CMU? Don't worry.
On most UNIX machines or a Mac or PC running most common talk clients? Worry. Not just finger, but also identd will identify you. I think Eudora Pro has an identd option, too.
-rich
On Win 3.1 using Netscape 1.22, you can improve your 'lack of output' by removing in the PREFERENCES menu:

Your Name:
Your Email:
Your Organization:

The bad side is that you cannot mail from Netscape without filling the Email entry with a valid Email address and putting an anonymous address (ex.:an123456@anon.penet.fi) would cause http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to report your REAL hostname with your anonymous username (ex.:an123456@myhost.com) so if privacy is a must and you cannot use the anonymizer, this could reduce your output to your computer type and operating system and your browser and version number. For my part, after removing my Email, it was all that was left (-: ( It will stay that way... )

-------------------------------------------------------------------------
Eric Francoeur                      | "One of the things Adolf Hitler
E-Mail: doclulu@infobahnos.com      | and Bill Clinton have in common
http://www.infobahnos.com/~doclulu  | is that both were democratically
PGP Public key available at website | democratically elected leaders."
                                    | -Dr. Dimitri Vuli 1995.
The snoop program is using FTP to find out the user's e-mail address. The image on the page is an ftp: URL. Our FTP code was sending the user's e-mail address as the password for anonymous FTP, which is what is usually requested by FTP sites. The perl script was waiting for the FTP to happen, and then looking at its log to figure out the email address.

I've removed the code that uses the e-mail address as the FTP password for anonymous FTPs. You can still enter it by hand by using a URL of this form 'ftp://anonymous@ftp.netscape.com'. This will cause the navigator to prompt the user for the password to send for anonymous. This is a little known feature that will also allow users to access non-anonymous ftp accounts via netscape. The fix for this will be in the next beta, and the final version of 2.0.

--Jeff

doclulu@infobahnos.com wrote:
To: Rich Graves <llurch@networking.stanford.edu>
Cc: cypherpunks@toad.com
Subject: Re: (none) [httpd finding your identity]
At 11:28 96-01-12 -0800, you wrote:
On Fri, 12 Jan 1996, sameer wrote:
control what information is passed out to the other end. Specifically, I'd like http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to come up nearly blank.)
We do not send the HTTP 'From:' header. I will look into where they are getting the user name and location from. There is really nothing I can do in the Navigator to stop them from getting your IP address or DNS name.
I believe that it uses finger. If you really want to prevent people from finding out where you're coming from, use the anonymizer. Not at CMU? Don't worry.
On most UNIX machines or a Mac or PC running most common talk clients? Worry. Not just finger, but also identd will identify you. I think Eudora Pro has an identd option, too.
-rich
On Win 3.1 using Netscape 1.22, you can improve your 'lack of output' by removing in the PREFERENCES menu: Your Name: Your Email: Your Organization: The bad side is that you cannot mail from Netscape without filling the Email entry with a valid Email address and putting an anonymous address (ex.:an123456@anon.penet.fi) would cause http://anonymizer.cs.cmu.edu:8080/prog/snoop.pl to report your REAL hostname with your anonymous username (ex.:an123456@myhost.com) so if privacy is a must and you cannot use the anonymizer, this could reduce your output to your computer type and operating system and your browser and version number. For my part, after removing my Email, it was all that was left (-: ( It will stay that way... )
-- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.
Jeff Weinstein writes:
The snoop program is using FTP to find out the user's e-mail address. The image on the page is an ftp: URL. Our FTP code was sending the user's e-mail address as the password for anonymous FTP, which is what is usually requested by FTP sites. The perl script was waiting for the FTP to happen, and then looking at its log to figure out the email address.
I've removed the code that uses the e-mail address as the FTP password for anonymous FTPs. You can still enter it by hand by using a URL of this form 'ftp://anonymous@ftp.netscape.com'. This will cause the navigator to prompt the user for the password to send for anonymous. This is a little known feature that will also allow users to access non-anonymous ftp accounts via netscape.
Or you can use 'ftp://anonymous:password@ftp.netscape.com/', and skip the prompt. Not really less secure (assuming you can prevent shoulder surfers) as FTP sends the password in the clear, anyway.
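The credential choice discussed in the messages above, modelled as an added example (not Netscape's code and not written by anyone in this thread): for each inline image URL on a page it works out which FTP user and password a client would send, under the old behaviour and with the generic "mozilla@" default that Jeff names later in the thread. The function names, the sample page and the address are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

GENERIC_ANON_PASSWORD = "mozilla@"   # default named later in the thread


class InlineResources(HTMLParser):
    """Collect URLs a browser fetches without any click (img src)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src)


def ftp_login(url, user_email, send_email_as_password):
    """Return (user, password) for an ftp: URL; password None means 'prompt'."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        return None
    if parts.username is None:                    # plain ftp://host/path
        if send_email_as_password:                # old behaviour
            return ("anonymous", user_email)
        return ("anonymous", GENERIC_ANON_PASSWORD)
    user = unquote(parts.username)
    if parts.password is None:                    # ftp://user@host -> prompt
        return (user, None)
    return (user, unquote(parts.password))        # ftp://user:pass@host


def identity_leaks(html, user_email, send_email_as_password):
    """List inline ftp: URLs whose automatic login would carry user_email."""
    parser = InlineResources()
    parser.feed(html)
    leaks = []
    for url in parser.urls:
        login = ftp_login(url, user_email, send_email_as_password)
        if login and login[1] == user_email:
            leaks.append(url)
    return leaks


# Constructed sample page and address (hypothetical values).
PAGE = ('<p>hi</p><img src="http://example.org/a.gif">'
        '<img src="ftp://ftp.example.org/pixel.gif">')
EMAIL = "user@example.com"
```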
I've removed the code that uses the e-mail address as the FTP password for anonymous FTPs.
Does that mean that general-purpose ftp won't be accepted unless the user gives up their email? Greaaaaaaat... Can't have it both ways, I guess. What can be added as far as user control; inline vs non-inline, for example.

The FTP explanation certainly explains why my personal system is able to confuse the username part of it. And I know there's nothing anyone can do about the reverse-ip, but what about http referral field? Will there be a way to turn off (blank, actually) this field?

Jeff, your efforts are certainly appreciated - your ability to get these things done is most valuable.

Regarding the anonymizer: First, are there any working anonymizers yet? Second, is there any ISP that would be willing to give a home to the anonymizer?

Don

--
<don@cs.byu.edu> fRee cRyPTo! jOin the hUnt or BE tHe PrEY
PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39)
June 7&14, 1995: 1st amendment repealed. Junk mail to root@127.0.0.1
* This user insured by the Smith, Wesson, & Zimmermann insurance company *
Jamie Zawinski writes: [...]
Very, very early betas of Netscape (around 0.6 or so, I think) did give away whatever the previous page was, and I think old versions of Mosaic did so as well.

Netscape still had this bug in late 0.9x beta versions (that you still got plenty of url encoded passwords early last year) Lynx had it at least up to 2.3.7, etc...
dl -- Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept
Jeff Weinstein wrote:
can do about the reverse-ip, but what about http referral field? Will there be a way to turn off (blank, actually) this field?
I would like to add a way to turn it off, but it won't happen in 2.0.
Something that a lot of people don't realize is that the HTTP referrer field is only sent when you've actually clicked on a link -- it does not just give away the last page you happened to be looking at, it only gives away pages that actually refer to the one you're going to. So if you're concerned about leaving a trail to a particular page, you can go there by pasting the URL into the Location field, or via a bookmark (menu item, not page), etc.

Very, very early betas of Netscape (around 0.6 or so, I think) did give away whatever the previous page was, and I think old versions of Mosaic did so as well.

--
Jamie Zawinski jwz@netscape.com http://www.netscape.com/people/jwz/
``A signature isn't a return address, it is the ASCII equivalent of a black velvet clown painting; it's a rectangle of carets surrounding a quote from a literary giant of weeniedom like Heinlein or Dr. Who.'' -- Chris Maeda
Don wrote:
I've removed the code that uses the e-mail address as the FTP password for anonymous FTPs.
Does that mean that general-purpose ftp won't be accepted unless the user gives up their email? Greaaaaaaat... Can't have it both ways, I guess. What can be added as far as user control; inline vs non-inline, for example.
I'm not sure I understand what you are saying, so I will try to re-state what we are doing. By default for anonymous FTP we will send the string "mozilla@" for the anon password. This is similar to Mosaic and Internet Explorer, which send "webuser@". If the user wants to send their real address, or anything else, they can type an ftp URL that will allow them to enter the password. I hope to add an option so that the user can decide for themselves to send or not send their identity. Note that we do not currently send the HTTP 'From:' header. Some users would like an option to turn it on.
The FTP explanation certainly explains why my personal system is able to confuse the username part of it. And I know there's nothing anyone can do about the reverse-ip, but what about http referral field? Will there be a way to turn off (blank, actually) this field?
I would like to add a way to turn it off, but it won't happen in 2.0.
Jeff, your efforts are certainly appreciated - your ability to get these things done is most valuable.
Thanks. I just wish I had been able to attend yesterday's cypherpunk gathering rather than having to fix this bug. Sigh.
Regarding the anonymizer: First, are there any working anonymizers yet? Second, is there any ISP that would be willing to give a home to the anonymizer?
I think that there are several. The one at CMU can be reached at http://anonymizer.cs.cmu.edu:8080/open.html. I thought that Sameer had one at c2.org, but a quick look at his web site didn't turn up anything.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
I think that there are several. The one at CMU can be reached at http://anonymizer.cs.cmu.edu:8080/open.html. I thought that Sameer had one at c2.org, but a quick look at his web site didn't turn up anything.
c2.org will be hosting the anonymizer shortly. We can't exactly run it off of our T1 though, so we have to wait a little while until we get T3 access.

--
Sameer Parekh                               Voice:   510-601-9777x3
Community ConneXion                         FAX:     510-601-9734
The Internet Privacy Provider               Dialin:  510-658-6376
http://www.c2.org/ (or login as "guest")    sameer@c2.org
participants (7)
- doclulu@infobahnos.com
- Don
- Jamie Zawinski
- Jeff Weinstein
- Laurent Demailly
- sameer
- Scott Brickner