Anonymity of CGI Proxy

The exchange of information in Internet is made by the “client - server” model. A client sends a request (what files he needs) and a server sends a reply (required files). For close cooperation (full understanding) between a client and a server the client sends additional information about itself: a version and a name of an operating system, configuration of a browser (including its name and version) etc. This information can be necessary for the server in order to know which web-page should be given (open) to the client. There are different variants of web-pages for different configurations of browsers. However, as long as web-pages do not usually depend on browsers, it makes sense to hide this information from the web-server.

What information transmits to a web-server (by a browser or proxy server):

• a name and a version of an operating system
• a name and a version of a browser
• configuration of a browser (display resolution, color depth, java / javascript support, etc.)
• IP-address of a client
• Other information

The most important part of such information (and absolutely needless for a web-server) is information about IP-address. Using your IP it is possible to know about you the following:

• a country where you are from
• a city
• your provider’s name and e-mail
• your physical address

Information, transmitted by a client to a server is available (accessible) for a server as environment variables. Every information unit is a value of some variable. If any information unit is not transmitted, then corresponding variable will be empty (its value will be undetermined).

These are some environment variables:

REMOTE_ADDR – IP address of a client
HTTP_VIA – if it is not empty, then a proxy is used. Value is an address (or several addresses) of a proxy server, this variable is added by a proxy server itself if you use one.
HTTP_X_FORWARDED_FOR – if it is not empty, then a proxy is used. Value is a real IP address of a client (your IP), this variable is also added by a proxy server if you use one.
HTTP_ACCEPT_LANGUAGE – what language is used in browser (what language a page should be displayed in).
HTTP_USER_AGENT – so called “a user’s agent”. For most browsers this is Mozilla. Furthermore, browser’s name and version (e.g. MSIE 5.5) and an operating system (e.g. Windows 98) is also mentioned here.
HTTP_HOST – is a web server’s name

This is a small part of environment variables. In fact there are much more of them (DOCUMENT_ROOT, HTTP_ACCEPT_ENCODING, HTTP_CACHE_CONTROL, HTTP_CONNECTION, SERVER_ADDR, SERVER_SOFTWARE, SERVER_PROTOCOL, ...). Their quantity can depend on settings of both a server and a client.

These are examples of variable values:

REMOTE_ADDR = 194.85.1.1
HTTP_ACCEPT_LANGUAGE = ru
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP_HOST = www.webserver.ru
HTTP_VIA = 194.85.1.1 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR = 194.115.5.5

Anonymity at work in Internet is determined by what environment variables “hide” from a web-server.

If a proxy server is not used, then environment variables look in the following way:

REMOTE_ADDR = your IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

According to how environment variables “hided” by proxy servers, there are several types of proxies.

Transparent Proxies

They do not hide information about your IP address:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = your IP

The function of such proxy servers is not the improvement of your anonymity in Internet. Their purpose is information cashing, organization of joint access to Internet of several computers, etc.

Anonymous Proxies

All proxy servers, that hide a client’s IP address in any way are called anonymous proxies.

Simple Anonymous Proxies

These proxy servers do not hide a fact that a proxy is used, however they replace your IP with its own:
REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = proxy IP

These proxies are the most widespread among other anonymous proxy servers.

Distorting Proxies

As well as simple anonymous proxy servers these proxies do not hide the fact that a proxy server is used. However a client’s IP address (your IP address) is replaced with another (arbitrary, random) IP:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = random IP address

High Anonymity Proxies (Elite proxies)

These proxy servers are called “high anonymity proxy” or "elite proxy". In contrast to other types of anonymity proxy servers they hide a fact of using a proxy:

REMOTE_ADDR = proxy IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

That means that values of variables are the same as if proxy is not used, with the exception of one very important thing – proxy IP is used instead of your IP address.

Summary

Depending on purposes there are transparent and anonymity proxies. However, remember, using proxy servers you hide only your IP from a web-server, but other information (about browser configuration) is accessible!

• name and real address of your provider (organization);
• real city, where are you now;
• name, phone and e-mail of your provider (person responsible for work of your local network / IP address);
• (for organizations) name of your organization;
• (for organizations) real address!

As you already know, there are anonymous proxy servers that can be used for surfing the web anonymously. It is also interesting to know, is there a way of tracking down a web-surfer behind an anonymous proxy server.
Yes, there are a number of possibilities not only to detect a visitor using several anonymous proxy servers, but also to detect his real IP even if he is using an anonymous proxy server.

Cookies

At first sight, cookies are not anyhow related to proxy servers. Cookies are used to transfer small portions of information from the web server to the client as an addition to the requested web page. This additional information is stored in the client s browser and is retrieved by the web server. Cookies can be both temporary (for one-time use during a web session; when the session is over, these cookies are deleted) and long-term (for continuous store on the client s machine).
So, why do we need cookies? For example, if the password is requested while checking your e-mail box. After you have entered the password, it is stored in cookies, so each time you browse from page to page, the web server would check the password in the cookies instead of asking for it on every page.

How can a cookie help to detect a proxy? You cannot detect IP with the help of cookies. However, when you first visit a web site, the IP (i.e. your proxy server s IP) is detected by the web server and then stored in the cookies. When you re-visit this site, the web server detects your IP again and checks it with the one stored in the cookies. If the IPs are not the same, the web server can make certain conclusions. And if you don't disable cookies in your browser, no proxy will help you (anonymizers can disable cookies and stop relaying them to your machine).

JavaScript / VBScript

There are special subprograms (scripts) run by the client s browser. Therefore, no matter how hard you try to setup your browser (unless you disable these active scripts), you won't be able to hide your real IP. These scripts are actually classified as simple programs and have very limited number of functions, however they are able to detect your IP as well as many other settings of your browser. These scripts can change your browser settings too!

There is a multilevel protection from these scripts. You can restrict a script from accessing your browser features. However, the best way to protect your browser is completely disabling active scripts. You can disable scripts directly in anonymizers.

Java

Unlike JavaScript, Java is a full-featured programming language. So Java scripts have many additional abilities (particularly, detecting or changing your browser settings). In other words, Java programs can easily detect your IP and partially the settings of your browser.

As far as it goes to protecting your IP from being detected by Java scripts, all is much more complicated: the most secure and probably the only way is to completely disable Java in browser settings, as long as Java has many network functions and it's quite difficult to switch them all off.

ActiveX and plug-ins

ActiveX and plug-ins are various add-ons and modules of your browser. These modules are in fact real proper programs run on the client s machine and therefore they have wider capacities than Java and Javascript. They can easily detect your browser settings and track down your real IP address. What's more, they can even easily change your proxy server s settings!

To secure your browser and IP address, disable ActiveX and plug-ins options in your browser settings.

Armour vs. bombs

The war between those who want to stay anonymous web-surfers and those who want to know all about their clients and visitors will never end. There always will be new ways of hiding your life inside the web, likewise there always will be new technologies to hack or to pass this protection.

You can secure your IP using several methods:

1. Restrictions
   • disable cookies
   • disable active scripts
   • disable Java
   • disable ActiveX
2. Use socksification in your browser. This will enable relaying all the information your browser or any other software sends and transfers to the proxy server.

The first method of protection is very easy to pass: it only takes building a site based on Java/JavaScript/Cookies (for example, dynamic menus, etc.). In this case, if you switch off the active scripts, the site will not work (e.g. if you disable cookies, your access to web mail servers may be denied).

The second method doesn't provide a 100% guarantee that your IP address will be really protected. Here's why. There are two methods to identify your IP:

1. A Java program connects directly to the Internet (without using proxy), even if your browser is set to work via proxy. So the server gets your real IP address from this Java program.
2. Your Windows settings may be scanned for your real IP address.

So, socksification can guard you from the first method of IP tracing, but it's totally useless when dealing with the second method.

What you need to do if you wish to stay anonymous with enabled Java/JavaScript/ActiveX:

What's the core of this task and what do you need to do in order to make it work?

1. hide real external IP address in Windows settings
2. disable direct connection to the Internet (route it only via an anonymous proxy server)

There are two options to solve this problem:

1. You need to set up LAN, local IP addresses (192.168.1.x or alike). A corporate proxy server should forwards ALL requests to a free anonymous proxy server (you need to have skills and rights of a system administrator in order to do that). It's impossible to connect to the Internet bypassing a corporate proxy, as long as external IP address is not assigned to local machines. It's also impossible to scan local machine's settings: even if Java/ActiveX applets detects and gives out your local IP address (192.168.1.x) to the web server, your anonymity will remain unbroken. So, basically, you can rate this option as 100% anonymity.
2. Install Firewall on your machine and restrict all the connections to the Internet (except for the anonymous proxy server) from a browser. It's also recommended to use port mapping for this free anonymous proxy server and define the browser's proxy as 127.0.0.1 with the local port from port mapping. However, this option can be insecure, because your real external IP address can be transferred to the server (the script will scan the Windows settings and detect your real IP).

And finally: any proxy server, especially a free proxy, keeps logs (reports) with detailed information on every IP sending requests to it as well as on the time of requests. So, any person or organization authorized to access this information can always find out what places in the web you have visited and what you did there, even if you use a chaining of 10 anonymous proxy servers located in different parts of the world.

Proxy chaining is merely connecting to more than one proxy and then to your intended destination. You can use as many proxy servers as you can or want. The more you have, the more anonymous you will be.

By using proxy chaining you will work by this way:

your computer => proxy1 => proxy2 => ... => proxy X => web-site

When you use proxy chaining software, in fact you create one "virtual proxy". And when you want to use chain proxy1 => proxy2 => ... => proxy X you need to use address of created "virtual proxy". This address you will know when you set up your chain of proxies.

Resume: proxy chain is way of using several (2,3, 10, etc.) proxy servers similar as one proxy server.

Remember: it doesn't matter how many proxies you chain together, you will never be 100% anonymous

Proxy chaining for HTTP proxies

For create proxy chaining you need use special software and proxy with SSL (Secure Sockets Layer) support.

To get HTTP proxy with SSL tunneling support you can use my program Proxy Checker. Just set "Connect to" field in "Options" to any https:// address and test proxies.

Proxy chaining for SOCKS proxies

For create proxy chaining you need use special software that can use SOCKS proxies.

Software to create proxy chain
for HTTP or SOCKS proxy

For example you can use program SocksChain. This program can use SOCKS (version 4 or 5) or HTTP (with SSL support) proxies to create virtual channel through proxies chain. Read SocksChain FAQ for information how to use program to create proxy chaining.
Read here about this and other software to work with proxy.

Proxy chaining for CGI proxies (anonymizers)

It's very easy. Just go to the first anonymizer's page and type URL of second anonymizer in the "URL" field. After this click "Go" or similar button.
This way you can create proxy chaining any length! And you can set up your browser to use HTTP proxy (for example, corporate proxy) with CGI proxies!

You can create these chains of misc proxy types:

Like this:

HTTPS proxy >> CGI proxy >> CGI proxy ...
or
SOCKS proxy >> HTTPS proxy >> CGI proxy
or
HTTPS proxy >> SOCKS proxy >> CGI proxy

You CAN NOT create these chains:

CGI proxy >> HTTP proxy
or
CGI proxy >> SOCKS proxy

What are advantages of e-mail via proxy ?

There are some :

1. increase of anonymity of mail sending / reception of mail
2. If an organization uses a corporate proxy and the Internet access is possible only through it then using an external-mail without proxy is impossible.

There are some variants of access to mail and for the each one its own way to use proxy servers.

Web mail

Web mail - is a mailbox with web interface. An example for such mail are Hotmail, Mail, Yahoo! Mail etc. It is enough to have access in Internet and a browser to use such mailboxes. In this case both getting and sending mail will be anonymous if you adjust your browser's proxy settings.

Web interface for POP3 servers

To get or send mail via POP3 / SMTP servers you can use the web interface. The web interface is a gateway which gives you access to POP3 to a server through your browser.
In this case for anonymous mail check/sending will be enough to set a proxy server in your browser.

Remailer - anonymous mail sending

You can also use remailer for anonymous mail sending . Remailer is mostly like the web mail. However there are also essential differences:

• you can specify any e-mail as a return mail
• remailer completely hides your IP address
• you cannot receive mail using remailer. only to send !

Since working with remailer you use a browser, it also possible to use an anonymous proxy server to connect to the remailer (double anonymity : anonymous proxy + remailer ).

Readdressing of letters - anonymous mail reception

If you want to hide your IP address from a mail server during reception of mail, it not a problem. There is a function of "mail gathering" in many free mail systems. So if you specify one mailbox to collect mail from the others mail servers, it will connect to the mail the specified servers and download letters. And you can get these letters from it later.

POP3 / SMTP mail

It's a bit more complicated to use mailing programs because they are not able to work through proxy.

There are 2 ways to decide this problem:

1. Socksification of mailing programs (+tunneling through HTTP proxy if possible).
2. Port mapping through proxy + adjustment of mailing programs.

You need set up HTTPort for use with e-mail client (Outlook, Messenger, Pegasus, The BAT!, etc.). You should have an account on an external mail server, which provides POP3/SMTP services.
Example: I use account on yahoo.com. I will explain the setup with Yahoo account. Yahoo provides POP3 / SMTP services by means of two servers: pop.mail.yahoo.com:110 and smtp.mail.yahoo.com:25 respectively.
Create two HTTPort mappings. These should mirror local ports 9110 and 9025 (or any other ports you like), to remote ports pop.mail.yahoo.com:110 and smtp.mail.yahoo.com:25. Set up your mail client to use server 127.0.0.1:9110 as a POP3 server, and 127.0.0.1:9025 as an SMTP server. This should work.

Depending on what exactly you want to do with FTP and on the type of proxy server you might have different problems during work with FTP through proxy. Bu, first of all we would like to inform you: any type of work with FTP through proxy server can be done only if you connect to FTP server in passive mode!

Work with FTP through SOCKS proxy

Download files from FTP through SOCKS proxy

It is very easy to do it. If you use any type of download manager which supports work over SOCKS proxy, you will be able to download files over FTP through SOCKS without any problems (you only should set up the work with FTP in passive mode).

The file management on FTP through SOCKS proxy

Once again, without any problems. Since SOCKS proxy supports any TCP/IP packets, then you can manage files on FTP server: upload to server, delete, replace, change attributies and anything else.

Work with FTP over FTP proxy

FTP proxy is specially intended for the work over FTP protochol, so you can easily use it in the same way as SOCKS proxy - you will don't have any problems in working with FTP server through FTP proxy, if you certainly use passive mode.

Work with FTP through HTTP proxy

This is the most frequent situation, which causes much more problems. Let us examine its in details.

download files from FTP through HTTP proxy

This operation is being acomplished without any problems principly, but only if your HTTP proxy supports FTP protocol. It is easy to check the support of this protocol by proxy server: just open any ftp:// URL through a proxy. If the site opens, then problem is solved: you can download files from FTP using this proxy server. But if the contents of FTP server are not opening , it means that your HTTP proxy does not support FTP.

You have only one way - use gateways to the access to FTP server. These gateways can be CGI proxies (see below how to use its) or WebFTP clients, which allows working with files on FTP server through HTTP protocol. You can find WebFTP client in Internet or on our "Anonymizers" section.

The file management on FTP through HTTP proxy

You can manage files over FTP (upload files on FTP server, delete/create files and folders, etc.) without any problems only if your HTTP proxy supports HTTPS protocol (HTTP+SSL). In this case you can make port mapping to FTP server using the program like Socks Connector, or use programs that can redirect your TCP/IP traffic through HTTPS proxy server (for example Socks2HTTP, SocksChain, SocksCap). All these programs are presented in the "Programs" section.
If your HTTP proxy doesn't support HTTPS, you have only one way - use WebFTP clients. You can find WebFTP client in Internet or on our " Anonymizers" section.

If the program itself cannot use a proxy server, it can "be learned" to do this. To do this you'll need some additional programs depending on the type of proxy.

Setting the program for SOCKS proxy

You need to use program socksification. SocksCap will socksificate any program i.e. redirect all requests to the socks proxy.

Setting the program for HTTPS proxy

To make a program work with a proxy server proxy it's necessary for the proxy server to support HTTPS protocol. Install a local SOCKS proxy server and redirect all requests to it on HTTP proxy. For socksification you need to use SocksCap, for tunneling SOCKS requests through HTTPS proxy server - use program Socks2HTTP.

Why do we need it ?

There are many reasons why you may need the tunneling of SOCKS requests through HTTP protochol. The most of them are:

• the program doesn't use HTTP proxy, only SOCKS;
• the program can't use proxy and hasn't internet settings - socksification is required , but SOCKS proxy is missing (socksification and socks tunneling through http is required);
• the corporative proxy (that uses in organisation) doesn't support SOCKS protochol (only http).

The essence of tunneling

Earlier HTTP proxy was passed only by web pages and pictures, and it was possible to download files over them. SOCKS proxy (in difference from http proxy) works not only with http, but also with any TCP/IP protocol. And here are extra ways of data exchange presented in new specifications of HTTP protochol. For example new method called "CONNECT" which can pass not only web pages and files through http proxy , but also any type of data. New proxy which support this specification of HTTP protochol are called HTTPS proxy ( CONNECT proxy).
They practically does not yield SOCKS proxy servers in their features (they can be formed up in chain in difference from "usual" http proxy). And the idea to make them interconnected was presented: if earlier only SOCKS proxy could "emulate" http proxy , then now the opposite situation is possible: SOCKS emulation by means of http (tunneling SOCKS requests through http proxy).

The adwantages of tunneling

1. SOCKS proxy unnecessary (or practically unnecessary);
2. you can emulate SOCKS proxy using http proxy if it is missing for some reason.

The disadwantages of tunneling

1. You can't increase the anonymity: if proxy is transparent, web-server "will see" your real IP adresss even if you use proxy chaining.
2. Not all http proxies support this method of work - they should correspond to specifications of HTTP 1.1 (to support the CONNECT method) for this.

The software necessary

You can't tunnel SOCKS request through HTTP proxy by using standard ways (programs). You should use special programs that allow SOCKS requests tunneling

You can execute SOCKS - requests tunneling through HTTP proxy using different programs. First of all it is Socks2HTTP. Also, you can execute this tunneling using such programs as HTTP-Tunnel , HTTPort , SocksChain , Socks Connector.

Since SOCKS protocol allows any TCP/IP connections (including POP3 & SMTP), you can easily use SOCKS proxy for working with programs, which can't use proxy servers.You should use program for socksification (socksificator) for using of SOCKS proxy. For example, SocksCap

Why you need to use socksification?

• to "make" the program use proxy server, if it can't do it;
• to "teach" the program to use SOCKS proxy (if the program can use only HTTP proxy).

How to socksify programs?

To socksify the program by using SocksCap , you need to do the following:

Install the program and setup it:

1. Push the button "New...".
2. In the presented window "New Application Profile" click "Browse..." and select the necessary program ( for example Outlook Express )
   Prompt: You need to specify the program filename - to find it's location, look into the properities of your program icon.
3. In the menu "File" select the point "Setup..." and enter the name and the port (usually 1080) of your socks proxy.
4. Specify the type of your proxy server (Socks 4 / Socks 5), and also (if it necessary) the login and the password.
5. Click "OK".
6. Now, to launch the program with using SOCKS proxy, double click on its name in the menu of the program SocksCap (from the program, not from the browser!)
7. It should work.

Several moments of the socksification

Not all programs can be socksified. You can socksify all the TCP/IP protocol and UDP (by using SOCKS 5 proxy). So, it is impossible to socksificate the following:

• ping , trcert - they use ICMP protocol. By the way it is impossible to let them come through proxy;
• active FTP protocol. There are passive FTP and active FTP. Passive FTP intends one connection by TCP/IP client with server. Active - two connections (for data exchange and commands exchange). That is why it is possible to socksificate (and "proxate") only passive FTP (it is supported by all the browsers).

Also, some programs can't be socksified - its can use special methods to "bypass" socksificators. You can try use diiferent programs for socksification for socksify these programs.

The IE 5 (and higher) Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.

1. Create a standard netscape proxy auto config (PAC) file.
2. Store the resultant file in the document root directory of a your web server as wpad.dat (Not proxy.pac as you may have previously done). You should be able to use an HTTP redirect if you want to store the wpad.dat file somewhere else. You can probably even redirect wpad.dat to proxy.pac:
   Redirect /wpad.dat http://other.server.com/proxy.pac
3. Be sure than if you do nothing more, a url like http://www.your.domain.name/wpad.dat should bring up the script text in your browser window.
4. Insert the following entry into your web server mime.types file. Maybe in addition to your pac file type, if you've done this before.
   application/x-ns-proxy-autoconfig ??? dat
   And then restart your web server, for new mime type to work.
   (you can try to skip this step)
5. Create/install/implement a DNS record so that wpad.your.domain.name resolves to the host above where you have a functioning auto config script running.
   Also you can use Hosts file at your computer for creating mapping:
   wpad.your.domain.name <IP-address your web-server>
6. Assuming Internet Explorer 5, under "Tools", "Internet Options", "Connections", "Settings" or "LAN Settings", set ONLY "Use Automatic Configuration Script" to be the URL for where your new wpad.dat file can be found. i.e. http://wpad.your.domain.name/wpad.dat
   Test that that all works as per your script and network. There's no point continuing until this works...
7. And finally, go back to the setup screen detailed in step 6 above, and choose nothing except the "Automatically Detect Settings" option, turning everything else off. Best to restart IE5, as you normally do with any Microsoft product... And it should all work.

Ordinarily, when you configure Web browsers to surf through a proxy server , you directly enter the IP address of the proxy server into each browser's "manual proxy configuration" window. If you later want to change the proxy's IP address, you have to manually re-configure each browser - a tedious task at best. A Proxy Auto Config file tells the browser to load its proxy configuration information from a remote JavaScript file, rather than from static information you enter directly.

In this file you can specify which proxies you can use and for every URL you can specify different proxy.

How to use PAC files?

Additional information about PAC files you can get here:
http://developer.netscape.com/docs/manuals/proxy/adminux/autoconf.htm

Format of Proxy Auto-Config files

Detailed desription of PAC files format see here:
http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html