Firewall Wizards mailing list archives
HTTP Proxy stripping actions
From: Dave Piscitello <dave () corecom com>
Date: Fri, 03 Mar 2006 19:38:15 -0500
I wrote an article about using an http proxy to strip cookies. Many behavior tracking companies have gone to great lengths to satisfy "legal" criteria so they are no longer called spyware/adware. Generally, the laws say "if you don't collect personally identifying information, you're not spyware." I think this is an overly simplistic definition that mollifies consumers but does little to satisfy security admins.
Anyway, I did an impromptu analysis of 3rd party cookies that pass the "it's not spyware" criteria. I looked at cookie caches of a half-dozen PCs in my office, and came up with a list of about 24 ad-serving cookies by simply visiting the web sites of cookie domains with strings like "ad", "click", and "hit". I read the privacy policy at each site, and decided that 20 of the 24 collected information I was not willing to share.
I added proxyStrip actions to my firewall proxy (with wildcarding on domains e.g., *hitbox.com, *valueclick.com).
It's absolutely amazing how many cookies I'm stripping; in fact, if I watch the realtime monitor, it's actually quite funny. FWIW, stripping the cookies doesn't appear to interfere with anyone's "web experience" :-)
To confirm the proxy actions worked as I intended, I tweaked the proxy event logging up a bit so I was also able to see the HTTP proxy strip extraneous response headers like these (each line below is from a separate http response header):

Ad-Reach: Burst!Media\x0d\x0a
X-Generator: kornfeld6\x0d\x0a
X-Message: XRE response from Origin Server \x0d\x0a
X-Cache: HIT from qe45.friendfinderinc.com\x0d\x0a
X-Cache: MISS from oz.valueclick.com\x0d\x0a
X-Host: p1w12.geo.scd.yahoo.com\x0d\x0a
X-INKT-URI: http://www.carrielynnesworld.com//index.html\x0d\x0a
XRE response from IC \x0d\x0a
X-N: S\x0d\x0a
O_CREATIVE_ID: 220521\x0d\x0a
X-AspNet-Version: 1.1.4322\x0d\x0a
CM: 1.7\x0d\x0a
X-TR: 2\x0d\x0a
X-Pingback: http://blogs.securiteam.com/xmlrpc.php\x0d\x0a

BTW, the HTTP proxy I use by default strips all non-standard response headers and none of these are defined on pages like
http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/response_headers.asp

During my search thus far, I can't find 90% of the response header types I'm blocking.
I do know that 99% of the pages work just fine without them :-)

I'm posting to the list because (a) Marcus told me to and (b) I wonder if anyone knows where I might find information about these http response headers?
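The two stripping behaviours described in this post (dropping Set-Cookie for wildcarded domains and dropping non-standard response headers), as an added example that is not part of the original message and not the poster's firewall configuration. The allowlist is an abbreviated assumption, strip_response is a hypothetical name, and the sample response is constructed from header lines quoted in the post.

```python
from fnmatch import fnmatchcase

# Assumption: abbreviated allowlist of HTTP/1.1 response headers plus
# Set-Cookie; a production proxy would carry the complete set.
STANDARD_HEADERS = {
    "cache-control", "connection", "content-encoding", "content-length",
    "content-type", "date", "etag", "expires", "last-modified", "location",
    "server", "set-cookie", "transfer-encoding", "vary",
}

# Wildcard patterns as written in the post.
COOKIE_STRIP_DOMAINS = ["*hitbox.com", "*valueclick.com"]

# Constructed sample: header block only, status line omitted.
SAMPLE = (
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: id=abc123; domain=.valueclick.com\r\n"
    b"X-Cache: MISS from oz.valueclick.com\r\n"
    b"XRE response from IC \r\n"
    b"X-AspNet-Version: 1.1.4322\r\n"
)


def strip_response(host, raw):
    """Return (kept, stripped): kept header lines and (line, reason) pairs."""
    kept, stripped = [], []
    host = host.lower().rstrip(".")
    for line in raw.decode("latin-1").split("\r\n"):
        if not line:
            continue
        name, sep, _value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name or " " in name:
            # No "name: value" shape, like the bare "XRE response from IC".
            stripped.append((line, "malformed"))
        elif name not in STANDARD_HEADERS:
            stripped.append((line, "non-standard"))
        elif name == "set-cookie" and any(
            fnmatchcase(host, pat) for pat in COOKIE_STRIP_DOMAINS
        ):
            stripped.append((line, "cookie-domain"))
        else:
            kept.append(line)
    return kept, stripped


if __name__ == "__main__":
    for line, reason in strip_response("oz.valueclick.com", SAMPLE)[1]:
        print(f"strip [{reason}]: {line}")
```

Under fnmatch semantics a pattern such as *hitbox.com also matches unrelated hosts that merely end in the same string, so a deployment that needs exact subdomain scoping would pair hitbox.com with *.hitbox.com instead.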
