Closed Bug 284874 Opened 20 years ago Closed 20 years ago

header gives too much information

Categories

(SeaMonkey :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: gordonnilsen, Unassigned)

Details

User-Agent:       Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041124
Build Identifier: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041124

security problem.

Reproducible: Always

Steps to Reproduce:
1. www.grc.com
2. test browser header
3. It reports the internal address and fully qualified hostname and version
number of my squid server.



Expected Results:  
If you click on the secure button at grc.com it doesn't show it.
(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041124
> Build Identifier: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041124
> 
> security problem.
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1.www.grc.com
> 2.test browser header
> 3.It reports the internal address and fully qualified hostname and version
> number of my squid server.
> 
> 
> 
> Expected Results:  
> If you click on the secure button at grc.com it doesn't show it.

Steps to reproduce:
1. www.grc.com
2. scroll down & click on 'Shields up'
3. scroll down & click on 'Shields up'
You'll see three text boxes on the next page
https://www.grc.com/x/ne.dll?bh0bkyd2

The second gives your IP address and a reverse lookup to show you your complete
address including your provider.
Info in this box is not related to Mozilla!

Mozilla sends requests to Squid, and gets data from squid.
Squid connects to the internet, squid adds its own headers.
An IP address must be sent to grc, otherwise data sent from grc can't reach you.
Your IP address is something like your street address or your phone number.
The only difference: If you are on dial-in, you get a new IP address each time
you dial in. It's like getting a different room each time you check into a hotel.

Paste your IP into the whois search field top right at http://arin.net/ to see
which data are available about you and your provider.

On the next page http://www.grc.com/x/ne.dll?rh1dkyd2 I can click 'Browser
Headers' and see what Mozilla is sending:

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.grc.com
Referer: http://www.grc.com/x/ne.dll?rh1dkyd2
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050303
Content-Length: 31
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Secure: https://www.grc.com
Nonsecure: http://www.grc.com
MediaPort: 8092

Part of that data is technically required: the Accept field tells which files are
understood by your browser, and Accept-Language lists the languages you want to see
in order of importance, so if I put French in first position and English in
second position, a server will send me a file in French if available, otherwise
in English.
Referer is the part related to your privacy; it tells where you are coming from.
So if you click on a link on a porn site, the page you are going to knows where
you are coming from.
If you click on a link on a banking site, the application you are going to knows
you are coming from the banking site, not from somewhere else.
A referrer isn't sent when you are using bookmarks from your browser.
If your bookmarks file is on a webserver, maybe referrers are sent.

I'm resolving this bug as invalid, as you will see the same using other browsers
using squid. You will see a similar header like mine, if you don't use a proxy.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
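The reply's point that Squid, not Mozilla, adds the revealing headers can be checked from the receiving side. The following Python sketch is an added example, not part of the bug thread: it audits only proxy-added request headers for internal addresses, hostnames and product versions. The `Via` and `X-Forwarded-For` values are constructed samples of what a Squid proxy commonly adds, and the function names are hypothetical.

```python
import ipaddress
import re

# Request headers that a forwarding proxy adds, rather than the browser.
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded"}

# Constructed sample: a few browser headers from the thread plus two
# proxy-added headers with made-up values (assumption, not from the report).
SAMPLE = """\
Host: www.grc.com
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.8a5) Gecko/20041124
Accept-Language: en-us,en;q=0.5
Via: 1.0 proxy.corp.example:3128 (squid/2.5.STABLE7)
X-Forwarded-For: 192.168.1.10
"""

HOSTNAME = re.compile(r"(?=.*[A-Za-z])[\w-]+(\.[\w-]+)+")
PRODUCT = re.compile(r"[A-Za-z][\w.-]*/[\w.-]+")


def is_private(text):
    """True if text is an IP literal in a private/reserved range."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def audit(raw):
    """Return (header, kind, value) for each disclosure in proxy-added headers."""
    findings = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in PROXY_HEADERS:
            continue  # browser-sent header: not the proxy's doing
        for token in re.split(r"[\s,;()]+", value.strip()):
            # Drop a single ":port" suffix; leave IPv6 literals untouched.
            host = token.rsplit(":", 1)[0] if token.count(":") == 1 else token
            if is_private(host):
                findings.append((name.strip(), "internal address", host))
            elif PRODUCT.fullmatch(token):
                findings.append((name.strip(), "product version", token))
            elif HOSTNAME.fullmatch(host):
                findings.append((name.strip(), "hostname", host))
    return findings


if __name__ == "__main__":
    for header, kind, value in audit(SAMPLE):
        print(f"{header}: {kind} -> {value}")
```

On the Squid side, the `via` and `forwarded_for` directives in squid.conf control whether these two headers are added.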
You can tell Mozilla not to send info on where you came from (a.k.a referer):
http://ilias.ca/mozilla/browserfaq/#sendReferer