[fw-wiz] HTTP Proxy stripping actions



I wrote an article about using an http proxy to strip cookies.

Many behavior tracking companies have gone to great lengths to satisfy "legal" criteria so they are no longer called spyware/adware. Generally, the laws say "if you don't collect personally identifying information, you're not spyware." I think this is an overly simplistic definition that mollifies consumers but does little to satisfy security admins.

Anyway, I did an impromptu analysis of 3rd party cookies that pass the "it's not spyware" criteria. I looked at cookie caches of a half-dozen PCs in my office, and came up with a list of about 24 ad-serving cookies by simply visiting the web sites of cookie domains with strings like "ad", "click", and "hit". I read the privacy policy at each site, and decided that 20 of the 24 collected information I was not willing to share.

I added proxyStrip actions to my firewall proxy (with wildcarding on domains e.g., *hitbox.com, *valueclick.com).

It's absolutely amazing how many cookies I'm stripping; in fact, if I watch the realtime monitor, it's actually quite funny. FWIW, stripping the cookies doesn't appear to interfere with anyone's "web experience" :-)

To confirm the proxy actions worked as I intended, I tweaked the proxy event logging up a bit so I was also able to see the HTTP proxy strip extraneous response headers like these (each line below is from a separate HTTP response header):


Ad-Reach: Burst!Media\x0d\x0a
X-Generator: kornfeld6\x0d\x0a
X-Message: XRE response from Origin Server \x0d\x0a
X-Cache: HIT from qe45.friendfinderinc.com\x0d\x0a
X-Cache: MISS from oz.valueclick.com\x0d\x0a
X-Host: p1w12.geo.scd.yahoo.com\x0d\x0a
X-INKT-URI: http://www.carrielynnesworld.com//index.html\x0d\x0a
XRE response from IC \x0d\x0a
X-N: S\x0d\x0a
O_CREATIVE_ID: 220521\x0d\x0a
X-AspNet-Version: 1.1.4322\x0d\x0a
CM: 1.7\x0d\x0a
X-TR: 2\x0d\x0a
X-Pingback: http://blogs.securiteam.com/xmlrpc.php\x0d\x0a

BTW, the HTTP proxy I use by default strips all non-standard response headers, and none of these are defined on pages like

http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/response_headers.asp


During my search thus far, I can't find 90% of the response header types I'm blocking.

I do know that 99% of the pages work just fine without them :-)

I'm posting to the list because (a) Marcus told me to and (b) I wonder if anyone knows where I might find information about these http response headers?


begin:vcard
fn:David Piscitello
n:Piscitello;David
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
email;internet:dave@xxxxxxxxxxx
x-mozilla-html:FALSE
url:http://hhi.corecom.com/weblogindex.htm
version:2.1
end:vcard

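
The two strip behaviours described in the message above (dropping cookies for wildcarded ad domains, and dropping every response header that is not on a standard list), sketched as an added example. This is not the poster's firewall configuration or any vendor's proxy code; the allowlist is an abbreviated assumption, the function name is hypothetical, and the sample responses are constructed.

```python
from fnmatch import fnmatchcase

# Assumption: abbreviated allowlist of standard response headers.
STANDARD = {
    "cache-control", "connection", "content-encoding", "content-length",
    "content-type", "date", "etag", "expires", "last-modified", "location",
    "server", "set-cookie", "transfer-encoding", "vary",
}
# Wildcard domain patterns quoted in the post. Note "*hitbox.com" also
# matches any host that merely ends in "hitbox.com".
COOKIE_STRIP = ["*hitbox.com", "*valueclick.com"]


def filter_response(host, header_lines):
    """Split header lines into (kept, stripped); stripped holds
    (line, reason) pairs suitable for proxy event logging."""
    host = host.lower().rstrip(".")
    drop_cookies = any(fnmatchcase(host, p) for p in COOKIE_STRIP)
    kept, stripped = [], []
    for line in header_lines:
        name, colon, _value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name or " " in name:
            # No "name:" prefix, like the "XRE response from IC" line in the log.
            stripped.append((line, "malformed"))
        elif name not in STANDARD:
            stripped.append((line, "non-standard"))
        elif name == "set-cookie" and drop_cookies:
            stripped.append((line, "cookie-domain"))
        else:
            kept.append(line)
    return kept, stripped


# Constructed sample responses (header names from the post, values invented).
SAMPLE_AD = [
    "Content-Type: image/gif",
    "Set-Cookie: uid=constructed-value; path=/",
    "X-Cache: MISS from oz.valueclick.com",
    "XRE response from IC ",
]
SAMPLE_SITE = [
    "Content-Type: text/html",
    "Set-Cookie: session=constructed-value",
    "X-AspNet-Version: 1.1.4322",
]

if __name__ == "__main__":
    for host, hdrs in (("oz.valueclick.com", SAMPLE_AD), ("www.example.org", SAMPLE_SITE)):
        print(host, filter_response(host, hdrs))
```

Logging the reason alongside each stripped line gives the same kind of confirmation the raised event logging provided, and shows which rule removed a header if a page does break.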