Where’s Attribution?

Below are some examples from the wild, in various contexts, not limited to technology, where attribution tools are applied towards identification obfuscation. 

Telephony

Burner phones

Prepaid phone cards

Online VoIP providers

Call forwarding

Phone Booths

Computer Networking

VPNs

TOR

Web Proxies

IP Proxies

Tunneling Tools

Botnets

Technology Devices

Desktop virtual machine/emulators

Software based mobile phone emulators

The Internet

Anonymous accounts

Online personas

Organizations

Shell pass-through companies

Registered agents

Finance

Bitcoin

Prepaid cards

Money laundering

Government

Aliases

Journalism

Personas (again)

College

Fake IDs

Practicing strong attribution requires up to date tools and techniques, as the field for subverting attribution often evolves at its own equally fervent pace.

Obey the law!

The above linked articles are merely demonstrative of the respective tools being utilized for attributional aims. In sharing, we are not endorsing or advising practices violating any laws.

Why is AT&T [still] Altering My Outgoing Non-SSL HTTP Requests? Should I be Concerned?

Some background

In November of 2014, we did an analysis once news broke about Permacookies, the phenomenon whereby many carriers, including AT&T, Verizon, and Sprint, were altering outgoing non-SSL HTTP traffic and tagging such.

The implications then included the ability for sites to track users in the internet and thus the ability to get information on a user if a site was a partner.

After lots of reporting and mild internet outrage, they ceased this practice.

All HTTP headers aren’t created equal

An added “Via” HTTP header isn’t the same as what they were adding previously.

In the quest to deliver fast content to our network speed challenged devices, it appears AT&T is using some proxies, which is normal, trying to see if content is available on cached servers, and when not, the data is grabbed fresh, but... the proxy via which the request was made tags and forwards the request on to the content server, and thus in this case gives away some identifying information, ... which could be exploited for some sort of tracking.

The destination server could also identify a user as a possible AT&T customer by looking up their IP address in one of many IP Geo-location Services

What is our expectation of our Internet Service Providers (ISP)?

When we use the internet as provided by an ISP, at home or on the go, do we just expect a connection to the internet, or are we OK with the ISP breaking down and thus inspecting our data to try and optimize content delivery?

Who to have issue with?

Initially I was holding the ISP to the flame, not happy to see my traffic tagged. However, I am coming around to faulting the content provider. If all content providers provided their content encrypted, such would not be open for this specific inspection and modification. The content of an HTTPS request is only visible to the destination server and is delivered over and encrypted SSL tunnel.

Back then (we are pretty sure) they weren’t adding this tag

Looking back at our old Permacookie research with AT&T, we did not previously see this in the data.  It could be new, or as caching is subjective and open to other factors, it could have existed previously but we didn’t catch it.

Things to ponder

This is not the same as the Permacookie, but one’s data is still being modified and tagged, even if in this case it is innocuous.

It is something perhaps we take for granted, that when we make requests on the internet, they don’t go straight from device to destination.

In the process of routing and delivery, the various pieces of a seemingly simple web request are in fact a many things/sub-requests (including DNS, page content, page resources, etc) and are inspected and delegated to/by many hands.

Thus, I guess this is a reminder that each party can glean and in some cases alter the traffic as it passes through their gateways.

Other carriers

As of this week, in limited testing, Verizon and Sprint were not adding these headers to this specific request.

How to test for oneself?

Disconnect from WIFI

Go to our header echo page: http://attributionlabs.com/Home/Echo

Connect to WIFI

Go to our header echo page: http://attributionlabs.com/Home/Echo

Compare the headers you see

Some of our data points

Attribution Terminology 101

What follows is a discussion of attribution vocabulary, as a level-setting foundation to support future related dialogue.

Why does attribution matter to me?

If you could see yourself answering yes to any of the following, then you should, and maybe already do, think about attribution:

Does a restaurant Yelp review, or Uber feedback, affect future service you will receive?

Would your scraping of a web site from your own IP address alert the host you are scraping, and thus alter the content they serve you?

Do you desire to freely search Wikipedia while on vacation in China?

Do you want to view BBC online content, but live in the US, and are thus blocked, unless you use a VPN?

Do you want to engage in debate in an online chat forum, but not reveal your Facebook profile, and thus not be overt about who you are?

What is attribution?

The association of some detail, or act, to an entity

What are the core attribution types?

True/True-name attribution

To execute some act as, or associate some detail to, one’s real self, not using any mask

Unabashedly leaving feedback on a restaurant form, providing one’s phone number, email, signature and name

Mis-attribution

Purporting to execute some act as, or associate some detail to, another entity, real or fictitious

Spray paint graffiti on a wall and leave the signature of another artist

Non-attribution

Purporting to execute some act as, or associate some detail to, no entity, or an entity whose attribution is not known, or known to be associated to those seeking anonymity; Sometimes not being discovered as someone means hiding in a crowd, and thus the activity of attribution is often discoverable as such, someone seeking to be hidden, and out-able by tools and techniques of that trade, that a person being transparent about who they are would not employ; Overt anonymity

Making an anonymous comment on web form, by leaving out the name and email fields, by using email address from a anonymous email service, while using a privacy VPN provider

What are some more nuanced attribution types?

False-attribution

Purporting to execute some act as, or associate some detail to, a non-fabricated entity; mis-attribution to non-imaginary entity

In assigning charges to the Underhill account, Fletch was purporting to be part of that party, which he was not

Delayed attribution

Utilization of attribution, with some expiration, so that in-time a layer is peeled back; the layer below could be one’s true identity or yet another layer

One could leave lots of clues, all which are initially attributable to each other as being part of some treasure hunt, and once all the clues are worked out, the creator of the game is revealed

It is important to understand attribution because...

With varying motivations, entities can seek to mislead, or evade, the sensors that decipher attribution

Attribution can be applied in layers to mask identification

Attribution can be found in various contexts (i.e. organizational, financial, computer networks, telephony, technology devices), each having own respective tool-sets (i.e. pass-through LLC, prepaid credit card, VPN, burner phone, software based emulator)

A basis of understanding of different types and applications of attribution will assist readers in consuming the related posts to follow.

Additional Destination Host Proxy Testing

Today TheProxIsRight is launching extended destination host testing, whereby we explicitly test various popular hosts for any active proxies and score them for your consumption.  

Host testing now includes: Amazon, Kayak, Ticketmaster, TripAdvisor, Google, and Craigslist.

The results of this testing are of course provided in all the ways open active proxies are made available (Web, API, daily email, download, SMS, and Phone).

Please give such a go, and let us know what other hosts might be of value.

Cheers.

TheProxIsRight Crew

Code Sample Posted: Get & Use Proxy List

C#.NET sample of consuming dynamically populated / auto-refreshed list of open proxies and using said list to request resources with retries has been posted to GitHub.

https://github.com/AttributionLabs/OpenProxyList

Hope such is helpful to developers of any flavor.

Craigslist Proxies

Today we are launching a new category of proxies, those that are not blocked by the classifieds service Craigslist.

Proxy Detection

If you had tried to use a dirty proxy in the past with Craigslist you might have seen this fail note:

Testing

We now test all our proxies for Craigslist-ability, as can be seen below.

API

Craigslist proxies can be queried from the API:

https://theproxisright.com/api/proxy/get?onlyActive=true&onlySupportsCraigslist=true&minimumUptimePercentage=40&apiKey=YOUR_API_KEY_HERE

Don’t have an API key? Get a free or unlimited one here.

Pro-Tips: Craigslist appears to be savvy with its anti-proxy efforts, thus one might want to explore using anonymous proxies (onlyHighAnonymity=true) if numbers allow. Personally, I also like to use minimumUptimePercentage to secure a more reliable return. See query example above.

Proxy Types

Here are some other proxy types we test for that you can easily access/query.

Road-Map

We will look to add additional tests in the future to possibly include the following: Facebook, Pinterest, TicketMaster, Twitter, Yahoo, Yelp, Youtube. Please drop us a line to weigh-in with requests ([email protected]).

Disclaimer: We recommend you heed the the terms of service of destination servers you engage using proxies. You can read our take on the legality of proxies for more.

Network attribution detection service for outing proxied site visitors

We launched a new utility this week: Open Proxy Insights

Value:

Trusted service one can leverage to know if a site visitor is using an open proxy. Data is backed by actual testing, not 3rd party look-ups.

Usage (in a nutshell):

Include a JavaScript tag in your web page/site

Access a local variable (/subscribe to an event)

Know if a user is from an IP address presently or previously testing positive for being an open proxy.

Provide appropriate alternate workflows or messaging to user. 

Limitations/focus:

We currently have an obsessive focus on open proxies. Thus, with some confidence, if it is an open proxy in circulation, we'll properly flag it (as of this post, we are testing 594K proxies a day).

Road-map (things we could do in the future):

Expand the widget to do more expansive IP Address intelligence beyond simply using TheProxIsRight's vast aggregation and testing platform. It is formidable as-is, but focused. It has value, but probably has more value to a network attribution detection service to use as a trusted feed, than as the only thing a site owner uses to detect potential fraud.

Examine headers for proxy evidence, as we do in our anonymity tests for TheProxIsRight, or do a live evaluation from the browser via AJAX.

We could provide a preliminary finding (as we do now) and then do a live test using common ports to provide an updated score. (Note: We currently use a pub/sub architecture in JavaScript, so a site could just subscribe initially, and then hang around for updates.)

Aggregate (and test?) TOR exit nodes

Aggregate VPN exit nodes from common 3rd parties

Conclusion:

We put something out there. Please try it out. Please let us know if you have suggestions for improvement. Please let us know if there is a fantastic dirty IP Address widget out there we should take notice of.

99% Up-time Proxies

Announcing a new API parameter: Minimum Up-time Percentage

I was developing some software today, when I realized a third-party API I have been legitimately using for years, to this point unaware it had a rate limit I was apparently broaching, was intermittently rejecting requests when it saw consecutive requests of identical parameters.

I hacked coded a good-enough work around that utilized retries w/ the latter retries using proxies. Thus, try a few times, and if indeed there is an issue from my core IP address, then try a few more times from other IPs -- a prototypical "give me some reliable proxies" scenario.

Thus, I added one new parameter (minimumUptimePercentage) to TheProxIsRight's API, and in announcing such, I share the query I used, in eating my own dog food.

In laymans terms:

HTTPS

Low Latency

>= 99% Up-time

Presently Active

Most Recently Tested

Top 10 Meeting Above Criteria

The Query:

https://theproxisright.com/api/proxy/Get?apiKey=YOUR_API_KEY_HERE&onlyHttps=true&minimumUptimePercentage=99&maxResults=10&sortByLatestTest=true&onlyActive=true&onlyHighAvailLowLatency=true

Read the API documentation for more info.

Don't have a free API key yet? Get one here.

(image credit: www.owen.org)

Proxy Availability and the Rising Sun

An article came out roughly a month ago in Popular Science, about how people stop using the internet in some countries in the sleeping hours.

(Photo and original research credit: USC)

At TheProxIsRight, we've observed a possibly related trend: South American proxy availability appears to fluctuate regularly in a 24 hour cycle.

We haven't done a deep dive to investigate, but the hypothesis is that maybe power conservation in the evenings in certain areas is at play?

Anyway, just food for possible later thought consumption.

Follow-up queue: Why then don't we see the same flux in, ex. Africa on the continent-based chart. Perhaps there are just not enough proxies outside of South Africa (or other relatively broadband-heavy regions) to shape the trends for the continent as a whole?

Nerd Tool-Kit: Echo HTTP Header Web Page

This primitive page exists to tell you what HTTP headers your browser or code sends to destination web servers.

http://attributionlabs.com/Home/Echo

Nothing complex to see here, just echoing out what we see coming in. Useful tool for testing (ie what is your user agent, does your mobile carrier include a permacookie, ...)

Examples:

IOS 8.1, iPhone 5, Safari, Do Not Track Enabled

OSX Yosemite, Chrome

An Alternate Approach to Subverting the Permacookie

Purpose:

Mobile Internet Service Providers (ISPs) are violating their customer's privacy by tagging all unencrypted outgoing HTTP traffic one sends through them, which in turn becomes a tracking ID in multiple ways. Mitigation steps exist to combat this, to include use of VPNs to encrypt data from being read or altered by the ISP. However, we sought to explore other non-obvious approaches.

Approach/Hypothesis:

We explored ways to subvert his behavior by attempting to invalidate the data sent along by the ISP, or to halt the sending of such data/headers at all.

Briefly, our respective approaches were to send packets that already had the HTTP header populated with the appropriate name but with alternate values (i.e. adding a random but valid tracking ID to each packet, thus making the traffic inaccurate and unusable), as well as explored ways to get the ISP technologies to stop providing any tracking header at all.

Summary Finding:

Though not an exhaustive effort, in the end, we were unsuccessful to both ends. In the first case ISPs ignored the spoofed headers we provided, and in the latter experiments, we were unable to introduce any additional or altered header that caused the ISP to not include the tracking header. What we learned aided in our understanding of what is in place, and we think the sharing of the approach and knowledge gained could aid the respective public dialog. Thus we have published details of this research.

Background:

Many US mobile carriers are adding a tracking header to all outgoing unencrypted HTTP requests. They have different respective header names, but it is the same pattern and likely use of the same underlying technology.

It has been dubbed "permacookie" as it has a familial behavior to browser cookies. Client browser cookies are HTTP headers managed at the client machine-level and use a particular HTTP name. Permacookies are managed at the mobile ISP level, and have different HTTP header names depending on the cell carrier.

Risk & exposure:

Carriers are modifying all your unencrypted web activity by tagging all unencrypted HTTP requests with a unique custom header. This includes requests made by apps.

As carriers are embedding your unique ID, which can be used to query for demographic, geographic, and behavioral info, to every unencrypted HTTP request, sites can thus identify you immediately, over time, and across properties. Such can be used inclusively for filtering content, and customizing advertisements. (At the moment, less is known publicly on how it is being utilized by sites.)

In the news:

A few year back it was reported that "Routers from Juniper Networks will soon include Feeva's zipcode tracking software, assuming ISPs want it."

Weeks ago it broke that "Verizon Wireless was injecting identifiers that link its users to Web requests" and perverting users' privacy. Later others disclosed that Verizon was not alone.

As of this week, AT&T is claiming to cease use of it, for now, but no word from other carriers.

Are you tracked?

To see such for yourself, visit the sites below, first when on your carrier network, and then later via WIFI. Best approach is to turn off WIFI when executing the carrier test.

Lessonslearned.org's informative page identifies the carrier specific headers (See "Broadcast UID")

Our echo page shows all headers included in any request. If using a cell phone, tablet, or hot-spot for internet, the respective permacookie header will be present if such has been added.

Note: not all towers for the guilty carriers are active, but was for all used in our tests.

Techniques to combat:

Obvious: Encrypt the data so that the carrier router does not have chance to inject HTTP header (Method: SSL sites and VPNs)

Non-obvious: Trick ISP routers by altering requests so they see such as already accurately tagged or not requiring tagging (we discuss such below)

"Obvious" techniques to get around tracking:

Only use SSL sites and resources. Problem with this approach is that not all sites are SSL and even requests inside these sites might not be all SSL.

Use of trusted local anonymous HTTPS proxy. Problems with this approach: hard for lay-users, and who has a trusted local (ie before you hit the internet provider) proxy at their disposal? (Removed after some distance and clarity, as this did not solve the problem, though would allow one to modify outgoing traffic if indeed there was a way to trick the ISP into not tagging via pre-tagging.)

Use of a trusted anonymous HTTPS proxy that strips these headers. Problem with this approach: requires special proxy tuned to remove these headers, and the ISP is still tracking your use, though destination sites would be prevented from seeing such

Use of trusted VPN. This is the best approach as you gain an all ports all protocols tunnel from you to VPN node, while the ISP is in the dark and prevented from seeing/modifying any requests. Problem with this approach: such requires constant connection to a VPN from your mobile device.

Note: proxies are a primitive tool requiring semi-sophisticated technical background, thus not best approach for lay-users. "Non-obvious" approach explained:

We did some light research and development to see if we could attack this from another angle. Specifically, we explored adding fake tracking headers to HTTP requests and seeing if the ISP routers would then not add their own tracking headers, thinking such were already accurately tagged. Following, user X might not be tracked or exposed, and we could poison the well of tracking and exposing users to sites. We also tried modifying and adding other headers (ie DNT) to see if such had any effect.

Unfortunately, we were initially unsuccessful in this hypothesis, as AT&T always added their own HTTP header, even when they saw our fake ones. We could re-open this effort in the future, but... as AT&T has claimed they will stop using the permacookie we decided to temporarily close the case and seek other attribution endeavors.

"Non-obvious" approach deep-dive:

We built a simple echo web page that outputted all headers for an incoming web request

We built a web page that itself made AJAX requests from one's local browser, via HTTP, to the above echo server

On the above page, there were 3 requests: one on page load, one via AJAX unaltered, and one AJAX with variations of AT&T's header added

The goal was to see if AT&T would not add it's own header if it saw an appropriately formed HTTP header already existing

To test, one need run the page above on their mobile device while not on WIFI

As noted above, this approach was unsuccessful in our quest to prevent the ISP router from adding a header attributed to us

We also observed that carriers ignored the Do Not Track (DNT) header when we included such

If we were successful in spoofing the header, we then planned to see if we could get different advertisements served to us, though we would have been required to locate a partner of AT&T that was consuming the header

Last words:

Our quest to subvert carrier unencrypted HTTP request tagging via spoofing was unsuccessful. We seek to contribute to the public dialog by sharing our approach and results. We will update this post if we continue this research in the future.

Don't Login Via Facebook, So Says Your Developer Guardian Angel

Take it from an attribution focused application developer, avoid logging into sites/apps via social media accounts (Facebook, Google+, Twitter, ...) out of convenience, if you value your privacy. Doing so exposes an expansive snapshot of oneself and one's social network. For the majority of circumstances, the cost outweighs the benefit.

What you give up (will vary*):

Your personal information

Your likes

Your friends/social contacts and some amount of their info

Your posts and activity on the network

Site may use your activity feed to promote their app, and expand their user base via your organic reach

Though you can revoke anytime, nothing prevents a site from retaining what was captured

What you have to gain:

Do not have to remember login for this site

Site is customized to your likes and demographic (can be powerful value add user experience, if executed well)

Can revoke site's future access to your info with a click

You definitely may get a more customized user experience, but at what cost? If you do so just to avoid creating another account, and there isn't a great user experience customization the site provides, it might not be worth the convenience.

Third-party app logins are often promoted as "one click and you are in", however, it is more like "one click, and that company now has all your friends' emails, your demographic information, your likes, your posts, possibly the ability to post to your social network to promote their own brand, etc...". 

As an application developer myself, I would love for you to login via Facebook, but as your counsel... don't do it, unless you are aware of and require the associated features/value. Logging in via Facebook, or similar rich social networking app, with the appropriate permissions, provides valuable structured data that amounts to a marketing dossier, which can be leveraged, but also packaged as a commodity (ie you, and your network).

Make the convenience for security trade-off, if you must. Just make such an informed action, when required.

*OAuth2 requests, for example, include the specific scope of the requested access. Here is a visual view of what a developer can request access to from the Google ecosystem https://developers.google.com/oauthplayground/

----

A downside of not logging in via Facebook is that you'll need to manage yet another password. Hopefully you aren't using the same password for all your logins? For that tangential problem, we recommend Roboform, 1Password, or similar password management apps, which allow you to generate random passwords for every site, while securely storing such for you.

----

Update: Facebook has something coming out called Anonymous Login, which, is a remedy to this problem. It is currently in limited Beta, which, as we understand it, means not all apps are currently able to offer it.

Proxy Testing Minutia: Browser User-Agent Filtering Observation

Something we noticed, and felt like sharing before we allowed ourselves to forget:.

Proxies of type HTTPS that block on browser user-agents for HTTP requests, might not block for HTTPS

Example:

The below (23.105.129.122:10487) is an HTTPS proxy that gives the "Go Away." message when used w/ a browser user agent on an HTTP site, but allows the request for some* HTTPS site requests.

The Proxy:

HTTP Site Visit:

HTTPS Site Visit:

Following, in our testing, we'll mark such as "Browser NOT supported" if HTTP fails, and always test w/ HTTP even if the site supports HTTPS. In the future, we could add the nuance note of "filters browser user-agent http" vs "filters browser user-agent https"... which, on further thought, would be crazy, so, ... might just be easier for you to just find a different more usable proxy if Browser Support is not noted as enabled.

*Last Tidbit:

Due to proxies being fickle, and a block box, testing is often only semi-conclusive. Results are often not repeatable, and as such, what we share about a proxy is what we have last seen, though we test quite frequently.

Choosing the Right Proxy for the Job

Today we are announcing updates to our proxy lists that remedy these common proxy pain points:

"Google blocks this proxy"

"This proxy does not work in my browser"

Proxies are fickle beasts, let me count the ways: latency and availability can fluctuate from one request to another, your requests may be logged, you may be exposed to your destination, and so on.

We do extensive testing on proxies at TheProxIsRight and expose to you everything we learn about them. Per the above list, we provide last latency, up-time over last month, type (socks4,socks5, https, http), anonymity, location, etc. But that is all old news.

New News!

We just added two new tests, "Browser User-Agent Filtering" and "Google Access" and are exposing those you via all the ways you consume our proxies lists: download, email, API, and web.

New Tests Explained

"Filtering by User-agent"

Some proxies will evaluate the user-agent of the request and may block or redirect the request if certain criteria is met (often a "Go Away" message of some variety is seen). We determined filtering by web browser user-agents was common enough, and now test proxies for such filtering. (Examples below)

"Blocking by Destination Host"

As Google is a common host that users of proxies hit, it would be valuable to know in advance if a desired proxy is blocked. A common reason for Google to temporarily or permanently block a proxy is that said proxy could abusively query Google, going over whatever rate-limit Google deems normally acceptable.

Summary Testing Insight

If we find a proxy to be active via our normal REST (for HTTP/HTTPS) or SOCKS (4+5) tests, we now test two more times, once with a "browser user-agent" to our known truth destination host, and then one more time with Google as the destination, issuing a query w/ a predictable result. We then expose these as "supports_browser" and "supports_google".

It is not an exact science, as proxies can change their behavior, or just be overloaded or offline when you seek to use them, but these additional properties will help you in determining which proxies best suit your specific needs.

Proxy On Wayne!

Yes, Proxies Are Legal.

Google the legality of proxy use and you might find misleading headlines like those listed below and be concerned about the law's perspective, but fret not, proxies are not illegal.

US court rules proxies, IP switching illegal (bit-tech)

Is using a proxy server still legal? (IT World)

The misleading headline porn that "Proxies are illegal" is a mischaracterization of the central 3taps case as it relates to the Computer Fraud and Abuse Act (CFAA).

What follows is our proxied opinion on the legality of proxies, through insights on the critical case of the issue. (In other words, the author did not want anyone to consider such legal advice.)

The 3taps litigation began in 2012 when Craigslist filed a copyright infringement case against companies that were mining and re-purposing Craigslist postings data.  The Judge threw out the copyright claims because the posts were publicly available and there was nothing special about the lists. What remained of the case were the CFAA claims.  The CFAA is peculiar because the law is incredibly out of date and was written during a time when no one could conceive of the advances in technology that exist today (1986).  The problem with the CFAA is that it has a tasty provision that plaintiffs (and prosecutors) love.  It is “accessing a computer without proper authorization.”  The problem 3taps had was that after Craigslist told them to stop scraping their site, they then did it with proxies and were so bad at it they were found out. The judge likened 3taps’ activities to that of an unruly customer returning to a store after the store owner evicted him previously for bad behavior.  And, so it was with 3taps.  3taps was accessing Craigslist servers “without authorization” because 3taps was told to stop it.  Alas, it wasn’t the proxy that was the problem.  It was the “unauthorized access”.  The real problem is no one knows precisely what “unauthorized” really means.  The federal courts do not agree and the Northern District of California is just not the last word. It will be a long time before a good definition of what the CFAA’s provision means.   -Someone who didn't just stay at a Holiday-Inn Express last night

So, as we interpret such, the tool (in this case a proxy) is not illegal. Though, if used in unlawful acts, then yeah, risk assumed. One could ask, "Is a costume illegal?" Following the above logic, we would say no, but surely one could wear a disguise in order to conceal oneself while breaking the law. As partaking in Halloween revelry is legal, so too can your use of proxies be.

We rest our case.

The Prox Is Right

Proxy Type Nomenclature

This is going to be a simplistic post about how we determine and label a proxy type.  As with all things in this blog, it is with 70% confidence that we post, until later redacted/updated when necessary -- in other words don't believe everything you read on the internet, because we've got a license to blog.

For each proxy in our present database (180K), roughly every five hours, we test all proxies to determine, are they up, do they have high anonymity, and for proxy type. (To clarify, we aren't "pinging" these servers, we are testing them as proxy servers, thus making requests through them.)

For each proxy, for each testing cycle, we execute four type tests:

HTTP

HTTPS

SOCKS4

SOCKS5

Depending on the results of the above tests, the proxy, until the next tested, if proven to be active, gets one of the labels noted below:

The resulting label is one of the five below:

HTTP

HTTPS (supports HTTP and HTTPS)

SOCKS4

SOCKS5

SOCKS4/5 (supports SOCKS4 and SOCKS5)

Take this knowledge with you, and you will kill at your next cocktail party.

Cheers.

TheProxIsRight Crew

P.S. Like charts? We do, see the break down of available proxy types at any time in our Availability Stats dashboard.

Proxy Anonymity Follow-up: Unique Proxy Configurations

This is a follow-up to the previous post we did on scoring proxy anonymity and really was the data that inspired us to talk about scoring.

Of the last pass we did on testing open proxies on the internet, we saw 811 unique proxy anonymity signatures, for those proxies that failed to be what we call high anonymity. Out of ~3000 total active proxies at the time.

Below are the most common signatures - raises some curiosity re: what types of proxy servers are out there and how they are configured: