I have long said that privacy services are all about trust. I this article demonstrating how to use a simple web proxy to compromise the users of that proxy. Of course, the operator of the proxy is being untrustworthy, but that is the whole point. If you don’t have a reason to specifically trust the operator of your privacy service, you need to assume that they are attempting to do you harm. Of course, the same argument applies to Tor. Literally anyone could be running that proxy for any purpose.
Everything is done via a stock SQUID proxy with small config changes.
The idea is pretty simple:
- [Server] Install Squid on a linux server
- [Cache] Set the caching time of the modified .js files as high as possible