From Newsgroup: alt.privacy

It's not easy finding a free no-registration Windows proxifier, but I've
been testing these two recently and they work to proxify almost any app.
<https://freecap.apponic.com/>
<https://freecap.apponic.com/download/>
Name: apponic_freecap_setup_eng.exe
Size: 1644848 bytes (1606 KiB)
SHA256: C3D4929AB5A5867A6BE9914FF94DEFEFED6762748EDB1E351C86EBC5A02D46EC

<https://freecap.software.informer.com/3.0/>
<https://freecap.software.informer.com/download/>
Name: informer_freecap_setup_eng.exe
Size: 1644848 bytes (1606 KiB)
SHA256: C3D4929AB5A5867A6BE9914FF94DEFEFED6762748EDB1E351C86EBC5A02D46EC

<https://sourceforge.net/projects/sockscap64/>
<https://netactuate.dl.sourceforge.net/project/sockscap64/SocksCap64-setup-3.6.exe>
Name: SocksCap64-setup-3.6.exe
Size: 6193115 bytes (6047 KiB)
SHA256: B2DA49EC9A2702CFD7625D3F152AF98A4C8E3E155DAB78686962BB3DF1F76825

I used FreeCap for a few weeks until I switched over to the slightly more modern & functional SocksCap64 tool to proxify apps w/o proxy capabilities.

In general, you'll need a proxy first, which Psiphon3 does for you:
<https://psiphon.ca/>
<https://psiphon.ca/en/download-store.html?psiphonca>
Name: psiphon3.exe
Size: 10402576 bytes (10158 KiB)
SHA256: DB1BAF76F0333F4743919A86F35037559F9E7DA7DF14982DFC16FB8DC0BE6BE2

Install location C:\apps\network\proxy\{psiphon,sockscap,freecap}\
Software archives C:\software\network\proxy\{psiphon,sockscap,freecap}\
Pullout menu C:\menus\network\proxy\{psiphon,sockscap,freecap}\

While we're at it, the following script helps both to report and to
sync Psiphon settings inside of Windows for apps that have proxy GUIs.
==< cut here for proxy.bat >==
@echo off
REM proxy.bat 20250820 v1.2
REM Use model: "Win+R > proxy" (proxy import if WinHTTP is unset)
REM Unified Windows proxy diagnostic tool with WinHTTP sync safeguard
REM "Win+R > proxy /sync imports WinINET proxy directly into WinHTTP
REM Reports: WinINET manual proxy, WinHTTP proxy, PAC/AutoDetect
REM HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\proxy.exe
REM Default=C:\sys\batch\proxy.bat
REM That App Paths key creates the convenient "Win+R > proxy" command
REM
setlocal

:: --- Quick /sync mode ---
if /i "%~1"=="/sync" (
echo Syncing WinINET proxy into WinHTTP...
netsh winhttp import proxy source=ie
echo Done.
pause
exit /b
)

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

echo ==============================================
echo WINDOWS PROXY CONFIGURATION SET/CHECK/FIX
echo ==============================================

REM --- WinINET (manual proxy) ---
echo.
echo [1] WinINET / Internet Settings
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable 2^>nul') do set ProxyEnable=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer 2^>nul') do set ProxyServer=%%B
if "%ProxyEnable%"=="0x1" (
echo Proxy is ENABLED
echo Proxy server: %ProxyServer%
) else (
echo Proxy is DISABLED
)

REM --- WinHTTP proxy ---
echo.
echo [2] WinHTTP proxy (system/background services)

REM Get current WinHTTP proxy setting
for /f "tokens=1,* delims=:" %%A in ('netsh winhttp show proxy ^| findstr /R /C:"Proxy Server(s)"') do set curWinHTTP=%%B

REM Trim leading/trailing spaces
set curWinHTTP=%curWinHTTP:~1%

if "%curWinHTTP%"=="" (
echo No WinHTTP proxy set - importing from WinINET...
netsh winhttp import proxy source=ie >nul 2>&1
) else (
echo WinHTTP proxy already set - leaving as is.
)

REM Show current WinHTTP proxy after check/import
netsh winhttp show proxy

REM --- PAC (Proxy Auto-Config) & AutoDetect ---
echo.
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL 2^>nul') do set PACurl=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul') do set AutoDetect=%%B

if defined PACurl (
echo PAC script set: %PACurl%
) else (
echo No PAC script URL found.
)

if "%AutoDetect%"=="0x1" (
echo Auto-detect is ENABLED
) else (
echo Auto-detect is DISABLED
)

echo.
echo ==============================================
echo Windows proxy set/check/fix complete.
echo ==============================================

endlocal
pause

==< cut here for proxy.bat >==
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.privacy

On Sun, 24 Aug 2025 09:48:33 +0100, Jim the Geordie wrote :

On 24/8/2025 2:28 am, D wrote:

best browser extension ever invented by man . . .

Firefox 142.0
Tools > Extensions and Themes [Ctrl+Shift+A]

Switched to it from Adblock for many years... couldn't quite remember
why. Something to do with Firefox changing its add-on mechanism.

Adblock started allowing certain ads through:

"Starting with version 2.0, Adblock Plus started allowing "acceptable
ads" by default,[72] with acceptable ad standards being set by The
Acceptable Ads Committee.[73] They charge large institutions fees to
become whitelisted and marked as "acceptable", stating "[Adblock Plus]
only charge large entities a license fee so that we can offer the same
whitelisting services to everyone and maintain our resources to develop
the best software for our users." on their about page.[74]"

From https://en.wikipedia.org/wiki/Adblock_Plus

uBlock Origin doesn't play that game.

If you use Brave Browser, no adblocking add-on is needed.

My two cents... bearing in mind I never used extensions until early July
when Epic Privacy Browser went bust... I'm building two sets of DIY privacy browsers where I've settled (currently) on almost a score of extensions
(not counting VPN extensions) which are the following currently for the Chromium side of the family (given it was easier than the Mozilla side).

Browser: Brave and/or Ungoogled Chromium (LibreFox and/or MullVad)
1. Canvas Blocker - Fingerprint Protect : version 0_2_2
2. ClearURLs : version 1_26_0
3. Cookie AutoDelete : version 3_8_2
4. CthulhuJs (Anti-Fingerprint) : version 8_0_6
5. Decentraleyes : version 3_0_0
6. Extension Manager : version 9_5_2
7. Font Fingerprint Defender : version 0_1_6
8. LocalCDN : version 2_6_79
9. Location Guard (V3) : version 3_0_0
10. Privacy Badger : version 2025_5_30
11. Referer Control : version 1_35
12. Skip Redirect : version 2_3_6
13. StayInTab : version 1_0
14. Trace - Online Tracking Protection : version 3_0_6
15. uBlock Origin : version 1_65_0
16. User-Agent Switcher and Manager : version 0_6_4
17. WebRTC Control : version 0_3_3
18. NoScript is useful, but I find it a PITA so it's disabled for now.

The question came up from Mr. Man-wai Chang about Adblock Plus.

While there will always be overlap when you have a score of extensions,
a. uBlock Origin is more efficient (apparently)
b. It's said to be more powerful in supporting advanced rule creation
c. It's said to support dynamic & cosmetic filtering
c. Critically, it doesn't have an "acceptable ads" program
d. And it's often considered more actively maintained

Since there is a large amount of overlap, I left AdBlock Plus out of the
mix of privacy extensions that I'm testing for the DIY privacy browser(s).

But I could be wrong as I must state openly I never touched extensions
until being forced to give up on my daily driver privacy browser in July.

Side Note: The VPN extension test covering a score of supposedly free, ad
free, registration free VPN extensions is still a work in progress
covering, so far, the following successful & failed VPN extensions:

These passed initial testing criteria (free, account free, ad free):
1. browsec
2. hoxx
3. securefreeedgevpn
4. setupvpn
5. vpnly
6. xvpn
7. 1clickvpn
8. 1vpn

These failed initial testing criteria (free, account free, ad free):
a. hiddenbatvpn
b. hidemevpn
c. hotspotshieldvpn
d. itopvpn
e. protonvpn
f. tunnelbearvpn
g. urbanvpn
h. windscribevpn

Correction: I correct an earlier assessment that all the VPN extensions
"slow down" drastically within days; I think some of that is due to the plethora of privacy-based extensions - so I switched the testing over to testing instead the free,adfree,registrationfree system-wide VPNs with a free-adfree-regfree socks5 proxy (Psiphon) and, for non-browser
applications, a free-adfree-regfree proxifier such as ProxyCAp64/FreeCap.

Note I found out the hard way that Mozilla browsers handle proxies very differently than do Chromium browsers, which themselves handle proxies differently than most programs do where Windows has three layers of proxies that I had to write scripts (e.g., proxy.bat which morphed yesterday to proxy.cmd due to Windows quirks) to synchronize manually the three proxy mechanisms what Windows should have synchronized automatically. Sigh.

Note also that there are too many free/regfree/adfree system-wide
openvpn.exe free public VPN servers out there to list (many thousands!) so
it will take a while before I test them all sufficiently to declare which
free system-wide VPN server set is the easiest & fastest as all require additional software (e.g., softether or openvpn.exe) and scripts (due to changing passwords mostly).

Lastly, I wasted days testing proxy servers, of which there are so many thousands out there that you'd go nuts trying them all, but they're all apparently abysmal in terms of reliability compared to the acceptable reliability of the free public no-registration openVPN services that I'm currently testing. After days of a miserable existence testing them,
writing script after script after script to deal with their ephemeral
nature, I gave up concluding that you'd have to have TLA-like resources to
keep up with the few proxy services which stay alive long enough to be
useful.

Apologies for the long-winded response but that's the status of my testing
in a nutshell, in the fewest words that still convey accurate assessment.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.privacy

On Sun, 24 Aug 2025 14:55:27 -0000 (UTC), Marion wrote :

Apologies for the long-winded response but that's the status of my testing
in a nutshell, in the fewest words that still convey accurate assessment.

UPDATE:

<https://psiphon.ca/>
<https://psiphon.ca/en/download-store.html?psiphonca>
Name: psiphon3.exe
Size: 10402576 bytes (10158 KiB)
SHA256: DB1BAF76F0333F4743919A86F35037559F9E7DA7DF14982DFC16FB8DC0BE6BE2

Install location C:\apps\network\proxy\{psiphon,sockscap,freecap}\
Software archives C:\software\network\proxy\{psiphon,sockscap,freecap}\
Pullout menu C:\menus\network\proxy\{psiphon,sockscap,freecap}\

Once you run psiphon3 free socks proxy, you start thinking of all the ways Windows sucks at proxies, and then you try to fix each of those ways.

Sigh.

Below is what took me all day today to build a modular proxy control system that handles all three Windows proxy layers: WinINET, WinHTTP, and PAC/AutoDetect. It launches Psiphon, waits for proxy ports to initialize,
and then runs pac.cmd to sync everything.

Because they hate encryption, the PAC file bypasses Gmail, Amazon, &
Copilot domains, while routing all other traffic through Psiphon's SOCKS
proxy.

These scripts support diagnostic modes, silent execution, & full reset functionality. Since I love the Windows "App Paths" registry key, I've also optionally integrated App Paths for seamless Win+R launching, and included clear usage instructions, versioning, and logging.

It might not be perfect, but I designed it to be portable, maintainable, & extensible. I'm sure there is more to do, but I'm done for today. ================================================================
Step 1: Launch Psiphon
Step 2: Wait for proxy ports to initialize
Step 3: It will then run pac.cmd to sync WinHTTP & apply PAC
Optionally run proxy.cmd for diagnostics & configuration ================================================================
To run "proxy.cmd" using the Windows taskbar-pinned "Win+R" RunBox:
Runbox > pac
Which calls the named App Paths key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pac.exe
Default=C:\data\sys\apppath\link\pac.lnk

Rightclick C:\data\sys\apppath\link\pac.lnk > Properties
TARGET=C:\Windows\System32\cmd.exe /c "C:\data\sys\batch\pac.cmd" ================================================================
To run "pac.cmd" using the Windows taskbar-pinned "Win+R" RunBox:
Runbox > pac
Which calls the named App Paths key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pac.exe
Default=C:\data\sys\apppath\link\pac.lnk

Rightclick C:\data\sys\apppath\link\pac.lnk > Properties
TARGET=C:\Windows\System32\cmd.exe /c "C:\data\sys\batch\pac.cmd" ================================================================
psiphon3.lnk
TARGET=C:\data\sys\batch\psiphon-launch.cmd

Win+R > gvim C:\data\sys\batch\psiphon-launch.cmd

@echo off
REM psiphon-launch.cmd v1.1 iX 20250901
REM Launch psiphon3.exe freeware & apply 3-way proxy sync/PAC
REM C:\data\sys\batch\psiphon-launch.cmd
REM Step 1: Launch Psiphon (which only syncs 1 of 3 Windows proxy types)
REM Step 2: Wait for proxy ports to initialize
REM Step 3: Run PAC setup (sync + PAC logic)
REM Note there are 3 different Windows proxy types. Sigh.
REM Type 1: WinINET iX used by IE, Edge (legacy), MS Office & most apps
REM Type 2: WinHTTP iX used by system services like Windows Update
REM Type 3: PAC/AutoDetect iX used by browsers like Chrome, Edge, & Firefox
REM (but Mozilla browsers have to be set first to respect system proxies).

if not exist "C:\app\network\psiphon\psiphon3.exe" (
echo ERROR: Psiphon executable not found.
exit /b
)

start "" "C:\app\network\psiphon\psiphon3.exe"

REM Wait a few seconds for Psiphon to initialize
timeout /t 5 /nobreak >nul

if not exist "C:\data\sys\batch\pac.cmd" (
echo ERROR: pac.cmd not found.
exit /b
)

REM Run PAC setup silently
start "" "C:\data\sys\batch\pac.cmd" /silent

================================================================
Win+R > gvim C:\data\sys\batch\proxy.pac

/* proxy.pac v1.0 iX 20250901
Bypasses proxy for:
- *.google.com, *.gmail.com, *.amazon.com
- *.copilot.microsoft.com
All other traffic routed through SOCKS proxy at 127.0.0.1:1080
*/

function FindProxyForURL(url, host) {
// Bypass Gmail and Google services
if (shExpMatch(host, "*.google.com") ||
shExpMatch(host, "*.gmail.com") ||
shExpMatch(host, "mail.google.com")) {
return "DIRECT";
}

// Bypass Amazon
if (shExpMatch(host, "*.amazon.com") ||
shExpMatch(host, "amazon.com")) {
return "DIRECT";
}

// Bypass Microsoft Copilot-related domains
if (shExpMatch(host, "*.copilot.microsoft.com") ||
shExpMatch(host, "*.bing.com") ||
shExpMatch(host, "*.microsoft.com")) {
return "DIRECT";
}

// Everything else goes through Psiphon SOCKS proxy
return "SOCKS 127.0.0.1:1080";
}

================================================================
Win+R > gvim C:\data\sys\batch\pac.cmd

@echo off
REM pac.cmd v1.5 iX 20250901
REM Sync WinHTTP proxy & apply PAC logic for selective domain bypass
REM Used after Psiphon starts to align all three Windows proxy layers
REM ---------------------------------------------------------------
REM Step 1: Sync WinINET proxy into WinHTTP (used by system services)
REM Step 2: Apply PAC script & enable Auto-Detect (used by browsers)
REM ---------------------------------------------------------------
REM Usage:
REM pac Sync WinHTTP & apply PAC
REM pac /silent Suppress final pause
REM pac /status Show current proxy settings
REM pac /test Run diagnostics only
REM pac /nopac Disable PAC & Auto-Detect
REM pac /help Show usage instructions
REM ---------------------------------------------------------------

REM --- /help flag: show usage instructions ---
if /i "%~1"=="/help" (
echo Usage:
echo pac Sync WinHTTP & apply PAC
echo pac /silent Suppress final pause
echo pac /status Show current proxy settings
echo pac /test Run diagnostics only
echo pac /nopac Disable PAC & Auto-Detect
echo pac /help Show usage instructions
exit /b
)

REM --- Log start ---
echo [%DATE% %TIME%] Running pac.cmd >> C:\data\sys\logs\proxy.log

REM --- Check for proxy.cmd ---
if not exist "C:\data\sys\batch\proxy.cmd" (
echo ERROR: proxy.cmd not found.
exit /b
)

REM --- /status: show proxy diagnostics only ---
if /i "%~1"=="/status" (
start "" "C:\data\sys\batch\proxy.cmd" /silent /status
exit
)

REM --- /test: alias for /status ---
if /i "%~1"=="/test" (
echo Running proxy diagnostics only...
start "" "C:\data\sys\batch\proxy.cmd" /silent /status
exit
)

REM --- /nopac: disable PAC & Auto-Detect ---
if /i "%~1"=="/nopac" (
echo Disabling PAC & Auto-Detect...
start "" "C:\data\sys\batch\proxy.cmd" /silent /nopac
exit
)

REM --- Step 1: Sync WinINET into WinHTTP ---
echo Running proxy sync...
powershell -Command "Start-Process -FilePath 'cmd.exe' -ArgumentList '/c \"C:\data\sys\batch\proxy.cmd\" /sync' -NoNewWindow -Wait"

REM --- Step 2: Apply PAC logic ---
echo Applying PAC logic...
powershell -Command "Start-Process -FilePath 'cmd.exe' -ArgumentList '/c \"C:\data\sys\batch\proxy.cmd\" http://127.0.0.1/proxy.pac' -NoNewWindow
-Wait"

REM --- PAC summary for user ---
echo PAC logic: Bypassing proxy for Gmail, Amazon, & Copilot domains.
echo All other traffic routed through SOCKS proxy at 127.0.0.1:1080

REM --- Final pause unless /silent ---
if /i "%~1"=="/silent" (
exit
)

echo.
echo Press Enter to close...
pause >nul
exit


================================================================
Win+R > gvim C:\data\sys\batch\proxy.cmd

@echo off
REM proxy.cmd v1.8 iX 20250901
REM Unified Windows proxy diagnostic + configuration tool
REM Supports: WinINET proxy, WinHTTP proxy, PAC/AutoDetect
REM ---------------------------------------------------------------
REM Usage:
REM Win+R > proxy Run normally
REM Win+R > proxy /help Show usage instructions
REM Win+R > proxy /sync Sync WinINET proxy into WinHTTP
REM Win+R > proxy http://url.pac Set PAC URL
REM Win+R > proxy /nopac Disable PAC & Auto-Detect
REM Win+R > proxy /status Check status only
REM Win+R > proxy /reset Clear all proxy settings
REM Win+R > proxy /silent Suppress final pause
REM Win+R > proxy /silent /sync Combine flags
REM ---------------------------------------------------------------
REM Proxy Types:
REM Type 1: WinINET iX used by IE, Edge (legacy), MS Office & most apps
REM Type 2: WinHTTP iX used by system services like Windows Update
REM Type 3: PAC/AutoDetect iX used by Chrome, Edge, & optionally Firefox
REM Firefox must be set to "Use system proxy settings" to honor PAC
REM ---------------------------------------------------------------

REM --- /help flag: show usage instructions ---
if /i "%~1"=="/help" (
echo Usage:
echo proxy Run normally
echo proxy /sync Sync WinINET proxy into WinHTTP
echo proxy http://... Set PAC URL
echo proxy /nopac Disable PAC & Auto-Detect
echo proxy /status Show current proxy settings
echo proxy /reset Clear all proxy settings
echo proxy /silent ... Suppress final pause
exit /b
)

REM --- Log command to proxy.log ---
set LOG=C:\data\sys\logs\proxy.log
echo [%DATE% %TIME%] %cmdcmdline% >> %LOG%

REM --- Begin scoped environment ---
setlocal

set KEY="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

REM --- Detect /silent flag & shift argument list ---
if /i "%~1"=="/silent" (
set SILENT=1
shift
)

REM --- /reset: clear all proxy settings ---
if /i "%~1"=="/reset" (
echo Resetting all proxy settings...
reg delete %KEY% /v ProxyEnable /f >nul 2>&1
reg delete %KEY% /v ProxyServer /f >nul 2>&1
reg delete %KEY% /v AutoConfigURL /f >nul 2>&1
reg add %KEY% /v AutoDetect /t REG_DWORD /d 0 /f >nul
netsh winhttp reset proxy >nul 2>&1
echo All proxy settings cleared.
goto SHOWCONFIG
)

REM --- /status: show current proxy configuration ---
if /i "%~1"=="/status" (
echo Displaying current proxy configuration...
goto SHOWCONFIG
)

REM --- /sync: copy WinINET proxy into WinHTTP ---
if /i "%~1"=="/sync" (
echo Syncing WinINET proxy into WinHTTP...
netsh winhttp import proxy source=ie
echo Done.
goto SHOWCONFIG
)

REM --- /nopac: disable PAC & Auto-Detect ---
if /i "%~1"=="/nopac" (
echo Disabling PAC & Auto-Detect...
reg delete %KEY% /v AutoConfigURL /f >nul 2>&1
reg add %KEY% /v AutoDetect /t REG_DWORD /d 0 /f >nul
echo PAC & Auto-Detect disabled.
goto SHOWCONFIG
)

REM --- Set PAC URL if provided ---
if not "%~1"=="" (
echo Setting PAC script URL: %~1
reg add %KEY% /v AutoConfigURL /t REG_SZ /d %~1 /f >nul
reg add %KEY% /v AutoDetect /t REG_DWORD /d 1 /f >nul
)

REM --- Diagnostic output block ---
:SHOWCONFIG
echo ==============================================
echo WINDOWS PROXY CONFIGURATION SET/CHECK/FIX
echo ==============================================

REM --- WinINET proxy status ---
echo.
echo [1] WinINET / Internet Settings
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyEnable 2^>nul')
do set ProxyEnable=%%B
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v ProxyServer 2^>nul')
do set ProxyServer=%%B
if "%ProxyEnable%"=="0x1" (
echo Proxy is ENABLED
echo Proxy server: %ProxyServer%
) else (
echo Proxy is DISABLED
)

REM --- WinHTTP proxy status ---
echo.
echo [2] WinHTTP proxy (system/background services)
for /f "tokens=1,* delims=:" %%A in ('netsh winhttp show proxy ^| findstr
/R /C:"Proxy Server(s)"') do set curWinHTTP=%%B
set curWinHTTP=%curWinHTTP:~1%
if "%curWinHTTP%"=="" (
echo No WinHTTP proxy set iX importing from WinINET...
netsh winhttp import proxy source=ie >nul 2>&1
) else (
echo WinHTTP proxy already set iX leaving as is.
)
netsh winhttp show proxy

REM --- PAC / AutoDetect status ---
echo.
echo [3] PAC / AutoDetect
for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoConfigURL

nul') do set PACurl=%%B

for /f "tokens=2,* skip=2" %%A in ('reg query %KEY% /v AutoDetect 2^>nul')
do set AutoDetect=%%B
if defined PACurl (
echo PAC script set: %PACurl%
) else (
echo No PAC script URL found.
)

REM --- PAC logic summary if using proxy.pac ---
if /i "%PACurl%"=="http://127.0.0.1/proxy.pac" (
echo PAC logic: Bypassing proxy for Gmail, Amazon, & Copilot domains.
echo All other traffic routed through SOCKS proxy at 127.0.0.1:1080
)

if "%AutoDetect%"=="0x1" (
echo Auto-detect is ENABLED
) else (
echo Auto-detect is DISABLED
)

echo.
echo ==============================================
echo Windows proxy set/check/fix complete.
echo ==============================================

endlocal

REM --- Final pause unless /silent ---
if not defined SILENT (
echo.
echo Press Enter to close...
pause >nul
)
exit

================================================================
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.privacy

R.Wieser wrote:

I've got no idea what program/DLL/other you are
talking about - and as such no idea why you call it a proxy.

For all to benefit, since I'm wired to be helpful as well as to learn,
my first experience with the Windows proxy mechanism was in the olden days
when we had to proxify tor (well before the tor browser bundle existed).

Before Firefox and before the Tor Browser Bundle, using Tor was like
assembling IKEA furniture without instructions. You had to run Tor
separately, then manually configure each app to use it as a SOCKS proxy. It worked for some people, but I always had problems with the socks proxy.

Since those days (probably around 2001 or so) I haven't touched proxies.
Until the Epic Privacy Browser died that is, about a month or so ago.

So I built my own DIY privacy browser, which is pretty much finished.
But then I wanted to add a proxy on top of the VPN on top of the VPN.

It's slow. But it works. All using freeware that anyone can use too.
No registration necessary (as I don't use tools that need an account).

The free proxy I'm using for Windows is Psiphon <https://psiphon.ca/>
C:\software\network\proxy\psiphon\psiphon3.exe
Name: psiphon3.exe
Size: 10402576 bytes (10158 KiB)
SHA256: DB1BAF76F0333F4743919A86F35037559F9E7DA7DF14982DFC16FB8DC0BE6BE2

A proxy is an intermediary server that routes your internet traffic.

That is, instead of connecting directly to a site, your request goes
through the proxy which forwards it on your behalf for the purpose of
a. Hiding your IP address
b. Bypassing censorship
c. Adding an additional layer of anonymity (e.g., to a VPN setup)

There are different types of proxies, but mainly I seem to see only two:
A. HTTP proxies - for web traffic only
B. SOCKS proxies - which are more flexible so they're used by Tor

Windows uses 3 proxy configuration methods to accommodate different environments, user needs & network policies. These mechanisms are:
1. Automatic Detection (WPAD)
2. Automatic Configuration Script (PAC file)
3. Manual Proxy Setup

Windows checks these settings in a layered way, for example,
1. If Auto Detect is enabled, Windows tries WPAD first.
2. If a PAC file is specified, Windows uses that next.
3. If Manual settings are entered, they override the others

Frustratingly though, each method is completely different. Sigh.
1. Automatic Detection uses WPAD to find proxy settings via DHCP or DNS
2. PAC File (Auto Script) loads a JavaScript-based file for routing logic
3. Manual Configuration sets the proxy server address & port

The script I supplied checks proxy mechanisms in the reverse order:
3. WinINET (Manual Proxy Setup)
2. WinHTTP (System Proxy) Automatic Configuration Script (PAC file)
1. PAC / Auto-Detect (Automatic Detection + PAC File) (WPAD)
The script checks them, and then sets them if they're not set.

Specifically
3. WinINET is checked first via registry keys
'ProxyEnable' and 'ProxyServer'.
2. WinHTTP is checked next using 'netsh winhttp show proxy'
1. PAC / AutoDetect is checked last via registry values for
'AutoConfigURL' and 'AutoDetect'

This order makes sense for diagnostics:
- WinINET is user-level and most commonly used.
- WinHTTP is system-level and often inherits from WinINET.
- PAC/AutoDetect is more dynamic and optional, so it's checked last.

Note the '/sync' flag explicitly copies WinINET settings into WinHTTP, reinforcing that WinINET is the primary source and WinHTTP is secondary.

In summary, the question is simply why do 3 completely different proxy mechanisms exist in Windows. I'm hoping to find someone who knows why.

If nobody knows more than I do, then at least everyone can learn from my
recent experience using Psiphon freeware with Microsoft Windows browsers.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.privacy

R.Wieser wrote:

That is, instead of connecting directly to a site, your request
goes through the proxy

Yep. But what was/is its intended purpose ?

A proxy like Psiphon reroutes traffic. Instead of going directly to a site, your request goes thru Psiphon, which masks your IP & may encrypt some
data. It's useful for bypassing blocks, switching IPs fast or adding light obfuscation, where you get speed and IP obfuscation as the benefit.

An "intended purpose" can vary, of course, depending on the privacy need.
1. Circumvent censorship
2. Hide IP
3. Add weak encryption
4. Chain with VPNs for layered privacy

My setup, for example, chains three levels (two of which are optional).
1. VPN (full tunnel)
2. Psiphon (proxy tunnel)
3. VPN browser (app-level tunnel)

Each adds a layer. You can use 1, 2 or all 3. More layers = more
obfuscation, but slower speed. Psiphon alone is fast & light.

It's good for quick IP switch or bypassing filters.

which forwards it on your behalf for the purpose of
a. Hiding your IP address

Your psiphon3 proxy is installed on your 'puter, and so it still uses your 'puters IP. No IP hiding possible.

True, Psiphon runs locally but tunnels traffic thru remote servers.
While Psiphon sees my IP address (if I run it first, that is), the
destination sees Psiphon's exit node's IP, not mine. That's IP masking.

Though that /side effect/ can be had (not a proxies purpose, so it could still 'leak' your IP).

Psiphon is definitely not perfect. Especially on Windows which is miserable
to set the proxy (remember, there are three different ways and each app
chooses one or none of those three different ways - so it is miserable).

You're right that a misconfig or leaks can expose your IP, which is why I
wrote the script to check and set the three different ways after all. :)

Used correctly, Psiphon hides your IP from visited sites, and if you put a
VPN before or after Psiphon (or both), then each is hidden from the other.

b. Bypassing censorship

I guess it could do that. A bit of a poor-mans and rather limited VPN I guess.

There's a trick that I don't fully understand so I hope others can flesh it out, but Psiphon and VPN "look different" to the ISP & to the web site.

Psiphon is designed to bypass censorship by tunneling traffic thru proxy & VPN-like methods. It uses a mix of SSH, HTTP & VPN protocols to evade
blocks. While not a full VPN, it routes traffic thru remote servers,
allowing access to restricted content.

It's not "limited" in purpose. It's optimized for reachability, not
encryption. To do that, Psiphon uses obfuscated protocols (SSH, HTTP, VPN)
to bypass blocks. It often mimics regular web traffic to avoid detection.
VPNs use standard tunneling protocols (OpenVPN, WireGuard, IPsec) that are easier to fingerprint.

TO the ISP, for example VPN (encrypted tunnel, known ports, predictable handshake) looks different than Psiphon (which may look like HTTPS or SSH, which could be harder to block due to it not looking suspicious).

To the destination website, the VPN IP exit server is often a known
datacenter, whereas Psiphon's exit node is intended to rotate or mimic residential exit nodes (as far as I can ascertain, anyway).

While it may or may not work, the point is that Psiphon may evade DPI or filtering better. VPN offers stronger encryption but is easier to detect.

c. Adding an additional layer of anonymity (e.g., to a VPN setup)

If your proxy hides your IP, than the VPN just re-hides it. What good does that do ? Also, a repeat of your first point.

To answer your question, let's go slowly here as the order matters (VPN
first Psiphon second versus Psphon first VPN second) and the fact that not every app respects proxy mattes too, as does the fact that proxies are
faster than VPN as does the fact that proxies look different to snoopers
than VPN, etc.,

See? I told you it's complicated.

That's why I'm asking for someone on this newsgroup who knows more than I
do because I only touched proxies 25 years ago and again, only a week ago.

So far you're the only one on this newsgroup who even seems to understand
it, where I was hoping someone would tell ME how this darn thing works.

Each layer masks different metadata. Stacking them splits trust.

For example, let's say I run system-wide VPN first & then Psiphon second.
1. The VPN server sees my real IP address & encrypts my traffic.
2. The Psiphon server sees only the VPN IP & forwards the traffic.
3. The final destination sees the Psiphon server
(which looks like a residential IP address).

The result is no single party sees the full picture. ISP sees VPN. VPN sees Psiphon. Psiphon sees destination. Destination sees Psiphon exit IP.

It's not redundant. It's compartmentalization.

The question still is why you think those two DLLs you named are proxies (I'm dropping the last one, as thats just a description of an intended functioning, not something you can have running on your 'puter)

Let's be clear that I never once mentioned DLLs. I didn't say WinINET or WinHTTP *are* proxies. I said they support proxy behavior. Windows apps use those APIs to apply proxy settings, including PAC/AutoDetect. PAC isn't a
DLL, it's a config script. AutoDetect uses WPAD or DHCP to find proxy
settings.

My question was about how Windows handles proxy routing, not about DLL internals.

I only started using proxies a week ago so I'm hoping something (anyone!)
on this newsgroup knows them better than I do as they're not intuitive.

Why do 3 completely different proxy mechanisms exist in Windows anyway?
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.privacy

That is, instead of connecting directly to a site, your request
goes through the proxy

Yep. But what was/is its intended purpose ?

A proxy is an intermediary between client and destination.

It can cache content, filter requests, mask the client IP, or bypass restrictions. Psiphon freeware can operate as a proxy, a VPN, or both.

What you are describing there is a VPN, with that Psiphon executable most likely to make configuring easier.

Psiphon freeware can be added on top of a system-wide VPN if desired. Then Psiphon freeware can function as a VPN or as an application-level proxy.

Psiphon freeware is limited though in that it can be one or the other.
Not both at the same time. That's just a quirk of that freeware though.

In VPN mode freeware encrypts and tunnels all traffic.
In proxy mode it handles selected traffic and may obfuscate it.

Than again, the above VPN is most always a simple forwarding service, not even allowing you access to the rest of the "VPN 'puter" you are conncting
to (its a misnomer, but a name one most users know. Like asperine).

Correct, commercial VPN services forward traffic without shell or file
access to the server. Nothing here adds access to someone else's 'puter.

And by the way: that (goes thru something which changes your IP) is what an internet modem/router does too. Yet, its not called a proxy ...

Routers perform NAT at lower layers.
A proxy operates at the application layer and can parse protocol data.

Same goes for your internet provider, or a search engine like DuckDuckGo
(and others). Those are not called proxies either.

Correct, they may relay traffic but are not user-configured intermediary proxies.

Mind you, although not mentioned, HTTP(S) proxies where meant to buffer requests for webpages...

Yes, HTTP proxies can cache content to reduce bandwidth and improve load
times for repeated requests.

My setup, for example, chains three levels (two of which are optional).
1. VPN (full tunnel)
2. Psiphon (proxy tunnel)
3. VPN browser (app-level tunnel)

I'm sorry, but #2 is meaningless to me. Whats the difference with #1 ?

#1 is a full-tunnel VPN encrypting all traffic. #2 is Psiphon in proxy
mode, routing selected traffic and often disguising it. Even more
miserable, in Windows, only some applications know how to use proxies.

For example, Mozilla browsers are great at using proxies, it turns out.
Sadly, Chromium browsers suck at using proxies. But the good news is some
have no problem using them (e.g., Brave) while others refuse (UC).

Go figure.

As for #1 and #3 ? That is most likely where the Psiphon executable comes into play...

Psiphon.exe freeware manages its own tunnel and can select which
applications or destinations use it. A browser VPN addon is app-scoped.

I don't think so. You can't have a "full tunnel" and at the same time a "app-level tunnel"...

Chaining is possible if the first tunnel allows the second to connect
through it. For example, most free public VPN servers are full tunnel.

With a full-tunnel VPN, Psiphon freeware (or another tunneling tool) can
run its own tunnel inside it without touching any extra settings because
the VPN client is already routing all outbound traffic through the VPN interface by default.

Let's speak carefully though as I'm chaining 3 different things in
different orders during testing so each situation can be different.
a. System-wide free no-registration public VPN servers
b. Browser-specific free no-registration public VPN extensions
c. The Psiphon no-registration freeware censorship circumvention tool

Your psiphon3 proxy is installed on your 'puter, and so it
still uses your 'puters IP. No IP hiding possible.

Indeed.

When Psiphon connects to a remote server, the destination sees the Psiphon
exit IP, not the local IP. The ISP still sees local IP unless another
tunnel is used first. If/when I chain tunnels, each sees only the prior.

Did you know that Windows has such a thing built-in...

A default gateway is part of IP routing, not a proxy.
It forwards packets without interpreting application-layer protocols.

No, the side effect of the proxying server...

VPN software can leak DNS or other traffic if not configured to route all protocols through the tunnel.

Than again, thats often a choice : use your own, locally configured DNS, or the one thats configured on the remote VPN server...

Agreed, local DNS can be faster, remote DNS keeps lookups inside the
tunnel. I recently posted a separate detailed tutorial on setting that up.

There's a trick that I don't fully understand...

Some tools disguise tunnel traffic to look like ordinary HTTPS or other
allowed protocols to avoid detection.

Psiphon *is* your VPN...

Psiphon can be the only tunnel or be chained with another VPN. In a chain
there is a first and a second, defined by which outer path the inner uses.

every app respects proxy matters too...

Some apps ignore system proxy settings. Proxies can be faster when they
avoid encryption, but performance depends on routing and load.

But I have no idea what the reason would be why a VPN would technically be slower than a proxy...

Encryption and encapsulation add overhead. Server distance and routing also affect speed. Sometimes just paying for the tools increases the speed.

The result is no single party sees the full picture...

Compartmentalization works if tunnels are chained correctly, though
metadata can still correlate flows.

It's not redundant. It's compartmentalization.

Understood.

I'm sorry, but are you now telling me that you would need both a VPN *and* a Psiphon server...

You do not need both. You can use only Psiphon, only a VPN, or chain them. Chaining adds complexity and latency. That's why I'm testing for the team.

It takes hundreds of hours to get where I've gotten to today, but with just
one tutorial, anyone can set up my setup in five minutes after I do that.

Like who strips the tunneled-but-not-looking-like-a-tunnel layer...

The endpoint that created the obfuscation removes it, then forwards plain tunneled data to the next hop.

Its much more likely that your local Psiphon.exe redirects your connection...

Psiphon uses an upstream infrastructure of servers and bridges to traverse filtering networks. Details vary by deployment.

Indeed, you didn't. You just mentioned both WinInet and WinHTTP...

They expose separate proxy configuration models for applications, but both
rely on the networking stack to connect to a proxy.

I said they support proxy behavior.

They support using a proxy by honoring configured settings and directing requests accordingly.

My question was about how Windows handles proxy routing...

Windows applies proxy settings from user, system, or auto config.
Applications using WinINet or WinHTTP can query and apply these settings.

Different APIs target different app types and contexts, but can point to
the same proxy address.

Why do 3 completely different proxy mechanisms exist in Windows anyway?

You have still not named which ones. :-(

Based on the information Andy kindly supplied I should have written the
query differently since Windows applications can discover proxy settings in three main ways.

Some use WinINet, which reads the per-user Internet Options settings from Control Panel or IE. Others use WinHTTP, which has its own per-service or machine-wide proxy configuration set with netsh or API calls. A third group bypasses both and uses the WinHTTP AutoProxy/WinINET PAC logic to fetch and parse a proxy auto-config (PAC) file or WPAD discovery, or implements its
own proxy handling entirely. Which method is used depends on how the application was written.

If I had known the answer was really about how Windows apps discover and
apply proxy settings, I could have made the subject line reflect that scope instead of implying three unrelated mechanisms. For example:
Re: How Windows apps use WinINet, WinHTTP, and auto-proxy to find settings

Or, with Andy's admonition in mind, this would have been shorter:
Re: How Windows apps determine proxy settings

Thanks for helping me better understand it's all about three discovery/configuration paths rather than three completely different mechanisms, which better matches the explanation we've ended up with.
--- Synchronet 3.21a-Linux NewsLink 1.2

From Newsgroup: alt.privacy

A PAC (Proxy Auto Config) file is a JavaScript file used by browsers or
other applications that support the PAC standard. For each URL or host it decides whether to send the request through a proxy or connect directly. It only works for software that can load and follow a PAC file. PAC files are generally limited to controlling HTTP and HTTPS traffic and do not handle other protocols such as IMAP or SMTP. Programs that ignore proxy settings
such as Thunderbird or Betterbird (which are not browsers) will not be affected.

To make Thunderbird follow proxy rules we need an external tool that can intercept its connections. My first choice would be an open source
proxifier such as SocksCap64 which can force Thunderbird to use a proxy. However SocksCap64 cannot apply different rules for different domains and
will send all traffic through the same proxy without selective routing.
<https://sourceforge.net/projects/sockscap64/>

<https://netactuate.dl.sourceforge.net/project/sockscap64/SocksCap64-setup-3.6.exe>
Name: SocksCap64-setup-3.6.exe
Size: 6193115 bytes (6047 KiB)
SHA256: B2DA49EC9A2702CFD7625D3F152AF98A4C8E3E155DAB78686962BB3DF1F76825

This is where the cross-platform open-source NekoBox may come in handy.
<https://github.com/MatsuriDayo/nekoray

<https://github.com/MatsuriDayo/nekoray/releases/download/4.0.1/nekoray-4.0.1-2024-12-12-windows64.zip>
Name: nekoray-4.0.1-2024-12-12-windows64.zip>
Size: 41719145 bytes (39 MiB)
SHA256: A492224792C38BD1A3B7A5438B1431C5CB4260F55E9A121DB3B2CE1603F7664A

NekoRay or NekoBox is an open source V2Ray/Sing box proxy manager with a graphical interface that sits between our applications & our upstream
proxy such as Psiphon. Unlike proxifiers such as SocksCap64, NekoBox can
apply user-defined specific-domain routing rules so that some domains or IP ranges go through a proxy while others connect directly (bypassing
proxies).

NekoRay can also handle multiple protocols including HTTP HTTPS SOCKS
IMAP SMTP and more which allows it to apply selective routing to non HTTP traffic. By pointing Thunderbird to NekoBox instead of directly to Psiphon
we should be able to recreate the selective routing logic of a PAC file and apply it to applications that do not support PAC files at all.

In practice this means we can keep using the PAC file to control proxy behavior for web browsers exactly as we do now while letting NekoRay handle the same selective routing for Thunderbird. We would configure NekoRay so
that Gmail IMAP and SMTP servers are marked as direct connections and all other destinations are sent through Psiphon. Thunderbird would be pointed
to NekoRay's local listener instead of Psiphon directly so NekoRay can
enforce those rules. The end result is a unified setup where browsers
follow the PAC file and non browser applications such as Thunderbird follow equivalent rules inside NekoRay giving us consistent split tunnel behavior across all software.

I am testing it as we speak but I post this 1st to ask if anyone has a
better solution to force Thunderbird to selectively route so that all
traffic goes through the proxy except the Google GMail server traffic.
--- Synchronet 3.21a-Linux NewsLink 1.2