Firefox now offers two layers of privacy protection

Started by rcjordan, May 11, 2026, 04:50:44 PM

rcjordan

from FF bsky post:

1. Browser-level (ETP, Total Cookie Protection, anti-fingerprinting)
2. Network-level (built-in VPN, IP masking)

IP masking?? Tell me more.

ergophobe

Okay...

It basically just means that your IP is obfuscated, which I think will happen with any VPN as you will be assigned the VPN IP.

I'm in a middle ground - my IP is *not* masked, but the geolocation is usually far from my actual machine since it geolocates to whatever Starlink ground station I'm going through, and that can change based on satellite location.

https://nordlayer.com/blog/how-to-hide-your-ip-address/

rcjordan


ergophobe

Client-side IP altering should be impossible using https.

That would be like spoofing caller ID, but that is only possible because 1) it's a bolt-on to an old system that has no need of any such thing and 2) the caller has no need to have the receiver be able to call them back (in fact mostly doesn't want them to).

If you spoofed your IP client side (presumably on your router, not your browser - that would truly be impossible), you could in theory *send* something, but you would have no way to get a response. In practice, even sending something requires you to share your IP since there is usually some back and forth communication - DNS lookups, SSL/TLS handshakes, packet tracking, etc.

So you have to hand this off to some sort of proxy that handles the IP-mapping and lets the other party see its IP but not yours. That allows the response, and then it forwards it on.

So a VPN/proxy is more like call forwarding than spoofing caller ID.

Call forwarding only works if the phone being called knows your new phone number and how to call you. If you just randomly change your phone number on the "client" end, none of your calls go through unless you give out the new number, at which point you're back where you started.

You can spoof IP addresses in headers
https://owasp.org/www-community/pages/attacks/ip_spoofing_via_http_headers

But it wouldn't do what you want (AFAIK)

ergophobe

TIL...

Actually, if a server is poorly configured, it might trust X-Forwarded-For headers over the actual origin IP, taking the origin IP to be a proxy and the X-Forwarded-For IP to be the originating machine.

In that case, the response should go to the actual IP, but it might geolocate you in the tracking software based on the X-Forwarded-For IP.

But I think it's rare that would be the case and is generally considered a faulty setup.
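
The faulty setup described in the last post, next to a stricter way of resolving the client address. This is an added example, not part of the original thread. The function names, the 10.0.0.0/8 trusted-proxy range and the sample addresses are assumptions made up for illustration.

```python
import ipaddress

# Assumption: the only hosts allowed to add X-Forwarded-For entries are our own
# reverse proxies in 10.0.0.0/8 (constructed value for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip, xff):
    """Faulty setup: believe the left-most header entry, whoever sent it."""
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def hardened_client_ip(peer_ip, xff):
    """Read the header only when the TCP peer is one of our proxies, then walk
    the chain right to left and stop at the first hop we do not operate."""
    if not xff or not is_trusted(peer_ip):
        return peer_ip
    client = peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = hop
        if not is_trusted(hop):
            break  # first address outside our proxies is the real client
    return client


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, X-Forwarded-For header value)
    samples = [
        ("203.0.113.7", "198.51.100.9"),             # direct hit, forged header
        ("10.0.0.5", "198.51.100.9, 203.0.113.7"),   # forged entry + proxy's entry
        ("10.0.0.5", "203.0.113.7, 10.0.0.9"),       # two of our own proxies
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", naive_client_ip(peer, xff),
              "vs", hardened_client_ip(peer, xff))
```

In all three constructed requests the response still goes back to the TCP peer; only the address the application logs or geolocates differs between the two functions.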