I am concerned about possible exploits employing Java/Javascript to capture my real IP. If one employs a proxy (one or more in a chain), to my mind even if these proxies are anonymous and only reveal their address to the target server, and not my real IP, there seems to be a nagging thought in my mind. What if sites such as Hotmail/MSN which insist you use Javascript could run a java program which effectively calls the ipconfig/ifconfig routine (on W32 or *nix/Linux) and they grab the output of this routine (or an equivalent written in javascript or other scripting language) and filter out the real local IP of the workstation? That would effectively make the use of the proxy useless!!! Does anyone have any insight into this area, could anyone confirm if that is possible and if so if they know of such scripts?
Similarly, closed-source programs such as skype/ICQ/MSN could be running local scripts to grab the local IP address on the workstation they are running on and forward it to their respective loging servers. Does anyone know if this is the case with any of the IM programs mentioned in this post (perhaps there are some developers who have worked on such programs and may have insider info on such matters).
If what I suspect is true, any way to stop such scripts acquiring the local real IP whilst maintaining operation with the service?
Does anyone have any tips on how to monitor the Java/Javascript activities when using Firefox, IE, Opera under W32 and Linux? I know in Firefox you can switch off scripts using a plugin and there is Tools|Javascript console, any guidance for getting the best out of this console or other similar utility would be greatly appreciated.
I am concerned about possible exploits employing Java/Javascript to capture my real IP.
Then disable it. Those are not exploits but "creatively making use of loopholes" or even "features". They can't and won't need to run "ifconfig" to get the IP.
even if these proxies are anonymous / Similarly, closed-source programs such as skype/ICQ/MSN could be running local scripts to grab the local IP address on the workstation they are running on and forward it to their respective loging servers.
It is a misconception that those proxies are "anonymous". TCP demands each host in the chain to know the hosts it exchanges traffic with. So in theory identity recon is not impossible. And even if protocols are different IM's in general make use of one or more central hosts else logging in to an account and routing traffic wouldn't be possible.
Other ways of getting an IP are using anything that is script capable like say Flash, forcing image retrieval over HTTPS (lotsa ppl don't block or proxy that), trying to use direct connection to share files, trying another protocol (say href=telnet://some.ho.st) and DNS lookups (say SOCKS leakage).
If you're concerned for privacy for the right reasons (UA citizens, sharing of sensitive information, etc, etc) you best take precautions like strict firewalling and content filtering, disabling any tracking and identity-revealing features, plugins and scripting and stay away from using applications that use a centralised setup. For some apps there may be decentralised alternatives (think P2P-like), for browsing there's JAP and Privoxy/Tor. But even those should not be seen as an ultimate guarantee for anonymity. Also note Tor is decidedly low bandwidth (high latency) and the Tor community doesn't take kindly to bandwidth hogging and illegal activity in the cracker/spam sense.
First, I do disable Java/Javascript whenever possible, HOWEVER many sites simply do not work properly unless you have Javascript enabled, these include many online booking sites for airline tickets, MSN/Hotmail accounts etc. So if you wish to book a flight with a particular airline, you really have little alternative but to turn Javascript on!
btw, do u know which javascript functions may be used to capture the real IP of the workstation even if going through a proxy? And how can I monitor my system to trap those functions from either not being able to run or at least see them in action (thinking Java Console here in Firefox)? Do any of the packet sniffing tools enable you to see this java activity?
"It is a misconception that those proxies are "anonymous". TCP demands each host in the chain to know the hosts it exchanges traffic with."
I value your opinion and cannot contradict you, however to my mind either the target host you are connecting to would have to do packet sniffing to get your origin IP instead of using the HTTP headers information which is far simpler, and if it was very easy then the guys at TOR are wasting their time I guess? My point is that any form of anonymity is better than no anonymity so I want to know what is possible.
"And even if protocols are different IM's in general make use of one or more central hosts else logging in to an account and routing traffic wouldn't be possible."
You're correct, most IM apps do have central servers, however Skype only has a central server for initial login authentication, the rest of the traffic flows on a P2P basis using super nodes which are actually client workstations and do not belong to Skype corp. I do not want my IP to go to the login server (by routing through an anonymous proxy) and neither do I want it to go to other users or supernodes.
"forcing image retrieval"
Forgive my lack of knowledge, which "image" are we talking about? The pic(s) used to make up a Flash presentation?
I concur with your views on other "leaks". For those interested, I believe SOCKS4a is better for avoiding DNS lookup leaks (see privoxy/TOR documentation for further info).
I concur regards comments about TOR.
To my understanding JAP & TOR are similar concepts, onion routing, correct? Anyone have preference for technical reasons as to which is more anonymous JAP or TOR or is it not really possible to quantifiably answer this question?
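The SOCKS4 versus SOCKS4a DNS-leak point raised in the post above, as an added example that is not part of the original thread: a SOCKS4 request can only carry an IPv4 address, so the client must resolve the name itself, while SOCKS4a sends the hostname to the proxy. The classifier goes slightly beyond the post by also reading SOCKS5 requests; the function names and sample values are constructed for illustration.

```python
import ipaddress
import struct

def socks4_connect(target, port, userid=b""):
    """Build a SOCKS4 CONNECT; a hostname target is encoded as SOCKS4a."""
    head = struct.pack(">BBH", 4, 1, port)   # VN=4, CD=1 (CONNECT), DSTPORT
    try:
        return head + ipaddress.IPv4Address(target).packed + userid + b"\x00"
    except ipaddress.AddressValueError:
        # SOCKS4a: placeholder IP 0.0.0.1, hostname follows the user id
        return (head + b"\x00\x00\x00\x01" + userid + b"\x00"
                + target.encode("ascii") + b"\x00")

def who_resolves(request):
    """Return (resolver, host, port) for a SOCKS4/4a/5 CONNECT request.

    resolver is "proxy" when the request carries a hostname, and "client"
    when it carries a literal IP, i.e. any DNS lookup happened locally.
    """
    version = request[0]
    if version == 4:
        (port,) = struct.unpack(">H", request[2:4])
        ip = request[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # SOCKS4a marker 0.0.0.x
            _userid, _, tail = request[8:].partition(b"\x00")
            return ("proxy", tail.split(b"\x00", 1)[0].decode("ascii"), port)
        return ("client", str(ipaddress.IPv4Address(ip)), port)
    if version == 5:
        atyp = request[3]                              # 1=IPv4, 3=domain, 4=IPv6
        if atyp == 3:
            n = request[4]
            (port,) = struct.unpack(">H", request[5 + n:7 + n])
            return ("proxy", request[5:5 + n].decode("ascii"), port)
        size = {1: 4, 4: 16}[atyp]
        (port,) = struct.unpack(">H", request[4 + size:6 + size])
        return ("client", str(ipaddress.ip_address(request[4:4 + size])), port)
    raise ValueError("not a SOCKS4/4a/5 request")

# Constructed sample requests (documentation address and name, not captures).
SAMPLES = [
    socks4_connect("192.0.2.10", 80),
    socks4_connect("host.example", 443, b"u"),
    b"\x05\x01\x00\x03\x0chost.example\x01\xbb",   # SOCKS5, domain name
    b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50",   # SOCKS5, IPv4 literal
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.hex(), "->", who_resolves(req))
```

Run against the first bytes a client sends to its SOCKS proxy, a "client" result for a site that was reached by name means the DNS query went out from the local machine rather than through the proxy.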
Simple Litmus test. IMNSHO people requiring anonymity for compelling reasons (think necessity, not luxury) have a clear view of their motivations and have gained knowledge about how protocols, applications, detection and evasion works. They will take a strict POV and discard partial anonymity as having no anonymity at all, view usability vs anonymity trade-offs as necessary limitations and focus on ways of communication that provide total anonymity.
So, decide for yourself which side of the line you are on: if your reasoning is based on necessity, then that same necessity and your natural curiosity will have already driven you to reading technical articles and tutorials explaining protocols, anonymity, pitfalls and such. With all due respect but if your reasoning is based on luxury take a few measures like using a filtering proxy to (selectively) disarm new threats before they reach the application and don't invest too much time thinking about and tinkering with the general idea of anonymity.
unSpawn, thx for your comments. I concur with your views and am already aware of the tradeoffs. Call me old fashioned but I actually do like to tinker with the details.
I am interested from purely a technology viewpoint what is possible and how its done. So if anyone has such knowledge I would welcome their input.
Regards filtering proxies, to my mind if you use a service such as anonymizer then they will take care of the java/javascript/cookies issues and provide a safe interface for you, however then you still are not anonymous as they know your real IP and can divulge it to a 3rd party. If u use a locally running proxy on your workstation then my original question is still valid because the remote site could be aware that one is using such a proxy and write scripts to circumvent the proxy's code in order to get your real IP.
As an expansion to the above question... If, let's say, I have java/javascript turned off in browsers such as Firefox, Opera.. and only have Cookies enabled, the code that is used to set cookies by sites, can it be used to run any script which may capture the local IP as seen by the workstation running the browser even if the browser is set to use a proxy server?