Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
When using TOR it is recommended that you disable javascript and all other scripts because they can be used to detect your IP, defeating the purpose of TOR.
But there are some sites that simply do not work without javascript.
Is it possible to keep all javascript functionality but disable just the functionality that is used to leak your IP?
Unfortunately, javascript has nothing to do with identifying your IP; that information is sent with HTTP host headers, otherwise the web server wouldn't have a clue as to where to send the reply. In short, completely hiding your IP would make it impossible for the web server to send a reply with the requested information. Javascripts that use/show this information are simply getting the info from the HTTP host headers.
Then why does the TOR homepage strongly recommend disabling javascript among others?
Because some aspects of javascript can be abused (in general), as any tool can be. I don't think javascript is your issue, though. You want to be hidden. You can only hide so much, IMO, but TOR or any proxy should provide the results you want. It won't hide IPs but will utilize an IP that makes it difficult to track YOU.
But, if you're afraid of javascript, use noscript.
I have noscript already. What if your ADSL router is at http://192.168.2.1 and javascript from a web page attempts to load that page up guessing the name and password, and log in to the router to look up the status page where the adsl ip is shown?
FWIW, I would agree that it's completely insane to allow JavaScript (or any kind of executable content) when using Tor. The only exception would be if it's delivered via SSL (HTTPS) from a trusted site, which NoScript lets you specify. As for the attack scenario you've provided here as an example, the ABE component of NoScript would protect against that.
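The ABE protection mentioned in the reply above, sketched as an added example that is not part of the original thread or of NoScript's code: it models the decision made by ABE's default rule for local resources (`Site LOCAL` / `Accept from LOCAL` / `Deny`) for a page-initiated request. The function names are hypothetical, and hostnames that only resolve to local addresses via DNS are assumed out of scope.

```javascript
// Added example: models the "Site LOCAL / Accept from LOCAL / Deny" decision.
// Function names are hypothetical; this is not NoScript's implementation.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer, or null.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Loopback, RFC 1918 private ranges and link-local, as [network, prefix length].
const LOCAL_RANGES = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16],
];

function isLocalHost(host) {
  if (host === "localhost") return true;
  const ip = ipv4ToInt(host);
  if (ip === null) return false; // DNS name: resolution is out of scope (assumption)
  return LOCAL_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Decide whether a request made by a page at originUrl to targetUrl goes through.
function decide(originUrl, targetUrl) {
  const origin = new URL(originUrl).hostname;
  const target = new URL(targetUrl).hostname;
  if (!isLocalHost(target)) return "ALLOW";      // rule only covers local destinations
  return isLocalHost(origin) ? "ALLOW" : "DENY"; // Accept from LOCAL, otherwise Deny
}

// Constructed sample: an Internet page requesting the router address from the thread.
console.log(decide("http://example.com/page", "http://192.168.2.1/status"));
```

A request from another LAN page to the router is still allowed, so the router's own admin interface keeps working.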
If you really wanna hide your IP, of course there are various proxy sites out there that will allow you to browse websites via their internet connection to mask your IP address. Not sure this is what you are looking for, but it's one way of remaining anonymous.
frieza, he's already using Tor. The question he's asking is with regards to keeping the IP from being revealed by specially-crafted JavaScript, which resides on a completely different OSI layer.
What are you guys' thoughts on filtering this sort of JavaScript on the Privoxy server itself? Could one isolate and strip out the specific JavaScript functions used to grab IP address info?
EDIT: Never mind, this approach would suck because it wouldn't work when HTTPS is used.
This needs to be done in the browser itself to work right, AFAICT.
If you run your browser in a virtual machine, wouldn't that automatically eliminate the IP address information available to any JavaScript, Java, Flash, etc. code regardless of their technique? It would seem to me like it should limit them to the IP address information of the VM guest, which you could make whatever you want. My bloodstream is running low on caffeine so please don't hesitate to smack me upside the head if there's something totally obvious which I've missed.
I am already using vmware virtual machines and have disabled all networking on the host, the virtual machine gets connected to the internet through a usb port to the adsl router. So it's just simulating a real computer connected to the adsl router with NAT. Even if javascript gets the ip as if it called ifconfig, it would still be the local ip, not the external ip, right?