LinuxQuestions.org
Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-07-2016, 08:36 AM   #16
273
LQ Addict
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

I still don't think you understand what you are asking.
Your gateway IP has to be known to anywhere you obtain information from as that is where it sends the information to*. Your credentials to any site have to be identifiable or you will not gain access.

*and that will not be your local IP address in the majority of circumstances because of NAT so, no, a web site won't often see the IP address of your device.

Last edited by 273; 05-07-2016 at 08:40 AM.
 
Old 05-07-2016, 08:51 AM   #17
Steven_G
Member
Registered: Dec 2015
Location: Western US
Distribution: Home spun
Posts: 142
Original Poster
Quote:
Originally Posted by 273
I still don't think you understand what you are asking.
No. I do, you just don't get it.

Quote:
Originally Posted by 273
Your gateway IP has to be known to anywhere you obtain information from as that is where it sends the information to.
Not true or Tor / VPN would not function in a fully locked down mode wherein all two way information exchange is locked down as listed previously. However, "one way routing" requests through obfuscated chains only function *correctly* in "static" mode. In other words it functions fine for doing things like reading the text in a news article. But just as soon as you want to interact with the site (post, email, streaming, etc) nothing works b/c there is no two way exchange of info, including routing. And in such cases "my IP" would show in the remote server logs as the last IP in the chain; which is the whole point of Tor and 1/2 the point of a subscription VPN service.

Quote:
Originally Posted by 273
Your credentials to any site have to be identifiable or you will not gain access.
Correct, but, if the counter scripting were sufficiently elegant I don't think that "identifiable" would necessarily have to equal true. So long as you could figure out a way to report false info to the remote host in such a way it would still direct the packets back to the VPN / Tor; which you would also have to be "honest" w/ so that routing is not broken.

Do you have any ideas on how to start to design such a project?

--EDIT--

We cross posted on your edit:

You are wrong. IP obfuscation can be busted w/ session cookies.

Various types of cookies can poll system info directly from the local host, including the real IP address.

Last edited by Steven_G; 05-07-2016 at 08:54 AM.
 
Old 05-07-2016, 08:55 AM   #18
273
You do not understand then. Your gateway IP must be known or you will not receive any information. Sorry, yes, I am snarky but please read how TCP/IP works. That's how TOR is flawed and has been shown to be so also.
 
Old 05-07-2016, 09:12 AM   #19
Steven_G
Original Poster
Quote:
Originally Posted by 273
You do not understand then. Your gateway IP must be known or you will not receive any information.
YES, YOUR REAL IP MUST BE KNOWN ***TO THE FIRST NODE IN THE CHAIN*** BUT NOT THE LAST!!!

At least not for static requests. I am talking about figuring out a way to extend that to interactive requests; which I fully admit may not work b/c it could break routing. But, then again, it wasn't all that long ago that people said you'd die if you broke the sound barrier. Just b/c something is impossible is no reason not to try to do it.

Quote:
Originally Posted by 273
Sorry, yes, I am snarky but please read how TCP/IP works.
TBH, in this case I think I have a better understanding than you do.

Quote:
Originally Posted by 273
That's how TOR is flawed and has been shown to be so also.
Please provide documentation of the specified TCP/IP based Tor "flaw".
 
Old 05-07-2016, 09:19 AM   #20
273
I am sorry to keep being snarky but TOR is "an exit node" and that "exit node" is your IP address for that transaction. Yes, sometimes, TOR will give you another exit node but for that transaction that is your IP address.
Please just read the news for TOR exit node flaws.
 
Old 05-07-2016, 12:01 PM   #21
Steven_G
Original Poster
Quote:
Originally Posted by 273
I am sorry to keep being snarky but TOR is "an exit node" and that "exit node" is your IP address for that transaction. Yes, sometimes, TOR will give you another exit node but for that transaction that is your IP address.
Please just read the news for TOR exit node flaws.
Once again: Please provide documentation for the supposed TCP/IP based Tor "flaw".

However, even w/o "flaws" IP obfuscation can be defeated through the plethora of processes that fall under the generic term "session cookies" by polling the local host for information which includes your *real* IP address, not the address of the remote node.
 
Old 05-08-2016, 01:24 AM   #22
astrogeek
Moderator
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,269
Blog Entries: 24

Quote:
Originally Posted by Steven_G
Some times talking to you two is like pulling teeth. And save the snarky 273, I'm not a moron and I do know what I'm talking about. You just aren't getting it.
Sorry for the inconvenient dental work, I hope that you at least received some satisfaction from it!

But from this side of the conversation it can be like trying to help a person with no teeth eat an apple - painful!

All kidding aside, and no one is being snarky or calling you a moron, I too can't help thinking that you do not understand TCP and HTTP exchanges as well as you think you do. Or, perhaps the focus and vocabulary of your knowledge set is just much different than most others that we have encountered - that happens.

Anyway, I still have not understood your points well enough to contribute anything useful here, so I'll sit here in the waiting room, try to avoid another root canal, and see if a "Eureka!" moment occurs!

Good luck!

Last edited by astrogeek; 05-08-2016 at 01:49 AM. Reason: grammer
 
Old 05-08-2016, 04:09 AM   #23
273
Quote:
Originally Posted by Steven_G
Once again: Please provide documentation for the supposed TCP/IP based Tor "flaw".

However, even w/o "flaws" IP obfuscation can be defeated through the plethora of processes that fall under the generic term "session cookies" by polling the local host for information which includes your *real* IP address, not the address of the remote node.
Here you go:
http://www.tomsguide.com/us/spoiled-...ews-18237.html
And I don't know what you mean by "real IP address" do you mean the LAN address or gateway IP address provided by your ISP? Neither should be provided to any site you visit if you're using TOR or a VPN as TCP/IP doesn't work like that or, at least, shouldn't.
 
Old 05-08-2016, 09:47 AM   #24
Steven_G
Original Poster
OK, one last try:

273, that is not a "TCP/IP based flaw" in Tor. That is a malicious exit node; old news, I've known about them for more than a decade. They have nothing to do with what I am talking about.

Also, the exploit involved in your link occurs in the session layer (SSL) and has nothing to do with TCP/IP which occurs in the network layer.

Your "real" IP is the IP provided to you by your ISP; which is visible to all the world if you are not running any obfuscation / security measures.

You are right when you say that it is not supposed to work that way.

However, the browser "leaks" the real IP through various processes that have to be allowed to occur to receive interactive content such as polling the local host http header during the creation of various types of items that fall under the generic term "session cookies" and / or by java scripts.

There are also some processes that border on being exploits (if they are not outright privacy busting exploits); such as setting your server to make unnecessary WebRTC hooks in order to force a real IP leak.

WebRTC killing Tor, VPN, IP Masking, Privacy


Problems of this nature are why the Tor browser is locked down to kill all JavaScript and not allow any cookies to be set. But that unfortunately "breaks" most of the internet. It is fine for reading news articles, but you can't get any interactive content that way; like posting to a forum.

And allowing people to communicate anonymously is the whole point of Tor. All I'm talking about doing is plugging browser leaks so that Tor / VPN / Proxies work the way that they are *supposed* to and allow them to handle the TCP/IP routing without the browser exposing your real IP address.

Astrogeek, I never went to school for this stuff. The only terminology that I have is what I read on the web and what I picked up in the Unisys call center being a T1 for MS and what I'm being told is the correct terminology at my new job of being a T2 at Verizon. I don't know how to make anything more clear. Nobody else seems to be having a problem understanding me?

After having slept on things my idea is finally fully formulated, and rather simple.

I need to learn how to write a JavaScript that can be inserted in to Greasemonkey / Scriptish (or similar) that would detect the IP address of the last node in the chain (Tor exit node, VPN, Proxy), would detect the server calls that expose the real IP address as listed above and then in response instead reply with the IP address of the last node in the chain.

This would not break routing as the requests are supposed to be coming back (routed) to me through the last node any way. It would make Tor/VPN/Proxies work the way they are "supposed" to and plug "browser leaks".

It also would not affect the interactions at the TCP/IP / network layer at all. The only difference would be that the SSL transactions in the session layer would be "properly" routed back to the last node in the chain; as they are *supposed* to be any way.

And if the script were elegant enough it could also be used to help provide even more anonymity by spoofing "finger-printing" type information that is non-essential to a client / server interaction which can be stored in various types of "cookies".

The idea is so basic and so simple that I'm stunned that no one has done it yet. Unless it is simply beyond the capabilities of JavaScript / scripting engine browser addons to perform the necessary actions.

And in this area I must admit I am completely ignorant.

Does anybody know enough about js / scripting engine browser addons to be able to tell me off the top of their head if js / scripting engine browser addons could even do this?

If so then does anyone have any good resources on how to write .js and in particular working with its functions that detect other scripts running, replying to them and its networking parameters?
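The interception the post above asks about, written out as an added example that is not part of this thread or of Greasemonkey, Tor or any VPN product: a JavaScript block that parses the ICE candidate lines WebRTC hands to page script (the place the real address leaks), rewrites them so the page only ever sees the last-hop address, and installs that filter in front of RTCPeerConnection the way a userscript running at document-start would. Everything specific in it is assumed for illustration: EXIT_IP is a placeholder from a documentation address range (the thread never says how the last-hop address would be discovered), the candidate lines and SDP are constructed samples, and installHook is a simplified hook that wraps addEventListener and the onicecandidate setter only.

```javascript
// Added example, not from the thread. Assumption: EXIT_IP is the last-hop
// (VPN / proxy exit) address learned out of band; 203.0.113.7 is a placeholder.
const EXIT_IP = '203.0.113.7';

// RFC 1918, loopback and link-local ranges: a candidate carrying one of these
// is the LAN address; any other host/srflx address is the ISP-assigned one.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254);
}

// Parse one ICE candidate attribute (RFC 8445 grammar), with or without the
// SDP "a=" prefix. Returns null for any line that is not a candidate.
function parseCandidate(line) {
  const m = /^(a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  return { prefix: m[1] || '', foundation: m[2], component: m[3], transport: m[4],
           priority: m[5], address: m[6], port: m[7], type: m[8], rest: m[9] };
}

// The page's side of the leak: every address it can read out of the candidates,
// split into LAN and public. "raddr" on srflx/relay repeats the base address.
function leakedAddresses(lines, exitIp) {
  const lan = new Set(), pub = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const r = /raddr (\S+)/.exec(c.rest);
    for (const a of [c.type === 'relay' ? null : c.address, r && r[1]]) {
      if (!a || a === exitIp || a === '0.0.0.0' || a.endsWith('.local')) continue;
      (isPrivateIPv4(a) ? lan : pub).add(a);
    }
  }
  return { lan: [...lan].sort(), public: [...pub].sort() };
}

// The userscript's side: drop host candidates, rewrite srflx/prflx addresses
// to the exit hop, and blank raddr/rport everywhere (RFC 8445 section 5.1.2
// allows 0.0.0.0 / 0 there for privacy). Returns null when the line is dropped.
function sanitizeCandidate(line, exitIp) {
  const c = parseCandidate(line);
  if (!c || c.type === 'host') return null;
  const address = c.type === 'relay' ? c.address : exitIp;
  const rest = c.rest.replace(/raddr \S+/, 'raddr 0.0.0.0').replace(/rport \d+/, 'rport 0');
  return `${c.prefix}candidate:${c.foundation} ${c.component} ${c.transport} ` +
         `${c.priority} ${address} ${c.port} typ ${c.type}${rest}`;
}

// Same treatment for a whole SDP blob (createOffer / localDescription), whose
// "c=" connection line is a third place the base address shows up.
function sanitizeSdp(sdp, exitIp) {
  return sdp.split(/\r?\n/).map((line) => {
    if (line.startsWith('a=candidate:')) return sanitizeCandidate(line, exitIp);
    if (line.startsWith('c=IN IP4 ')) return 'c=IN IP4 0.0.0.0';
    return line;
  }).filter(l => l !== null).join('\r\n');
}

// Put the filter in front of the icecandidate event, as a document-start
// userscript would. Simplified: wraps addEventListener and the onicecandidate
// setter only. Returns false where there is no RTCPeerConnection at all
// (Node, or Firefox with media.peerconnection.enabled=false).
function installHook(global, exitIp) {
  const Orig = global.RTCPeerConnection;
  if (typeof Orig !== 'function') return false;
  class Guarded extends Orig {
    addEventListener(type, listener, opts) {
      if (type !== 'icecandidate' || typeof listener !== 'function') {
        return super.addEventListener(type, listener, opts);
      }
      return super.addEventListener(type, (ev) => {
        if (!ev.candidate) return listener.call(this, ev);       // end-of-candidates marker
        const clean = sanitizeCandidate(ev.candidate.candidate, exitIp);
        if (clean === null) return;                             // the page never sees it
        const candidate = new global.RTCIceCandidate({
          candidate: clean, sdpMid: ev.candidate.sdpMid, sdpMLineIndex: ev.candidate.sdpMLineIndex,
        });
        listener.call(this, { type: 'icecandidate', target: this, candidate });
      }, opts);
    }
    set onicecandidate(fn) { this.addEventListener('icecandidate', fn); }
  }
  global.RTCPeerConnection = Guarded;
  return true;
}

// Constructed sample: what a page behind a home NAT typically receives when it
// opens a data channel purely to harvest candidates.
const SAMPLE_CANDIDATES = [
  'candidate:842163049 1 udp 2122260223 192.168.1.23 53402 typ host generation 0',
  'candidate:1467250027 1 udp 1845501695 198.51.100.44 53402 typ srflx raddr 192.168.1.23 rport 53402 generation 0',
  'candidate:3 1 udp 41885439 192.0.2.99 60001 typ relay raddr 198.51.100.44 rport 53402 generation 0',
];

installHook(globalThis, EXIT_IP);
```

What this controls is only what page JavaScript can read. The STUN requests that produce the srflx candidate still leave from the real interface unless the browser itself is told not to use WebRTC (Firefox: media.peerconnection.enabled=false; Tor Browser disables WebRTC altogether), so a hook like this is a second line of defence behind that setting, not a replacement for it. It is also only as good as its coverage: a site whose script runs before the userscript, or that reads candidates through a path the hook does not wrap, sees the original lines.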
 
Old 05-08-2016, 01:04 PM   #25
mralk3
Slackware Contributor
Registered: May 2015
Distribution: Slackware
Posts: 1,902

There is no need to make any of this THAT complicated. The tool you can use that does what (I think?) you want is called "Paros Proxy". It will let you modify the http headers to spoof whatever you want within the guidelines of RFC 2616. It does a number of other things as well. However I do not see how you will ever accomplish what you are attempting to accomplish. Maybe you are not sure how to explain it? A simple ruby or python script may be all you need though to proxy and spoof your http traffic. Honestly I am not sure what you are trying to do.

Here are some links that may help. They should also help you to be safe with what you are trying to do. I wouldn't recommend Tor to anyone at this point unless I was sure they were capable of 100% anonymity. I also wouldn't recommend that you use Tor from your home IP address- or even with a vpn. This: Home <-> VPN <-> ISP <-> Tor <-> Destination is not secure.

http://sectools.org/tool/paros/
https://www.w3.org/Protocols/rfc2616/rfc2616.txt

Some interesting, related news.
https://news.slashdot.org/story/16/0...tm_medium=feed
https://web.archive.org/web/20160430...ers-criminals/
 
Old 05-08-2016, 02:17 PM   #26
Steven_G
Original Poster
Quote:
Originally Posted by mralk3
There is no need to make any of this THAT complicated. The tool you can use that does what (I think?) you want is called "Paros Proxy". It will let you modify the http headers to spoof whatever you want within the guidelines of RFC 2616. It does a number of other things as well. However I do not see how you will ever accomplish what you are attempting to accomplish. Maybe you are not sure how to explain it? A simple ruby or python script may be all you need though to proxy and spoof your http traffic. Honestly I am not sure what you are trying to do.

Here are some links that may help. They should also help you to be safe with what you are trying to do. I wouldn't recommend Tor to anyone at this point unless I was sure they were capable of 100% anonymity. I also wouldn't recommend that you use Tor from your home IP address- or even with a vpn. This: Home <-> VPN <-> ISP <-> Tor <-> Destination is not secure.

http://sectools.org/tool/paros/
https://www.w3.org/Protocols/rfc2616/rfc2616.txt

Some interesting, related news.
https://news.slashdot.org/story/16/0...tm_medium=feed
https://web.archive.org/web/20160430...ers-criminals/
I have explained the matter sufficiently, thank you. I am sorry if you do not comprehend the subject.

It is obvious, as you say, that you do not understand what it is that I am trying to achieve.

Thank you for the tut in Tor basics. Have you read the whole thread? Or any of the multiple other posts that I have made about sec and privacy in general and Tor in particular. It is obviously obvious that I really needed a NT basics 0.0001. Once again, thank you.

I don't think the recommended tool has the ability to do what I am speaking of as the browser leaks in question occur as the result of processes that occur on the local host.

If current technologies rectified the issue at hand then I don't see why such tech would not be baked in to Tor / VPN solutions already? Or why the issues would even be occurring in the first place.

A proxy would have to be local on my net, between me and the world and intelligent enough to intercept and rewrite not only headers on the fly but the multitude of processes that relay local host info under the umbrella term "session cookies" as well as info generated by JavaScript.

And, to fix the specific issues that I am referring to the proxy would still need some type of scanning engine that would detect the IP of the last node in the chain and spoof it as the response to all inquiries that can leak the real IP address from the browser.

Even if there is a proxy that does possess such a tool I seriously doubt that it would be a tool from 2005 running java 1.2. (I seriously hope that tool is not a component of your security framework.)

However, its more current fork OWASP ZAP may be of interest. Although I already have squid running as an AV proxy on my gateway. Changing it to a full web proxy would be trivial. However, it still would not include a tool that would be capable of what I am trying to achieve and the scripting work would still need to be done to create an engine capable of what I am describing.

So, now that we have chewed the basics to death:

Does anybody know if .js and scripting engine browser addons are even capable of this? Or would it have to be moved out of the browser and on to a local proxy with a full blown dedicated engine, AI, NT stack, etc? Which, obviously would be even more complex than what I am already talking about trying to achieve.

Last edited by Steven_G; 05-08-2016 at 02:21 PM.
 
Old 05-08-2016, 02:57 PM   #27
mralk3
I pointed you in the right direction of software that is similar to what you are requesting. I know Paros is outdated, but old does not mean broken. I assumed that you were qualified to modify Paros (so it would run on a newer version of java), or create something similar with python, ruby, or whatever programming language you choose. What you are requesting can maybe be accomplished with python using the Twisted framework. It can maybe be accomplished with Ruby by writing a proxy service that binds to your localhost. However, I still do not understand what you want to accomplish.

I guess you are just so much more superior than the rest of us that we cannot understand your advanced communication skills. Maybe your next post will clarify what exactly you are communicating so the rest of us lesser beings can understand you.

Sorry for trying to help you out.
 
Old 05-08-2016, 04:59 PM   #28
Steven_G
Original Poster
Quote:
Originally Posted by mralk3
I pointed you in the right direction of software that is similar to what you are requesting. I know Paros is outdated, but old does not mean broken. I assumed that you were qualified to modify Paros (so it would run on a newer version of java), or create something similar with python, ruby, or whatever programming language you choose. What you are requesting can maybe be accomplished with python using the Twisted framework. It can maybe be accomplished with Ruby by writing a proxy service that binds to your localhost. However, I still do not understand what you want to accomplish.

I guess you are just so much more superior than the rest of us that we cannot understand your advanced communication skills. Maybe your next post will clarify what exactly you are communicating so the rest of us lesser beings can understand you.

Sorry for trying to help you out.
We need a tool where certain people can be locked out of a thread or like some forums have where you need X number of points before you can post in certain threads.

I don't see where I can explain this any more clearly:

THE BROWSER WILL LEAK YOUR IP! I'M LOOKING FOR A WAY TO PLUG THE LEAK!

I can see python or twisted being able to do what I am trying to do. But that does not change the fact that unlike yourself I am not a cybernetic scripting machine and I do not yet possess the skill level to create scripts of that complexity.

So the first thing I'm trying to figure out is if it can even be done before I go running down an unproductive tangent.

But how can you answer that question when you still don't even get what it is I'm trying to do?

And, BTW, why should I waste my time rebuilding somebody else's old crappy software when there's already a gazillion things that work OOB?

I am not going to argue this any further.

If I keep getting argumentative and unhelpful responses I will just "solve" the thread and move on to my own resources. It would be far more productive.

So, does anybody have anything helpful to contribute?
 
Old 05-08-2016, 08:36 PM   #29
alberich
Member
Registered: Apr 2016
Location: Bavaria
Distribution: Slackware
Posts: 140

I think you are attempting to stuff one leak, where there are several dozens we simply are less or not aware of.

If a counter scripting would actually be possible against this vulnerability of an information leak in some very specific scenario, that would be nice. But obviously the other side consists of legions of experienced professionals. If you are so unfortunate to meet a determined adversary, he will very delicately modify the use of cookies, or make use of a lot of other vulnerabilities.
Even if he doesn't do it intentionally, new leaks will just happen by modifications of new versions or methods of anything.

I'm not saying that we need to be sheep, like 99 % of internet users.


In my opinion we would do better to abstain from services who use invasive structures. If they won't die from it, because of the other sheep, who cares. Just opt out anyway.

e.g. I block out any facebook, don't use whatsapp, don't ever login to google via PC, reduce usage of google search. There are two internet forums where I need to allow some ajax.googleapis.com scripting to login. I also tried to do a very basic (ridiculous) workaround by saving the cookie after login, and disallowing the scripting, and restoring the cookie later to re-"login". But probably they are a lot cleverer than that and can still integrate this cookie data with the profile of virtually any website I surfed since the 90's. I am maybe not willing to accept this for all future, and rather will maybe stop using these sites. Better crude attempts than no attempts, anyway.

I think it's not worthwile or realistic to engage in counter scripting, even less if one is no professional hacker and intimate insider of this materia.

On my smartphone (which i consider a direct hell interface to google, I seriously need an alternative phone OS) I block cookies altogether, no matter what, what won't work just won't work, period.

Maybe one day I will block all cookies, and simply do without these websites. Maybe one day I will pull the plug to the internet altogether. Before any upcoming IV. Reich seizes the whole infrastructure.

Imagine there's no internet - it's easy if you try. More time for hiking / climbing / skiing. Or surfing, women or whatever.

Last edited by alberich; 05-08-2016 at 09:09 PM.
 
Old 05-09-2016, 12:54 PM   #30
273
Quote:
Originally Posted by Steven_G
THE BROWSER WILL LEAK YOUR IP! I'M LOOKING FOR A WAY TO PLUG THE LEAK!
Your gateway IP address will be shown and there is no way to stop that. That's how an address works.
So, yes, if you're using TOR and if the IP address your ISP gives you or the IP address you're using on your LAN is exposed you're not using it properly.
This is not about cookies, by the way.
If you can show a site which makes a browser leak ISP provided and, even LAN IPs when using TOR please tell the TOR people about the flaw in their software.
This seems to come down to how much you want to "leak". You start with listening to broadcasts and, after that, you leak.

Last edited by 273; 05-09-2016 at 12:56 PM.
 
  

