Can Flash/Java/etc. reveal your real IP?

[JustJohnny]

It seems that it is "common knowledge" that active scripting plug-ins, like Flash, Java, Silverlight, ActiveX, etc. will reveal your real IP even when behind proxies or VPNs. This is stated on the Tor website and also repeated in numerous threads (here and elsewhere). But has anyone ever seen this done?

I went to a couple of de-anonymizing websites (decloak.net, deanonymizer.com, what-is-my-ip-address.anonymous-proxy-servers.net, etc.) and they were not able to detect my real IP, even with all scripting enabled. I tried this with both VPNs and just proxies. So clearly this is a good thing, but I want to understand what is going on. Are there some other sites that have better detection methods I should know about?

I can understand why people are paranoid about letting 3rd party code run in their browser, I use NoScript too of course, but maybe this threat is blown out of proportion. I mean, can anyone show me a site that can reveal my real IP? If not, why do people continue to spread the notion that using plug-ins like Flash will automatically blow your privacy?

[CasperFace]

Flash/Java cannot reveal your real IP if you're on a VPN. That's the whole point of anonymizing ALL network traffic.

On the other hand, if you're using a regular HTTP proxy (i.e. 123.45.67.89:8080) then Java/Flash will most definitely reveal your real IP (or the IP of your VPN, if you're using a VPN in conjunction with a proxy)

The decloak.net site should be correctly reporting your real IP under External NAT (Java) and External NAT (Flash). If it still shows "unknown", you should double-check that your plug-ins are installed properly, and also be sure to completely disable or uninstall NoScript.

There are two different things we have to consider:
1) Tor usually uses the browser's proxy settings to anonymise traffic. Flash and Java are separate apps that can and regularly do disregard those settings. They don't know any better but to use your regular internet connection.
2) Flash and Java are often exploited and full of security holes. If your PC "knows" your real IP, an attacker can see it too, he could also see your router's MAC (geolocation), private files with your name on it...

Protection against both: use a VM and proxy everything through Tor/VPN.

[lotuseclat79]

What katio says is correct. Do use a VM and proxy everything through Tor|VPN, otherwise:

If you use Firefox w/Torbuttion and NoScript over Tor, you can effectively prevent Javascript from revealing details. If you use Tor to get to a trusted website - and need to turn on the temporary allow feature of NoScript - I assume the details would be vulnerable, but probably only within the Tor network - and at the trusted website.

With Flash installed to watch vids over Tor - just assume that your details are vulnerable as above.

-- Tom

[JustJohnny]

Well I am aware that Flash in particular (but also Java) have been known to have security vulnerabilities. If an attacker could exploit one of these remote code execution vulnerabilities then they could do a whole lot more than just see your IP (like install a trojan, virus, keylogger, rootkit, etc.). In that case, having your IP exposed might be the least of your worry.

The obvious solution is to disable plug-ins, using NoScript or similar. But this quickly becomes an issue. Many sites require scripting: if you want to watch videos, CAPTCHAs on account sign-ups, certain scripted interfaces, etc. In most cases you will only enable scripting on trusted sites, but sometimes there is a video on a random blog you might want to watch without revealing yourself. So it would nice to be able to do this safely.

It "would" be nice? I already provided a, the solution. More specifically you will want to use the snapshots feature of your VM software. Configure everything, snapshot, then use it and after the session roll back all changes. Isolate the VM, don't enable any kind of filesharing, don't use it to log into sites that are linked to your real world identity.

[JustJohnny]

So I guess the solution is just to use a VM. The snapshot idea sounds good too, since even if you were compromised it would only last for that one session. I am going to have to try this when I get a chance.

Also, would it be better to run the VPN on the host OS and let the VM piggy-back on that? Or is it somehow better to run the VPN inside the VM? I guess you could chain VPNs as well, one in the host, one in the VM. That might be cool.

However, I am still not sure using a VM is 100% secure. For example, if you were using a PPTP VPN, couldn't IPv6 traffic still leak (even within a VM) and expose your real IP?

Great questions and sorry I have to say this, but I don't have the answers.

All I can tell you, 100% security does not exist and any way you set up your VM it will increase your security tremendously. PPTP should be avoided altogether. With iptables for example you can lock down a Linux VM to the point where no outbound traffic except VPN/Tor will be allowed, leaking would therefore require a system compromise, then an attacker could simply disable the firewall. Based on this it would seem like putting the firewalling and routing outside of the VM is more secure. This would require more in depth research which I haven't done.

[vtol]

Quote:

Originally Posted by JustJohnny

Also, would it be better to run the VPN on the host OS and let the VM piggy-back on that? Or is it somehow better to run the VPN inside the VM? I guess you could chain VPNs as well, one in the host, one in the VM. That might be cool.

However, I am still not sure using a VM is 100% secure. For example, if you were using a PPTP VPN, couldn't IPv6 traffic still leak (even within a VM) and expose your real IP?

IP6 traffic could be limited to internal network only, there is no real demand yet in the internet and as stated in another thread at wilders the broad migration will probably take a few years, also considering that visualization and cloud computing may free some IP4 resources.

I have IP6 entirely off, both at the host and the guest for the internet and not yet seen an adverse effect, not withstanding that most of the VPN providers abstain from implementing it for the obvious reason.

the VM traffic will certainly be routed through the physical network adapter of the host, but can be bridged and thus separated. in this scenario a VPN on the host will not be utilized by the guest, thence different IP4 addresses. it is also feasible in this scenario to run a another VPN on the guest - that is basically my setup.

the other option is to tunnel the guest traffic via NAT through the host, in which case the guest gets the same IP4 address as the host and also utilizes any VPN on the host