Remain Anonymous with Javascript on ?

Is it possible to stay 100% anonymous under the following conditions?

1. Running secure VPN tunnel software (ie. Total Net Shield)
2. Running firewall to ensure that your browser can only make connections to the local proxy (VPN)
3. Disable Java and ActiveX
4. Enable JavaScript

 

I have Xerobank and use all of the javascript I please...Woo Hoo!

 

LOL...Caspian, you always crack me up with your spamvertising answers to people concerning xerobank. How much are they paying you ? Or do you get free service for promoting a US one-man-show ?

As for javascript; js alone will not do much harm, at least so far no single attack based alone on js demonstrated it could reveal the IP of computer. But i'm happy to hear if anyone has some tests we can check !

 

@oldymin

What internet anonymity approach do you recommend, and why?

Using your preferred approach, what results do you get at <http://decloak.net/> and <http://deanonymizer.com/>? I'm using multi-hop XeroBank, and neither finds my true IP. If you know of a site that might be more thorough, please post the URL.

What are your <http://Speedtest.net/> results? I'm currently getting ca. 2 Mb/s down and ca. 0.9 Mb/s up on multi-hop XeroBank.

 

I remember there was a thread here that was deleted by a mod that linked to an article talking about ''a new weapon'' available to police cyber crime units that could locate people who were using secure vpn or tor proxies using any form of internet connection cable/fibre/adsl etc. Not much detail was given except that it relied on the person having a wireless router.

I guessed it worked in the same way that googlemaps knows your approximate location based on the known mac address's of wifi signals in the vicinity of your home. This requires the google gears browser plugin. I don't know how police are doing this, could it be as simple as a script that activates the wifi geolocation when a person visits a particular website or maybe it's a trojan the person gets infected with?

It's reasonably man power intensive. The software identifies your approximate location, and then a tracking vehicle would have to locate the home from where your wifi signal is coming from.

So, i'm not sure you are as safe as you think if you get on the wrong side of the government/police.

 

Have you seen this thread? Can Java Script Show Real IP address?

 

I have yet to see an example where javescript ALONE is used to get a user's real IP.

 

hi there,

any recommendation beside xb?
hopefully is free.... going to install either packetix or ultravpn......
any thoughts?

 

I believe that Caspian’s confidence in XeroBank is warranted. If technical information exists that shows otherwise, it would be worth highlighting in this thread.

 

I believe that Caspian’s confidence in XeroBank is NOT warranted. If technical information exists that shows otherwise, it would be worth highlighting in this thread.

You see, there are 2 different sides of the same "coin". The beautiful part is that you can't prove yours and I can't prove mine

And to answer to the original poster's question: yes, it is possible.

 

I'm connected to XeroBank multi-hop via OpenVPN and exiting in Amsterdam. Only the XeroBank exit IP shows up in testing at <http://decloak.net/> and <http://deanonymizer.com/>, in both cases with scripts permitted. Also, only XeroBank's DNS nameserver at the same exit IP shows up in Steve Gibson's DNS spoofing test <https://www.grc.com/dns/dns.htm>, and it gets a moderate-excellent grade.

Of course, any properly-configured Tor setup should yield analogous results, I presume (although I'm not sure what DNS nameserver would appear).

Any y'all know tougher decloaking tests?

 

I can confirm that a properly-configured Tor setup gives good results with both anonymity checkers.

 

Those two anonymity checkers aren't a good way to check anonymity really. I checked them with a simple http proxy I wrote myself, I have Java and Javascript enabled, only one of them and only through flash could detect my real IP....

 

No. Anyone who tells you it is possible to be 100% anonymous is wrong. Anonymous from whom is the question. Who are you trying to be anonymous from? Snoops and hackers? Your ISP? Your destination address? Your local authorities? Your state authorities? Your national authorities? International authorities? Multinational authorities? It all depends on what level of observation you are trying to evade.

 

Mea culpa. It's tempting to focus on anonymity from destination sites, because failure is readily observable and success is reassuring. The rest is a morass. If one of us goes down, perhaps the rest will see the news, and learn something about how not to proceed.

 

XeroBank describes the xB Browser as being “incapable of leaking. It can view full flash and Java and JavaScript without worrying about man-in-the-browser attacks, hijacks, or exploits” (see here). Doesn’t the same statement apply to xB VPN?

With respect to JavaScript specifically, how is xB VPN less than "100% anonymous"?

 

No. That means that your anonymity level won't drop because of running javascript; Although the anonymity level XeroBank provides is very substantial, it is not an evaluation of the anonymity level provided. That statement should be evaluated as you're still x-degrees anonymous from y-observers, even using javascript and rich medias.

I could say that it is possible that you could craft a javascript-based attack that would be specifically trying to do things like turn off your VPN and change your routing, which could be true, but I've never seen one. However in a universe where that doesn't happen, it is not a generic threat like javascript relatively can be. Using the XeroBank VPN is active protection against semi-passive threats like Javascript.

 

You probably never saw one simply because it is not possible. If you think it is possible to do such things, then by all means, a proof-of-concept is more than welcomed

So is using other VPN solutions or Tor.

 

They can track down anyone they want to if they choose to do so by performing entry/exit correlation. Xerobank is a lot more vulnerable to this than TOR due to the fact that TOR has hundreds of thousands of users in its network where as Xerobank probably only has a few hundred.

 

That's probably true. However, someone would have to be rather interesting to warrant global traffic analysis, no? OTOH, I can imagine that evil Tor exit nodes could troll passively. Are there ways to minimize that risk?

 

anybody who has access to traffic logs can perform entry/exit correlation and there are many people who do have access.

with regards to tor the best option would be to donate your own server to the tor network that way you can connect to it directly and ensure that it is not logging.

 

XeroBank is actually stronger anonymity than Tor due to our multiplexing and node optimization and traffic controls. We have significantly higher crowding per node than Tor does by an order of magnitude. Sadly, anonymity can't be measured yet, as no metric exists, but... It is a fallacy to think the more nodes you have the higher your anonymity. A computer can correlate traffic and does not distinguish between a network of 2 computer or 2 million computers, it can track it all. XeroBank employs anonymity techniques and technology that Tor does not have nor deploy, nor is it vulnerable to evil participants as Tor is. Btw, same traffic + more nodes = less crowding = smaller anonymity set = lower anonymity. If you want to increase the anonymity of tor, the best method is to NOT run a node, lol.

Lol. I'm not saying I never saw one period, i've never seen one in the wild. We've used javascript to completely destroy anonymity before. Look at the control port exploit against tor, 100% compromised. There is another unpublished attack against IE that has been developed that can turn on javascript in the browser, even if you have turned it off, and then it can be used to turn on java, even if you have it disabled, which can then do almost anything. The issue with javascript isn't that it can't be done because it certainly can and has, it is that nobody is really doing it actively.

 

This is FUD, not proof.

That is a 2 years old issue, that was solved since then.

This is a specific browser vulnerability, that will also be patched (probably).

As you were saying, there is no 100% anonymity, but that is not because JS, but because other vulnerabilities.

 

Javascript is primarily and almost exclusively used in... wait for it... web browsers. Trying to say "oh, well that is a web browser issue, i'm talking about just javascript" is foolish. They come together, they get exploited together. A javascript bug to exploit a browser flaw, a browser bug to exploit a javascript flaw, it doesn't matter. The two culprits are always together. As for the tor control port exploit, it happened. It used javascript as the primary method of attack and deanonymized the entire tor network. It doesn't matter if it was patched, as the exploit is a demonstration of what is possible if you have enough determination and intelligence; the fact is that javascript was the primary attack vector in the largest successful anonymity compromise that ever existed. Is javascript a threat to anonymity? Absolutely, no question, proven, case closed. It doesn't matter specifically that it was javascript, but javascript was weaponized and worked across every single browser, firefox, ie, even the text-based lynx browser got compromised! Anytime you allow foreign code to run on your computer, there is potential for compromise.

 

JanusVM is free, and it should pass the various anonymity tests, even with JavaScript, Java, Flash, etc. on.