Using Google anonymously? Not possible!!

So I learned that if you have Java on, Tor is worthless, since Java can just send your real IP address back to the webserver. Great. So I turn off Java and Javascript. I then go to google. But to my surprise (or not) Google no longer is sleeping with me. It says,

Google
Error

We're sorry...

... but your query looks similar to automated requests from a computer virus or spyware application. To protect our users, we can't process your request right now.

We'll restore your access as quickly as possible, so try again soon. In the meantime, if you suspect that your computer or network has been infected, you might want to run a virus checker or spyware remover to make sure that your systems are free of viruses and other spurious software.

We apologize for the inconvenience, and hope we'll see you again on Google.
​

Q1. This is the easy question. Since Google doesn't like searches without Java and Javascript I am thinking that perhaps I can turn off Java but leave Javascript on. Can Javascript determine your local IP address via a "getip" function and send it back home to the website? If so, then I can still use Google anonymously without much more effort.

Q2. This is the tough question. Real tough. But it is critically important. Yes, Java ALLOWS a website to send back the local ip address, and even via traceroute get the ip address your ISP assigned you, but does the google code actually do this? I right clicked on a google search and got functions like "return qs(this)". But is there actually a Java function that Google is really using that sends ip addresses back? Does Google actually load up embedded Java code in its webpages that does this? It shouldn't take someone more than five minutes of looking at a search result source code to find the answer to this Q, but I don't know Javascript well enough to know myself.

John Horner

 

Scroogle

Cheers,

Alphalutra1

 

I search Google with both Java and JS disabled and cookies blocked. Google-ads, syndication, analytics and a few others filtered out by Proxomitron.
I use Mozilla, now called Sea Monkey, with the Dictionary Search extension. Versions of this extension are available for both Mozilla and FF. It accepts up to 4 different online dictionaries. Instead of linking to an online dictionary, use these entries:
For Google web search:

Code:

Google web search for "$"
http://www.google.com/search?as_q=$&num=100&hl=en&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=off

For Google image search:

Code:

Google image search for "$"
http://images.google.com/images?as_q=$&svnum=20&hl=en&output=images&btnG=Google+Search&as_epq=&as_oq=&as_eq=&as_filetype=&as_sitesearch=&safe=off

Both can be edited to match your preferences. They work with JS, Java and cookies blocked.
Rick

 

Customize Google

 

You can block this tactic with a software firewall by ensuring that your browser is only allowed to connect to Privoxy (or Proxomitron if you are using that first).

This is a known issue and is down to Google misinterpreting the traffic from major Tor exit nodes as an attack. You can either change identity (if you are using Vidalia) or use another search engine (Scroogle has been suggested but Clusty is worth checking out - it often returns more results than Google). If you are using Proxomitron, there is a Google-Scroogle redirector that diverts you to Scroogle (copying across your search terms) if it detects blocking by Google. It does require an update which I have been working on - but I can only test the filter when I encounter this symptom myself which is rather rare.

I have never allowed Java or Javascript with Google and, aside from the occasional blocking above (which is unrelated to page content) I have never encountered a problem.

Google uses lots of Javascript but no Java that I can see (hint: to check for Java on a webpage, simply use the View Source option of your browser and search for "<APPLET " - this tag is required to include Java on a page). You should also notice a slight delay in Java-using webpages since they need to start the Java Runtime Environment.

 

Hello,
I use Google with JS turned off + CustomizeGoogle extension. Never had any problems. Except the single twilight zone issue that lasted about 10 hours and affected FF and Opera.
Mrk

 

Scroogle is good, but I had stopped using it when I noticed that it returned results totally different from direct results. I just tested google again and it appears they stopped feeding scroogle crap results, and scroogle seemed identical. So thanks for your comment after all.

John

 

Dear Herbalist,

Thanks for this suggestion. It took me a while to figure out what you are doing but after a while I got it. Basically, the plugin lets you by pass Google's anti-anonymity (tor ip blacklist) filter. I will be testing it and hope to report back my findings. Thanks for the idea.

John

 

The premise that this does any good is that cookies are only the tool used by Google to determine your identity. And it is false. I already use temp cookies for google. Ip addresses are linked up to cookies when possible, but googleanalytics could easily be sending your real ipaddress back to Google. The code to tie the two together is not hard to write.

You see, contrary to what I thought, JavaSCRIPT alone can be used to phone home your real ip address by constructing long webbeacon url on their server that contains your local ip address and then parsing the log file. Read here, section 2.3 in particular. That is my I asked question #2 of my post. Is Google actually running this sort of code?

John

 

Paranoid2000- I checked out Clusty and it looks promising, even as my default search engine on IE7. Anything you could tell me about Clusty that may not be obvious on the surface? I see they claim not to track internet surfers or collect personally identifiable information but they claim to collect aggregate info. and seem to collect user information with consent. And the consent is implied from use of the search engine. Their privacy policy seems a bit circular. Could you throw in your opinion of Clusty?

Thanks.

 

Google Analytics could only determine your real address if you were excluding https: traffic from being routed via Tor.

In that example, Javascript was being used within a messaging system to trigger a standard web request. It would not reveal the real address of someone using Tor or any other proxy.

I've not looked at their privacy policy - as long as cookies are blocked and a proxy used, they get no personally identifiable data to collect in the first place. However they don't appear to gather data from other sources (like Google does via its AdSense and Analytics programs) so even without such protection, they are still less of a Big Brother than Google is currently.

 

See also

http://search.vivisimo.com/

http://vivisimo.com/html/about

I've been using them for ages. They also have a Firefox plugin!

 

Does this make it clearer?
http://i138.photobucket.com/albums/q277/herbalist-rick/dictsearchwGoogle.gif
Google supplied most of it themselves! If you want to customize it for your own search preferences, first get rid of all google cookies. On the web search, click on "advanced search", then set all your preferences. Leave the actual search entry blank then click "search". This will take you back to their main page. Copy everything in the address bar. It'll look like this:

Code:

http://www.google.com/webhp?as_q=&hl=en&num=100&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=&as_rights=&safe=off

Edit this section:
webhp?as_q=
to
search?as_q=$
Leave the rest as is. It's your saved preferences. The "$" is necessary to work with the text line entry:
Google web search for "$"

It's basically the same procedure for image searches. Just start on the image search page and go to "advanced search".
Depending on what else you'd use the dictionary search extension for, you could set up multiple search preferences this way. I haven't tried this with other search engines but some variation of the idea should work with many of them.
After you get everything set up, delete and block all their cookies. If you want, block Java and JS, either for Google sites or overall, which ever you prefer.
Let me know how it works for you.
Rick

 

The disadvantage of doing this is that that browser is forever forced to use tor. Tor is so insanely slow that this is not ideal. Why exactly is it necessary to do this? Is it because of potential leaky plug ins? Outpost4 logs didn't show any leaks, though it would really help if these logs were packet based instead of channel based. Perhaps I am confused, but PG2 shows network activity per packet. I can't get Outpost4 to do this. Instead, it only shows NEW connection channels. Opening up a web page while already running tor causes no external network activity according to Outpost4.)

Wow. I really respected you Paranoid2000. But this "issue" is something Google clearly intentionally programmed using a tor blacklist like that on http://www.jungsonnstudios.com/blog/?i=47&bin=101111. The notion that a 1-30kB/s tor connection with latency so bad that it takes me 5-30 seconds per page could be taxing Google is a bit far-fetched to me. When they suggest that you have a virus or malware they are flat out lying, since a botted computer is already as anonymous as you can get. (Besides, a botted computer would NEVER use tor, which even a dolt of a user is likely to notice if it is running.) Are you so gullible to think that Google isn't evil? I doubt it. Their motto is to cover up this fact. Google LIED by giving this bogus response if they can't detect your ip (you are using Tor AND turn off javascript).

Well we are doing something different then, as I get this error about 30% of the time. Try using the User Agent plugin? I think that might increase the chance. (It is a super weak version of Proxomitron.) I checked your url but saw no download to click on.

Thanks, that answers Q#2. I am still not convinced that Javascript can't get the local up address and embed a url like http:\\googledataipcollectionservice.com\users\mylocalipaddressis-111.222.222.333.jpg.

I will have to do more research.

In the meantime, turning off Java and JavaScript really messes up Firefox. The correct solution is to modify JAVA so that you can trick the or nuke or at least be alerted when a program is using the ?InetAddress.getLocalHost()? function. Any comments about doing that, anyone?

John

 

If you wish to disable Tor and connect directly, then just change the firewall rule to allow a direct connection. Since you mention Outpost, I'll point to the rules suggested here - with these, allowing your browser direct access again is a simple case of enabling one rule (and remembering to disable it afterwards).

I would class this as more a precaution than a necessity. It ensures continued anonymity, even if an exploit was discovered that could cause a browser to connect directly.

Which is as it should be - the page request and response will be sent using the existing (encrypted) Tor connection.

If that was the case, then you would not be able to access Google at all with Tor. The reality is that only a few exit nodes are blocked - switching identities (if you have Vidalia) or just waiting for your Tor client to change connection (it does this every 10 minutes by default) will fix the issue.

BTW that blacklist example is just a hard-coded list of IP addresses - there are better ways to detect a Tor node.

You aren't the only person using Tor - there are hundreds of thousands of others and the main exit nodes are responsible for 2MB/s of traffic or more.

Perhaps this sequence of events may explain things more easily:

• Google gets attacked a lot by bots (e.g. spammers scraping email addresses or text to add to their spam to confuse filters).
• Google tries to counter this by applying a block on addresses that send more that a certain level of queries. Any reaching this receive a standard webpage warning instead.
• Major Tor exit nodes that handle traffic for thousands of users reach this threshold.
• Tor users doing a Google search via that exit node get to see this webpage instead of their search results.

Google doesn't know (or care) that you are using Tor, they have just flagged that address as a source of excessive requests and blocked it with a standard warning page - there's nothing malicious or "evil" about it and it is quite easy to work around. This is documented on the Tor Wiki.

Tor would actually be a useful communications channel for malware so it is very likely that we will see something using (or abusing) it in the future if there isn't something out there already - if a user doesn't notice a bot running, odds on they wouldn't notice a Tor client either.

There is nothing "evil" or "deceptive" about this, it is a standard warning page which you would encounter with any proxy shared by enough people (unless Google were made aware of it and chose to increase their threshold for that address).

The block set by Google is based on IP address, not user agent - that plugin will have no effect whatsoever.

That is because it is a Proxomitron filter which you copy and paste into your existing configuration - see the Proxomitron help for more details.

If you have a router, then your local address is most likely in the 192.168.x.x range which would be of no use to any data collection service since everyone else with a router will have a similar address (that address range is allocated for use by private networks and is therefore a popular choice with routers using Network Address Translation for connection sharing). In such a case, your "unique" IP address (the one assigned by your ISP) will only be visible to sites you connect to directly.

Can't be done reliably. The reason is that Javascript is too complex a language to filter - a malicious website can use dozens of methods of obfuscating its Javascript code so no text-based filtering on webpages can be relied upon with Javascript enabled. Disabling Java and Javascript by default (and enabling them only on sites you decide to trust) is the only effective method.

 

Paranoid Dude, you make some great points. And I am a newbee here. But you are smoking something good, cause you just admitted that the main reason for these blocks is due to # google queries/ time limits, not because of malware. You can't have it both ways. I have to agree with the initial poster, google is being deceptive here. They are cleverly twisting the facts and sidestepping the beef of the issue instead of just saying "dude, you are pounding our servers. Lay off already," which is clearly what is happening when someone decides to parse a server-side query to their clients without mr. brin and page getting a piece of the pie or be a tor server.

 

Read the Wiki on this please - it's a standard warning page. Google have no way of knowing in advance if an address is being shared or not (as Tor nodes are) so that is why you may see the warning even if no malware is on your system.

 

Chicken and Paranoid2000,

You are both only partially right. Paranoid2000 is right in taking the official line concerning Google because there was at least one actual worm that would mine Google for email addresses called MyDoom (one variant at least).

But Paranoid2000 (and the wiki he references) is also wrong. The reason is because the wiki implies that Google doesn't have the ability to have a tor whitelist, like that discussed above. The fact is that Google already has such whitelists for their partners and it would be trivial to dynamically add the tor exit nodes onto their existing whitelist database. Google and the tor team are playing dumb concerning tor. I don't know if they have unused bandwidth or, more likely, they have people researching tor, but the fact is that some of the tor exit nodes are actually google servers!!!

John

 

Hi,

Actually, if an entity manages to use a scripting language like javascript, activex and so on to gather info from you BEHIND a router then it's still possible to discover your real ip. All they need to do is give you a unique code and ping or deliver some packet to one of their machines and it'll automatically contain your real ip address as the source.

As said earlier in this thread; disable stuff like java, javascript and so on and only use it for sites you can trust/need.

Greetz,

Falco

 

This cannot be done without running an external program (e.g. ping, tracert or something else). As discussed above, this can be done via ActiveX or Java but cannot be done using Javascript alone (though Javascript could be used to obfuscate ActiveX/Java calls).