A VPN Question

So, if I use a VPN services, like say, xerobank, all of my connections are protected (my ip can't be revealed). So, why would I be concerned about javascript? Absent the VPN service revealing my identity, no one can id me, right?

 

You don't have to worry about Java or javascript with Xerobank. Just with Tor, proxies and some of the other services.

 

Javascript works at browser level, no proxy can protect you against malicious javascript executing on your browser, you will have to disable this manually.

One problem is that many websites do not work without javascript enabled, there is some Firefox plugin that lets you choose what sites can use javascript and which ones can't (as well as Java and flash).

NoScript Firefox extension :
http://noscript.net/

 

As Steve mentioned in another post, using Xerobank's xb Browser disables any plugins (javascript included) which may capture you IP address.

 

However, if you’re using xB VPN, there is no concern about Java or JavaScript revealing a user’s true IP address, regardless of which browser is employed.

 

Javascript can be used for profiling user (display resolution, clipboard content, detect addon, installed software, window status, etc.)

 

That's only necessary if you are using the free version, which connects to Tor....and *NOT* the Xerobank network.

When you are connected with Xerobank's VPN, you can use all of the flash, java, and javascript you want. There is no chance of exposure.

 

Is that really important?

 

Yes, it's important for

state separation
defeat correlation of anonymous activity and non-anonymous activity
avoid partition attack

In other words to not compromise anonymity (with VPN also)

 

Javascript can be used to create a "fingerprint" of your computer. While the owner of the fingerprint is anonymous, it can be tracked each time you visit a target website. However, it is unlikely you have an adversary that is employing this tracking technique, and if you do, you are likely aware of it and using additional obfuscation techniques. One problem with this method is that there are many many people using the same non-unique identifiers, such as useragent, timezone/time, language, keyboard layout, screen resolution, installed plugins. So these things are generic for the most part, but any slight tweak or alteration makes the fingerprint worthless. So if you change your useragent using xB Browser, that will help. Obfuscating those things is just as much a fingerprint data as sending the right ones. So you want to send them, you just want them to be variable within a normal set.

 

exactly This is what I meant from what I said in the other thread "by matching the information about your pc that javascript sends"
https://www.wilderssecurity.com/showthread.php?t=245596&page=2
but steve has used the word fingerprint to describe it.

That said I haven't had much time to play around with it yet but I have found that by using Proxomitron on http://browserspy.dk that Proxomitron seems to be able to block javascript from sending all this information while javascript is enabled.

 

Modifying layer-7 data such as javascript is highly invasive, and requires Deep Packet Inspection. If I was a proxomitron user would be very upset to find out that my proxy provider was sniffing all my traffic and rewriting it.

 

for give my lack of knowledge but are you saying that a hardware firewall with deep packet inspection can achieve this? and that it is better to use a hardware firewall with deep packet inspection?

what do you mean by this?

 

If proxomitron is running on your local system, no issue, if you are using someone else's proxomitron server, i would watch out.

 

SteveTX whats your Opinion on this?? posted on a NZ forum from some one who works at telstra ISP. With this Caching this in some ways would be the same as monitoring and logging?? because every website people visit gets stored on the Caching server. would they be doing deep packet inspection along with this Caching?? also too I see a high possibility for the Caching server to be "man in the middle" for ssl https when logging into secure websites. ??

 

Telstra's network is an absolute mess, and the Oceania internet infrastructure is comparable to any 3rd world country. Telstra users have their monthly internet transfers capped at like 500mb ~ 3000mb/month, and live in 500ms of latency from the rest of the world, which is possible to have caused "race conditions" of traffic. To avoid this terrible implementation of caching, the user should tunnel outside of Telstra's peering domain, and route DNS requests through the tunnel as well.

 

While using Iphantom a long time ago, I use to get this text that would show up when I went to a website that would say "Bad User Agent". Do you know what that would have meant?

 

Don't know, but I would imagine that a website was programmed to serve a limited set of browsers, and the iphantom delivered its own useragent (strange), and got you flagged.

 

They did have an option that you could check that was suppose to strip away a website's ability to see things about your browser and stuff. I will have to go take a look and see. Maybe that is what it was. I will report back. If it works, maybe it is something that could be incorporated into cryptorouter.

 

This Iphantom is from 2005 or 2006 so I don't know if tests like these would have given different results then as ooposed to now....or not. But here is what I got:

I checked "block user agent" in Iphantom. Here is what I got at browserSpy.

http://i28.tinypic.com/34dif0z.jpg

Here is what it gives me unchecked:

http://i28.tinypic.com/10hj6dt.jpg

Here is what the configure page looks like:

http://i32.tinypic.com/o7twzt.jpg