A VPN Question

Discussion in 'privacy technology' started by overland, Jun 30, 2009.

Thread Status:
Not open for further replies.
  1. overland

    overland Registered Member

    Joined:
    Jun 30, 2009
    Posts:
    5
    So, if I use a VPN service, like say, Xerobank, all of my connections are protected (my IP can't be revealed). So, why would I be concerned about JavaScript? Absent the VPN service revealing my identity, no one can ID me, right?
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    You don't have to worry about Java or JavaScript with Xerobank. Just with Tor, proxies and some of the other services.
     
  3. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    260
    JavaScript works at browser level. No proxy can protect you against malicious JavaScript executing on your browser; you will have to disable this manually.

    One problem is that many websites do not work without JavaScript enabled. There is some Firefox plugin that lets you choose what sites can use JavaScript and which ones can't (as well as Java and Flash).

    NoScript Firefox extension:
    http://noscript.net/
     
  4. vondiggidy

    vondiggidy Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    8
    As Steve mentioned in another post, using Xerobank's xB Browser disables any plugins (JavaScript included) which may capture your IP address.
     
  5. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    However, if you’re using xB VPN, there is no concern about Java or JavaScript revealing a user’s true IP address, regardless of which browser is employed.
     
  6. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    JavaScript can be used for profiling the user (display resolution, clipboard content, detect addon, installed software, window status, etc.)
     
  7. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    That's only necessary if you are using the free version, which connects to Tor....and *NOT* the Xerobank network.

    When you are connected with Xerobank's VPN, you can use all of the Flash, Java, and JavaScript you want. There is no chance of exposure.
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Is that really important?
     
  9. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Yes, it's important for

    state separation
    defeat correlation of anonymous activity and non-anonymous activity
    avoid partition attack

    In other words to not compromise anonymity (with VPN also)

    :)
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    JavaScript can be used to create a "fingerprint" of your computer. While the owner of the fingerprint is anonymous, it can be tracked each time you visit a target website. However, it is unlikely you have an adversary that is employing this tracking technique, and if you do, you are likely aware of it and using additional obfuscation techniques. One problem with this method is that there are many, many people using the same non-unique identifiers, such as useragent, timezone/time, language, keyboard layout, screen resolution, installed plugins. So these things are generic for the most part, but any slight tweak or alteration makes the fingerprint worthless. So if you change your useragent using xB Browser, that will help. Obfuscating those things is just as much fingerprint data as sending the right ones. So you want to send them, you just want them to be variable within a normal set.
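
Added example, not part of the original thread: a small model of the fingerprint and correlation points raised in the posts above, showing how many people share a given set of script-readable attributes and which source IPs one fingerprint ties together. The visitor records, the `who` ground-truth label and the "MyPrivateBrowser/0.1" user agent are constructed sample values.

```javascript
// Added illustration: every record below is constructed sample data.

// Attributes a page script can read, as named in the thread.
const FIELDS = ["userAgent", "timezone", "language", "screen", "plugins"];

// Join the attributes in a fixed order so equal configurations collide.
function fingerprint(visit) {
  return FIELDS.map((f) => `${f}=${visit[f]}`).join("|");
}

// All visits presenting the same fingerprint as the named person's visits.
function sameFingerprint(visits, who) {
  const own = new Set(visits.filter((v) => v.who === who).map((v) => fingerprint(v)));
  return visits.filter((v) => own.has(fingerprint(v)));
}

// Anonymity set: how many distinct people present that fingerprint.
function anonymitySetSize(visits, who) {
  return new Set(sameFingerprint(visits, who).map((v) => v.who)).size;
}

// Source IPs the fingerprint ties together, whether a VPN exit or not.
function linkedIps(visits, who) {
  return [...new Set(sameFingerprint(visits, who).map((v) => v.ip))].sort();
}

// "who" is ground truth used only for scoring; a website never sees it.
const common = {
  userAgent: "Mozilla/5.0 (Windows NT 5.1; rv:1.9) Firefox/3.0",
  timezone: "UTC-6", language: "en-US", screen: "1024x768", plugins: "Flash,Java",
};
const tweaked = { ...common, userAgent: "MyPrivateBrowser/0.1" }; // rare value
const VISITS = [
  { who: "alice", ip: "192.0.2.10", ...common },
  { who: "bob", ip: "192.0.2.11", ...common },
  { who: "carol", ip: "192.0.2.12", ...common },
  { who: "dave", ip: "198.51.100.7", ...tweaked }, // home connection
  { who: "dave", ip: "203.0.113.50", ...tweaked }, // VPN exit
];

console.log("alice shares her fingerprint with", anonymitySetSize(VISITS, "alice"), "people");
console.log("dave shares his fingerprint with", anonymitySetSize(VISITS, "dave"), "person");
console.log("IPs linked by dave's fingerprint:", linkedIps(VISITS, "dave"));
```

A rare attribute value that stays constant across visits leaves an anonymity set of one, and that fingerprint joins the home-IP visit to the VPN-exit visit even though the IP changed.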
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Exactly. This is what I meant from what I said in the other thread, "by matching the information about your pc that javascript sends"
    https://www.wilderssecurity.com/showthread.php?t=245596&page=2
    but Steve has used the word fingerprint to describe it.

    That said, I haven't had much time to play around with it yet, but I have found by using Proxomitron on http://browserspy.dk that Proxomitron seems to be able to block JavaScript from sending all this information while JavaScript is enabled.
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Modifying layer-7 data such as JavaScript is highly invasive, and requires Deep Packet Inspection. If I was a Proxomitron user I would be very upset to find out that my proxy provider was sniffing all my traffic and rewriting it.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Forgive my lack of knowledge, but are you saying that a hardware firewall with deep packet inspection can achieve this, and that it is better to use a hardware firewall with deep packet inspection?


    What do you mean by this?
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    If Proxomitron is running on your local system, no issue. If you are using someone else's Proxomitron server, I would watch out.
     
  15. axle00

    axle00 Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    92
     
  16. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    SteveTX, what's your opinion on this? Posted on a NZ forum by someone who works at Telstra ISP. With this caching, this in some ways would be the same as monitoring and logging? Because every website people visit gets stored on the caching server. Would they be doing deep packet inspection along with this caching? Also, I see a high possibility for the caching server to be "man in the middle" for SSL HTTPS when logging into secure websites?

     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Telstra's network is an absolute mess, and the Oceania internet infrastructure is comparable to any 3rd world country. Telstra users have their monthly internet transfers capped at like 500mb ~ 3000mb/month, and live in 500ms of latency from the rest of the world, which is possible to have caused "race conditions" of traffic. To avoid this terrible implementation of caching, the user should tunnel outside of Telstra's peering domain, and route DNS requests through the tunnel as well.
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    While using Iphantom a long time ago, I used to get this text that would show up when I went to a website that would say "Bad User Agent". Do you know what that would have meant?
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Don't know, but I would imagine that a website was programmed to serve a limited set of browsers, and the iphantom delivered its own useragent (strange), and got you flagged.
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    They did have an option that you could check that was supposed to strip away a website's ability to see things about your browser and stuff. I will have to go take a look and see. Maybe that is what it was. I will report back. If it works, maybe it is something that could be incorporated into cryptorouter.
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz