Accepting cookies may expose local IP through TOR/VPN?

Discussion in 'privacy problems' started by Resina, Jul 30, 2012.

Thread Status:
Not open for further replies.
  1. Resina

    Resina Registered Member

    Jul 30, 2012
    Recently started using the anonymzing tool TOR. It operates not unlike a VPN service, just more nodes between user and target server.

    The TOR team states, on their site, that one should use HTTPS whenever possible to increase anonymity and encryption of transferred data. However, most sites and email services that requires login, also requires a session cookie to be sent and stored on my local computer.

    My issue is however cookies (session ones or not) can reveal my local IP to the server, whose session cookie I need to accept (to be logged in)? If so, this would constitute an anonymity problem – even through a VPN or TOR.

    TOR erases all cookies when shut down, so the cookies won’t be stored past the session. But just having something on my local system that interacts quite directly with the target server, makes me think twice about accepting cookies.

    Anyone care to shed some light on this matter?
    Thanks in advance
    Last edited: Jul 30, 2012
  2. EncryptedBytes

    EncryptedBytes Registered Member

    Feb 20, 2011
    I say you would run the risk of being tracked if you use tor inside your native browser such as "Torbutton". The danger would be you would receive cookies while piping your traffic through the Tor network, and then in plaintext once Tor was disabled, meaning any cookies left after your tor session could in theory then associate you with the websites you visited in Tor. Not to mention you are also leaking browser user agent And capability information as well.

    If you use an isolated browser such as the Tor browser bundle, this shouldnt be a huge concern as cookies are cleared after each session. And the browser is designed by default to pipe all traffic through the network your local IP should not be leaked. Remember Tor is for anonymity not privacy, if you are using tor to visit accounts already associated with your real identity a VPN may be a more viable option to consider.
  3. mirimir

    mirimir Registered Member

    Oct 1, 2011
    Use Tails.
Thread Status:
Not open for further replies.