can cookies/javascript reveal real ip on tor?

Discussion in 'privacy problems' started by stevemajster, Mar 30, 2013.

Thread Status:
Not open for further replies.
  1. stevemajster

    stevemajster Registered Member

    Joined:
    Feb 26, 2013
    Posts:
    3
    I am using TOR. Most sites and email services that requires login, also requires a session cookie to be sent and stored on my local computer.

    My issue is cookies can reveal my real IP to the server?

    Also on the some sites we must enable javascript (not JAVA) to site working corectly. Is enable javascript can reveal our real ip adress?
     
    Last edited: Mar 30, 2013
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,021
    Are you using one of the setups with Tor-modified Firefox, such as TBB, Tails or Whonix? If you're not, there may be vulnerabilities that are at least mitigated by those setups.

    If a cookie persists from Tor use to non-Tor use, and you access the same site (or others that can read third-party cookies), it's possible to correlate Tor exit IPs with real ISP-assigned IPs.

    Tor-modified Firefox prevents that. Also, using other browsers distinguishes you from other Tor users, and reduces anonymity.

    Tor-modified Firefox includes NoScript, but doesn't block scripts by default. See -https://www.torproject.org/docs/faq.html.en. You can change to blocking by default, and allowing for particular sites. But doing that distinguishes you from other Tor users, and reduces anonymity.
     
  3. stevemajster

    stevemajster Registered Member

    Joined:
    Feb 26, 2013
    Posts:
    3
    Yes i Am using Tor-modified Firefox.

    "Tor-modified Firefox includes NoScript"
    I dont disable noscript. It is always enable.
    But some sites request javascript. And I enable javascript in torfirefox setting (not in noscript option).

    If i dont enable it site doesnt run. For example, site menu doesnt works.

    So it can reduce anonymity to reveal real ip adress?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,021
    It's possible, but very unlikely. The Tor Project's choices -- leave Javascript enabled in both Firefox and in NoScript -- speak for themselves.

    Some time ago, I believe that Javascript was disabled by default. But people just enabled it, because many websites won't work without it. And that reduces anonymity, especially when each user allows some scripts on some sites, but not others.

    It's my impression that potential deanonymization via Javascript exploit has been judged better than certain deanonymization via Javascript tweaking.
     
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I do not think it is possible. The cookies can track your activity across different sites though, and that's why you need to be aware or disable them when possible.

    I tend to disable javascript when using TOR for the same reasons I mentioned above (tracking), but I didn't see an actual piece of javascript code that can reveal your IP.
     
Loading...
Thread Status:
Not open for further replies.