Cookies, flash & Java see REAL IP thru VPN?

Discussion in 'privacy problems' started by TheCatMan, Oct 6, 2013.

Thread Status:
Not open for further replies.
  1. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Hi bit of a newbie question here, I have heard many folk on the net suggest its best to disable flash when surfing since there is always a risk adobe or another 3rd party could see your REAL ip address, even if you used a VPN service.

    I have also heard if one logs into there email account, online banking, even with skype and with a VPN on, this again can reveal your true IP address.

    But how do they do this and is it as bad as it sounds and should I worry ?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    That's a complicated question. I'll start with cookies. Let's say that you're browsing while connected to your VPN, and some website sets a cookie, or maybe a third-party cookie. And let's say that you're using the same browser later, after disconnecting the VPN. If you haven't deleted those cookies, and you browse a site that owns one of them, the site could correlate your real and VPN IP addresses.

    Any document that can call resources from the Internet, such as PDFs and Word documents, can accomplish the same result. It doesn't matter whether you download it with the VPN or without. It's just that it can "call home" whenever you open it. But you can lock that stuff down in the apps that you're using. Flash and Shockwave are more aggressive about making Internet calls, but they won't leak if the VPN connection is properly routed and firewalled.

    All bets are off with Java and Javascript vulnerabilities. First, there's little reason to have Java enabled in your browser, even if you need JRE for Java apps. Even with Countermail, for example, you only need Java enabled in your browser for setting up an account.

    Most of the Web is unusable without Javascript. But using NoScript and AdBlock Plus, and allowing just enough to see what you want, is fairly safe. However, if you get hit through a vulnerability, there's not much hope.

    Even so, if a machine doesn't know its true IP address, it can't reveal it. That's why it's prudent to segregate/compartmentalize apps from networking. Whonix does that for Tor. That's why I keep pushing pfSense VMs.

    Anyway, that's enough for now, no?
     
  3. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    thanks mirimir as always :)

    Yeah I have always left java on, just figured I need it for logging in and on bank sites, and emails etc, I don't play those web games though etc

    I will try it with java disabled.

    I use to run Noscript but found it frustrating I leave adblock plus on, even minor things like ordering something off paypal or ebay or wondering why an icon or box would not load on some random site so left it off my to do list lol Do you feel its best to keep it?

    I agree to compartmentalize everything, running virtual box and os or linux or whonix, at least your spreading your level of use, I still gotta start doing that properly.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    De nada :)

    Are you sure that you mean Java? On Linux, at least, Java isn't even installed by default. And, even if you install JRE, it won't be enabled on your browser unless you specifically do that after installation.

    I suspect that you're thinking of Javascript. They're totally unrelated, except through their names, and that was a dumb move.

    It's safest to use both NoScript and Adblock Plus, and only allow the scripts that you need on the sites that you need them on. It does reduce your anonymity. But if you want to be anonymous, just use Tails in read-only mode, and don't access sites that require Javascript ;)

    Good :) "Be prepared!" as they say :)
     
  5. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I checked in addons manager under firefox under plugins on win7 and I saw java platform se and java deployment kit enabled, so disabled them both ?

    must have installed it, anyhow does not seem to effect browsing sites yet!

    Yeah may need to look back into no scrip addon..... although not looking forward to adding and whitelist and blacklist and issues again ;)

    always sound advise as always, thx.
     
  6. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I don't have Java installed on my computer. As far as I know I have no need for it.

    I use Sandboxie with all of my browsers and I delete the sandbox after each use, so there is no chance of a cookie persisting.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    There are cool things that use Java:

    • Freenet
    • I2P
    • Countermail
    • various cross-platform apps written by lazy people ;)

    Tahoe-LAFS, at least, uses Python ;)
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Thanks. So far it doesn't look like I need it. But if I ever do I guess I'll just have to install it. I have heard that I2P is pretty cool but I have nrvrt tried it.

    I did try Freenet a long time ago but I couldn't figure out how to see anything there. The other thing too is I am afraid of having other people's stuff stored on my computer. That gives me the creeps. So I am a little afraid of freenet.
     
  9. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Would running VPN + VM solve the problem? Or should we now also run VPN + VM + VPN?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, running a VPN in the host and using a VM for browsing would protect you. You'd be vulnerable to exploits that can break out of the VM. But it's my impression that such exploits are still rare, and would presumably be reserved for high-value targets.

    Running a second VPN on the VM, so it tunnels through the VPN running on the host, improves your anonymity somewhat. Adding Tor to the mix would increase your anonymity a lot. For example, you could run a VPN on the host, plus the Whonix Tor gateway and workstation VMs. Using the Whonix workstation VM, you'd be browsing with Tor tunneled through the host VPN.

    You could also run another Linux VM, which is running a second VPN. That way, you could do somewhat-private work on the Linux VM, and very-private work on the Whonix workstation VM. However, you would need to have all VMs shut down, and also shut down the VPN running on the host, in order to do non-private work using your true name. While you could do that through the host VPN, with the VMs running, it would reduce the anonymity provided by the VPN->VPN chain.
     
  11. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25

    Excelent thread.

    I don't know how to set a VM, so I'm using Comodo Virtual Kiosk. Is it ok?

    In a VM, cookies, java , flash, does not know your real IP? Or I have to reset Kiosk every time I leave?

    I running a VPN in my notebook, set automaticaly for a software, PIA manager. Running Kiosk (VM?) and then running TOR, it will go inside the VPN tunnel? Is it a good way for privacy?

    Thanks in advance guys.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't know Comodo Virtual Kiosk.

    Generally, when you're running a VPN and Tor together on a machine, Tor will tunnel through the VPN. But it's best to use Tor Browser Bundle, because its version of Firefox is tweaked to improve anonymity, and browser connections outside Tor are blocked.

    The best way to easily use Tor is running VirtualBox and Whonix. If you're running a VPN on the host, the Whonix gateway connects through it. Whonix is well locked down, so you can use just about any TCP-based app on it without leaks.
     
  13. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    you can achieve what you want by using sandboxie (paid version preferably).
    create two separate sandboxes. use on for vpn surfing and create a dedicated web browser shortcut for that sandbox on desktop, set sandbox content to be deleted on exit. force everything run in that sandbox and restrict internet connection for everything except desired software.

    create one more sandbox for your regular connection and set it as you please.

    that's it (well roughly).
     
  14. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Thanks IMDB, I'll try it, but I'm just learning many stuff here, it will take sometime in order I can accomplish your sugestion.:thumb:
     
  15. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25

    Thanks Mirimir. I have already created a VM with VB and I will try whonix. I am reading your guides, congratulations, very good.

    Actually, I guess I only need a good, trusted and reliable VPN. But now I got an itchy and I think I have a new hobby by now...lets see what I can achieve in the near future...it is a learning curve...

    Thanks to you all

    Cheers
     
  16. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    Mirimir:

    Can you please explain your comments on pfsense VPN? Honestly, I have never heard of pfsense.

    Thank you ...

     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    pfSense is an open-source router/firewall OS that's based on FreeBSD. It includes many features that are otherwise readily available only on very expensive equipment for enterprise use. And there are versions for just about any hardware.

    For one's primary Internet connection, it's prudent to have at least a NAT router/firewall between the modem and LAN. There may be an integrated box, but all of the components should be there.

    pfSense VMs serve the same function as VPN clients. Each pfSense VM hosts a virtual LAN (a VirtualBox internal network). That virtual LAN is isolated from the VPN tunnel just as the primary LAN is isolated from the Internet. Incoming traffic from the VPN tunnel is blocked, just as incoming traffic from the Internet is blocked by the primary LAN router/firewall.

    Separating the router/firewall from the workspace in separate VMs also protects against successful exploits on the workspace. Even if they hose the workspace, they can't (unless they're very capable) mess with the router/firewall and learn the Internet gateway IP address that the router/firewall WAN can see.

    I've recently found that pfSense VMs also make good Tor gateways. But I haven't yet learned how to lock them down well enough to rely on. Whonix is my standard :)
     
  18. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    Thanks for that.

     
Loading...
Thread Status:
Not open for further replies.