How can I test if my browsing is anonymous?

that I know if It Probably is the best with the right rule set. unless you want to install and Pay for VM. But then again if I can create a rule set with MD to Properly Isolate the browser from the OS some people would find it easier to just upload the rules to their MD.

I have only tried Proxomitron with a rule set once or twice but I had problems loading google for reason. I am still using admuncher atm. I am just waiting for Steves Deanonymizer to arrive then I will be getting back into this browser issue.

 

Has any one tried this Random user agent on FF 3.5 ? for some reason as you can see I can't select the options button. I can't get it to work.

 

I have never even heard of it. But it sounds interesting. I don't have enough knowledge yet to do much configuring on my own.

 

What JavaScript function reveals IP address? I thought that JavaScript is sandboxed. Or what are the methods to find real IP from JavaScript?

 

Yes, using tor will slow your speed, so you'll have to make some compromises for privacy.

 

Actually you can create a fully anonymous identity and while surfing with that identity don't provide any real info about yourself. You can install an alternative browser for that identity, disable all scripts, configure it to use TOR or something similar and use it only for anonymous browsing.

 

While your ISP knows who you are?

 

And how this can compromise your identity if you're using an anonymous encrypted tool, like tor?

 

That depends on what I'm trying to achieve in as much what I'm doing is important enough for somebody or someone to establish who and where I'm. For everyday internet use there is no need for anonymous tools except to earn money for businesses who play on peoples fears

 

Hi ResoMail,

I use a Firefox add-on, Show MyIP, which displays the ip address of my router. The code in JavaScript is the function called aktivieren unique to Show MyIP which can be viewed by unzipping the tsql.jar file in the chrome directory of the Firefox profile extensions directory.

The method it uses is a request to: http://www.tsql.de/download/addon/ip-adresse.php which if you paste into your browser's address/location bar and click on the green arrow will reveal your ip address in the browser window/tab.

Note: If you are using Tor, then it should return the exit node's ip address after 3 hops and not your local ip address - if Tor is configured and working properly (i.e. not been compromised).

-- Tom

 

If I ever want to visit a site without showing the IP my ISP has currently allocated me , I use something like this.

http://anonymouse.org/anonwww.html

 

Plug this link into it.

http://www.frostjedi.com/terra/scripts/ip_unmasker.php

 

Thank you, but what you showed doesn't reveal your real IP address. Actually I was afraid that since JavaScript executes on client side it somehow can have access to local client data. (I know that it is sandboxed and it shouldn't have access to local data)

 

The last link on that page shows my true IP on the 4 anonymous web proxies I just tried it on. It's good to see an actual example of this occurring. Doesnt' work when scripts are turned off, but you'd expect that.

What I would like to see now is a script based example which shows your real IP when using tor (with scripts enabled), or maybe a VPN. None of those scripts are successful with tor or the VPN service I just tried.

Also of interest is this lnk http://www.phpbb.com/community/viewtopic.php?f=70&t=1174765
It's coding for websites to expose a persons's real IP if a proxy is used when a person connects.

 

The link that I posted was posted here about 2 years ago and it use to work with tor. But I guess the Tor project fixed it.

But evidently Steve and Kyle at Xerobank are opening a website on Aug 1st that will deanonymize a lot of proxies, Tor, and maybe some VPN's as well.

 

Hi ResoMail,

If you use the Show MyIP Firefox add-on without using a proxy, it certainly does show your real ip address. It, of course, does not seek to have access to local client data.

-- Tom

 

Thanks for this link.

by testing with a proxy with javaScript enabled and javaScript Disabled. It proves that JavaScript DOES INDEED reveal your real IP address.

whats this about Show IP add on? is it meant to prevent javascript from showing your real IP?

 

ShowIP shows the destination website's ip address, not your ip address. NoScript only has a check box to prevent Java, while Firefox has a check box to disable JavaScript.

Show MyIP is meant to show your ip address when not used with a proxy, but if used with a proxy like Tor should be routed to the exit node's ip address that is reported as the ip address.

Note: when Torbutton is enabled, ShowIP shows the name of the destination website, not the numbered ip address.

-- Tom

 

I'll bet you anything that it will not deanonymize Tor. It doesn't have to be a money bet.

I don't believe for a second that it will be done. I just wanted to go on the record as having said this when it fails to work.

Let me add that deanonymizing Tor and exploiting a browser or OS are two different things. Since I consider my system to be hardened, I'll be in a good position to judge it.

To me, a decentralized service like Tor will always be superior to a paid service. A paid service will always be centralized to some extent. With Tor, there is no single individual or entity that can expose a user. Yes, there are potential exploits, but the authorities of a country cannot threaten, pay, or cajole any one person/entity to expose a user. Perhaps Steve's character is beyond reproach, however, I've never known such a person to exist. Maybe he's the first. I couldn't tell you. But I think the operator of a paid service would have to have impossibly good character and judgment to really have unwavering faith in them. With Tor, these issues are far less important. Mitigating potential exploits are the limiting factor with Tor. But I trust it more than any service I've used. I have to say that I'm a little surprised (*cough* disappointed *cough*) more people haven't talked about the centralization issue in this thread. In my opinion, Tor provides the strongest anonymity of any service. I use it when I absolutely, positively have to be anonymous. It's drawback is it's relatively high latency (i.e. slow page loads), but it seems to have improved markedly recently. I use other, faster proxies when I want to be private but not necessarily anonymous. I still consider Tor to be the gold-standard.

There is another issue that many people don't seem to consider. One piece of information (e.g. your IP address) does not positively identify you. Someone else can be using your connection. It's the same with your credit card. Someone else could have used it. Two pieces of information (e.g. your IP address + your credit card or your IP address plus a username definitively tied to you) pretty much nails you. If you're trying to be anonymous, I would definitely take this into consideration. If you're just trying to gain some privacy, then it's not so important how you pay. If I'm trying to be anonymous, then I wouldn't pay with a credit card in my name or give any personal information that can be tied to me. At worst, the information someone has on you will be limited to your IP.

However, if Steve manages to deanonymize the Tor service I'm using right now, I will definitely sign up for his service instantly. That would be a feat that would definitely impress me, and I'm not easily impressed. I won't hold
my breath though.

p.s. I also want to add something about a general trend I've noticed. The people here seem to be as prone to manipulation as the general public. I really question the expertise on this forum based on the lack of critical thought I've seen with regard to proxies and anonymity. I have to wonder if it's due to all the advertisement here by certain unnamed individuals. The amount of critical thought has really degraded over the last couple years. The word "sheep" really does come to mind. I know I'm not an expert in this field, but I really feel like one when I read some of these comments. I strongly feel like we should be more critical of those with a clear financial motive to make certain posts. I'm not saying that they should not be believed but that they should be held accountable. I, for one, will be watching the Ultrasurf thread to see what all the hoopla was about. And, after all of that build-up, I had better be impressed.

As far as I can tell, no one responsible for the upcoming deanonymizer service has promised that it will work on Tor. But, if indeed that promise was made, I would definitely hold them accountable for that promise.

Let the flaming begin.

 

Himynamaborat, you may be interested to know that XeroBank is initiating steps to become more decentralized -- see XeroBank to Decentralize Trust.

P.S.: I agree that critical thought should always be present when assessing product claims.

 

What third parties precisely?

With Tor, we can independently verify that it is indeed decentralized because anyone can relay traffic. Now, undoubtedly, some exit nodes will be malicious, but that is why three nodes are used. I can verify this.

Can I have information on Xerobank's third parties? The blog states that it will still be broadband speeds and trusted peers. That's certainly not like Tor. That's not to say that this isn't a good development, but I'd like more details. Certainly, Xerobank would have to pay these third parties to provide this service. And I would presume that a new layer of encryption is added at each node, and that no one node knows both the origin and destination.

Let me add that I'm not being critical of Xerobank or Steve. I'm actually being critical of everyone else here and what seems like a Xerobank love-fest. Some of this stuff is nauseating to read, to be honest.

What I am critical of Steve for is some of the melodrama, and especially the unsubstantiated claims. Now, he may have proof of everything that he says. But I consider it bad form to start talking about your competition and then not back it up for months, if ever. This whole thing with Ultrasurf isn't the first time. I'm not going to rehash some of the stuff that happened more than a year ago, but suffice it to say, I expect the Ultrasurf news to be "jaw-dropping". And I'm expecting something I've never seen before from the deAnonymizer service. Both should be coming up within the week, and I'll make my judgments about Steve then.

 

borat,

good news. i think you will be impressed. also, be aware that tor is very different than other things. it isn't just a network, it is a software, it is a connection client, it is a server, and includes bundle software. That means it has a very large attack surface that is not limited to the network design. I'll give you one example, in 2007 there was an attack against tor via the browser. It used exploits across html to attack the control port. It successfully compromised all tor clients, including through the text-only lynx browser, through every version of tor. Was it a direct attack against tor? Not directly, but it leveraged what tor relied on, connectivity and applications, to cause it to compromise the entire client set. Other attacks have been more direct, such as the link-width attack which performs latency analysis. There will supposedly be new attacks released this year as well.

DeAnonymizer is designed as a active scan against willing participants' browsers and performs a variety of attacks against the weakest link: network and application implementation. We see webpages and think that the internet is the same no matter how you visit it. Hardly so, standards are difficult to achieve and comply with, and that is part of how deanonymizer works. It is important to keep in mind that different OSes and browsers and their settings will make the test react differently, some have different permissions, different ways to treat mime types, etc. Some won't be able to load the test (vista trouble -> false negatives), most will, because it has to attack against the greatest common factor. Some of the attacks the world has never seen, I know it includes at least one "0-day" attack against a certain series of browsers. It is in beta so have fun with it, it currently has 15 tests but may have more by the time it is publicized. We will be adding many more tests to it as time goes on (we discover a new attack every few weeks), and expanding the functionality. Visiting the test with a locked-down system may or may not compromise it on the test. DeAnonymizer can not prove you are anonymous (it is impossible to prove a thing in a non-exhaustive posteriori system: aka always new attacks), but it can disprove your anonymity (all it takes is one compromise).

edit: which 3rd parties? JonDos / JonDoNym, perhaps some of the JAP people, KryptoHippie, and a few well-respected members of the Tor community.

my apologies i probably won't be able to reply for the next few days. off to vegas right now.

 

Okay, I look forward to trying it out. But I would like to point out to a previous poster that to claim that a network (such as Tor) is deanonymized, it would really have to be deanonymized under every imaginable circumstance. In other words, it would have to affect everyone. Based on what Steve said, I don't think that will happen.

However, if DeAnonymizer can work on some systems that have taken common sense precautions and were previously thought to be secure, then I'll be impressed.

 

Himynamaborat, that’s an interesting perspective. From my viewpoint, it seems that XeroBank has received praise by some within this forum community -- but, it also seems that the product has been highly criticized and attacked by others. Thus, in total, I believe that XeroBank has received fairly well-balanced coverage here.

Himynamaborat, is that really a reasonable criterion? To use a medical analogy, one doesn’t need to show that a medication has adverse side effects for everyone who uses it in order to declare the product "unsafe" and to remove it from the market.

 

Well, I would say that most of the attacks against Xerobank have been fairly similar to mine. Nothing specific about the product, just someone occasionally lashing out at Steve for one reason or another. Steve has a tendency to post cryptic and alarming things about competing products in a way that can rub some people the wrong way. His product actually looks very good. I was actually here about a year ago using a different username for a different problem. I got into it with Steve at that time as well. I'm sure he remembers me. I'd be surprised if he didn't because I think I really got on his nerves at that time. I used to be a regular but now I just chime in rarely.

Okay, I guess you have a point. But if Tor is deanonymized for some users, it should be demonstrable that the flaw is within some implementation of Tor that perhaps only affects some setups. You can't blame Tor if someone is not running a hardened system and some flaw in a browser is exploited. But you're right that it doesn't have to affect everyone for there to be a major flaw.