How can I test if my browsing is anonymous?

Discussion in 'privacy technology' started by qzt, Jun 19, 2009.

Thread Status:
Not open for further replies.
  1. MakePB

    MakePB Registered Member


    It is because of the Java applet. Disable Java in your browser and they will not reveal your IP address.

    Actually, if you are surfing behind any kind of anonymous proxy or SOCKS, and if you disable Java and then JavaScript for more privacy, then there is not any kind of deanonymizing script that can reveal your IP address.
     
  2. Pleonasm

    Pleonasm Registered Member

    Himynamaborat, I can relate to your comment. While I respect the technical expertise and contributions of SteveTX, his “enthusiasm” for XeroBank can sometimes be excessive. His substance is quite good, in my opinion; his style has some room for improvement on occasion.

    Himynamaborat, from my perspective, I would hold XeroBank “responsible” for a failure to provide anonymity, even if the root cause of the difficulty resided in a browser flaw. As a consequence, I would hold Tor to the same standard -- as I believe would many users, especially those who are “average” (versus technically sophisticated).
     
  3. caspian

    caspian Registered Member

    I agree. And I do not have to worry about java, javascript, or anything like that while using Xerobank. But evidently with Tor you do.
     
  4. himynamaborat

    himynamaborat Registered Member

    Well, you have to worry about java in terms of giving up your IP. But I've never seen it done with javascript alone. Javascript (without java) does give up some data such as screen resolution, but it would be news to me if it could completely deanonymize.

    With regards to java, I've been to those sites that can obtain an IP through java, however I was able to stop the leak through my firewall. Firefox has to have permission to access the internet with the existing sites that use java. And, frankly, who uses java? I've never been to a site that's required it, and I've never left it on.

    With regards to javascript, just ask the site administrators here what they can see when I access this site with javascript enabled. I simply filter it through proxomitron so there is no leakage whatsoever. But it's still totally functional.

    All of that being said, I'm very eager to see what Steve's come up with. It's like a new toy I can't wait to get my hands on.
     
  5. coderman

    coderman Registered Member

    java is only a threat if proxy bypass is in your threat model. with a good transparent Tor / equiv. setup even java, flash, etc. are no advantage.

    and yes, javascript alone has proven effective in the past for divulging IP and worse.

    best regards,
     
  6. coderman

    coderman Registered Member

    don't be so sure... xB VPN can be bypassed if you allow arbitrary java execution. xB Machine is pretty solid.
     
  7. coderman

    coderman Registered Member

    depending on the nature of your internal network even the best firewall filtering is unable to block certain types of IP disclosure available to Java. this is a proven fact.

    (hint: the firewall/gateway itself is leveraged for disclosure)

    best regards,
     
  8. arran

    arran Registered Member

    I am looking forward to seeing this deanonymizer, only a few days to go now until the 1st of August.
     
  9. MakePB

    MakePB Registered Member

    You need to worry about Java and JavaScript with any anonymizing software, including XeroBank. There is no exception.
     
  10. himynamaborat

    himynamaborat Registered Member

    Do you have a reference for this or a website I can visit to try it out? I think I've been to every deanonymizing site currently available and have never seen this happen.

    I'm using Tor with javascript now, so, just point the way, and I'll try it.
     
  11. MakePB

    MakePB Registered Member

    As far as I know, with JavaScript it is not possible to retrieve your real IP address.
    It is only possible if JavaScript works in combination with Java. So if you have disabled Java then there is no need to worry, because JavaScript cannot retrieve your real IP address behind a proxy server.
     
  12. arran

    arran Registered Member

    you guys here who are saying that javascript does not reveal your real IP are wrong. if you read back it has already been proven in this thread that javascript does show your real IP address.

    I tested it using http://www.proxeasy.com and tested it here
    http://www.frostjedi.com/terra/scripts/ip_unmasker.php

    Javascript enabled my Real IP is shown
    Javascript disabled only my proxy IP is shown
     
  13. MakePB

    MakePB Registered Member

    Try to disable Java and then test again with enabling and disabling JavaScript. It is probably a situation where JavaScript works in combination with Java.
    I guess that if you disable Java then it will not matter whether JavaScript is enabled or not.

    PS

    I have just seen that you did it with a web proxy. That's a problem because of XSS and moz-binding, and you will not pass the last test, 4.
    So you need to disable JavaScript when using a web proxy for test 4.

    If you try the same (last) test with an anonymous proxy server (not a web proxy), for example 210.239.26.104 on port 8080, then your IP address will still be hidden.
    And you do not need to disable anything for the last test.
    For the other 3 tests, disabling the Java applet is required.
     

    Last edited: Jul 29, 2009
  14. Pleonasm

    Pleonasm Registered Member

    Himynamaborat, for “average” users who simply install Tor and believe that anonymity is achieved, the awareness of the Java problem -- and the sophistication to adjust firewall or browser settings -- may be outside of their ‘comfort zone.’ Users who install Tor want anonymity, plain and simple; and, unless they are “above average” in terms of their sophistication, a false sense of protection may result.
     
  15. Pleonasm

    Pleonasm Registered Member

    SteveTX, what’s your perspective on this issue?
     
  16. himynamaborat

    himynamaborat Registered Member


    I'm not really sure I understand. I tried that site today and yesterday. It shows nothing but my Tor IP. The first and fourth link show my Tor IP. The middle two (UTF-16) don't show any IP at all (just 5 lines of Chinese-looking characters). I'm not sure what it's supposed to do, but it's not obtaining my true IP. Perhaps it depends on your settings.

    Edited to Add: The above test was with proxomitron and web page/header filters. I disabled those filters, and it still was not able to get my true IP. It however was able to get my browser type, etc. due to javascript being unfiltered. So, basically, it doesn't work. Maybe there's something wrong with your setup.
     
    Last edited: Jul 29, 2009
  17. himynamaborat

    himynamaborat Registered Member

    I was an average user a few years ago. I just did some studying and trial and error (lots of trial and error). But I will say that turning off Java was something the Tor people made abundantly clear even when I had no idea what it could do. Javascript is not a huge deal (per my experience, which others will disagree with).

    But I do agree that there are MANY plugins in a typical browser (often the media player plugins) that are just as bad (or worse) than Java. I discovered that independently, as I haven't seen it mentioned very often. If you visit many sites that stream media, the plugin will likely try to bypass your proxy (from my experience).
     
  18. himynamaborat

    himynamaborat Registered Member

    This thread is becoming really cluttered with so many contrary views. It's hard to keep track of who said what.

    References, links?


    References, links? Not that I particularly care about Java, but I want to see it bypass my firewall (just to have the knowledge of how it's possible).

    Thanks
     
    Last edited: Jul 29, 2009
  19. coderman

    coderman Registered Member

    sorry, i should have stated javascript, no java, has proven sufficient in the past.

    for example, http://archives.seul.org/or/announce/Sep-2007/msg00000.html
    "And the user doesn't even have to click on anything if she's got javascript enabled..."

    certainly javascript is much less risky than java.

    for example, dproxy-nexgen dns / cache (bad!) on gateway router (linux embedded, others).
    or a local mailserver (but this requires TCP connect).
    ...other attacks that leverage local services to discover public endpoint... you get the picture.

    for java using DNS lookups only consider dproxy-nexgen responding to getAllByName(inetaddr.getHostName()) for the gateway IP. 192.168.1.1 -> somehostname, mydhcpname.verizon.net -> public IP.

    you can point sun.net.spi.nameservice.nameservers where desired if necessary.

    best regards,
     
  20. caspian

    caspian Registered Member

    That link no longer works with tor. But it did when it was first posted.
     
  21. MrBrian

    MrBrian Registered Member

    I use JanusVM. JanusVM should not reveal your true IP using the decloak.net tests with everything (Java, JavaScript, Flash, etc.) enabled. With a transparent proxy such as JanusVM, if I am not mistaken, your browser does not know your true IP, and thus Java, Flash, etc. cannot reveal it.

    Here is a quote from SteveTX:
    The Tor FAQ at https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ mentions JanusVM:
     
  22. MrBrian

    MrBrian Registered Member

    That's an excellent point, and a good reason IMHO to use a transparent proxy.
     
  23. lotuseclat79

    lotuseclat79 Registered Member

    Hi coderman,

    I beg to differ - although javascript when disabled prevents lots of web pages from working properly, one should not assume it is "less risky" than java. When enabled, javascript has been one of the choice methods of attack.

    -- Tom
     
  24. coderman

    coderman Registered Member

    this is usually true. one exception is the local DNS query attack using Java (or other plugin capable of arbitrary direct DNS requests when dproxy-nexgen or equivalent is at the gateway).

    in this case, you have to completely disable the local subnet to deny access to the dproxy DNS cache. this is why Tor VM "takes over" the local ethernet adapter and gives you your own Tap 32 device to route through. (among other reasons).

    so while a transparent proxy is an order of magnitude more effective than proxy based configurations, it alone is still insufficient in some very limited circumstances.

    remember: there is no silver bullet.

    EDIT: this is also specifically addressing IP disclosure attacks via side channels and such. there are a number of other attacks that Torbutton protects against which can reduce the set of Tor users down to a set of one (even if you don't know the public IP of that one...)
     
    Last edited: Jul 31, 2009
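
A defender-side check for the two leak classes discussed in this thread (plugin traffic that bypasses the proxy, and queries sent to a DNS cache on the local gateway), added here as an example and not part of the original thread. The record format, the allowed endpoint 127.0.0.1:9050 and the process names are assumptions, and the sample flows are constructed.

```python
import ipaddress

# Assumption: the only permitted egress is the local anonymizing proxy.
ALLOWED_EGRESS = {("127.0.0.1", 9050)}

# RFC 1918 and link-local ranges: traffic here reaches the LAN or gateway.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample records, one per line: "proto dst_ip dst_port process"
SAMPLE_FLOWS = """\
tcp 127.0.0.1 9050 firefox
udp 192.168.1.1 53 java
tcp 203.0.113.7 80 mediaplugin
tcp 192.168.1.1 25 java
tcp 127.0.0.1 9050 firefox
"""

def classify(dst_ip, dst_port):
    """Classify one outbound flow relative to the allowed proxy endpoint."""
    if (dst_ip, dst_port) in ALLOWED_EGRESS:
        return "ok"
    addr = ipaddress.ip_address(dst_ip)
    if addr.is_loopback:
        return "loopback-other"      # stays on the host, but not the proxy port
    if any(addr in net for net in LOCAL_NETS):
        # A gateway DNS cache can answer with the public hostname or address.
        return "local-dns" if dst_port == 53 else "local-subnet"
    return "direct"                  # public destination reached without the proxy

def audit(log_text):
    """Return (line number, process, flow, verdict) for every non-proxy flow."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue                 # skip blank or malformed records
        proto, dst_ip, port, proc = parts
        verdict = classify(dst_ip, int(port))
        if verdict != "ok":
            findings.append((lineno, proc, f"{proto}/{dst_ip}:{port}", verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Any "local-dns" or "local-subnet" finding is the case where a transparent proxy alone is not enough and access to the local subnet has to be denied as well.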