Discussion in 'privacy technology' started by lotuseclat79, Feb 17, 2010.
Next Flash Version Will Support Private Browsing.
Maybe so, but they are only talking about controlling flash cookies. I doubt that Adobe will do anything about another huge Flash privacy issue -- the fact that Flash can give away your real IP even if you are using a VPN, thus making it very difficult to browse anonymously.
Nor do I think that Adobe wants people to be able to browse anonymously. All of these key companies in the internet revolution are in cahoots with the governments that want to be able to spy on people at will.
Yes, I'm a conspiracy theorist, and proud of it!
Can you please provide more information on this vulnerability? Is there a proof-of-concept website using Flash that demonstrates this phenomenon?
Metasploit's decloak.net includes a Flash test.
Thank you for the reference. It is interesting to note that Metasploit states: “A properly configured Tor setup should not result in any identifying information being exposed.” This suggests that a VPN service, such as xB VPN by XeroBank, will succeed in preventing Flash from revealing a user’s true IP address.
Personally, when I run the decloaking test on Internet Explorer 8 with Windows Vista using xB VPN, I receive only an error: “The webpage cannot be displayed.” Perhaps other forum members can execute the test and report their findings in this thread?
Right. I can't get it to run with IE8 either. Connected to XeroBank using XB VPN (which uses OpenVPN), running XB Browser (tweaked Firefox 2.0), permitting scripts, and opening the Word document with Word 2007, I get ...

Field                     Data              Dependency
External Address          220.127.116.11    Browser
Internal Host             unknown           Java
Internal Address          unknown           Java
DNS Server (Java)         unknown           Java
DNS Server (HTTP)         unknown           Browser
DNS Server (FTP)          unknown           Browser
DNS Server (Word)         unknown           Office
DNS Server (iTunes)       unknown           iTunes
DNS Server (Quicktime)    unknown           Quicktime
External NAT (FTP)        unknown           Browser
External NAT (Java)       unknown           Java
External NAT (Flash)      18.104.22.168     Flash
External NAT (Word)       unknown           Office
External NAT (iTunes)     unknown           iTunes
External NAT (Quicktime)  unknown           Quicktime

22.214.171.124 is one of XeroBank's Amsterdam exit nodes. If I don't permit scripts, I get "unknown" for the Flash test.
Thus, it appears that xB VPN is successfully preventing Flash from revealing your true IP address -- correct?
Yes, it does.
I am using OpenVPN with the DNS leak plugged and it doesn't appear that Flash can expose me (at least based on the decloak site). Although it is nice to know the next version of Flash will be more secure.
This is the first time that I have ever heard anyone suggest that Flash could reveal an IP while using a VPN.
Likewise, I had never heard that Flash could potentially reveal a user’s true IP address.
Specifically, the risk does not appear to exist for users of xB VPN. Generally, the comment on the Metasploit website (“A properly configured Tor setup should not result in any identifying information being exposed”) seems to suggest that the risk may be nonexistent for VPN users -- but, perhaps (?) it exists for non-VPN anonymity services (e.g., those using SSH tunneling).
On http://decloak.net, in the section "Decloaking Engine Implementation", there's the explanation ...
The Flash section of decloak.html (the actual test page via "Start Test") is
Run by itself via http://decloak.net/flash.swf, the Flash file displays the code ...
From http://decloak.net/Decloak.hx, I get ...
Perhaps someone could explain what all that does. I don't think that it's as simple as "VPNs never leak". I suspect that it has something to do with DHCP implementation on the VPN and/or the computer's routing table, and how it/they interact with the browser and/or its Flash plugin. That's a WAG, BTW.