Next Flash Version Will Support Private Browsing

Discussion in 'privacy technology' started by lotuseclat79, Feb 17, 2010.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Next Flash Version Will Support Private Browsing.

    -- Tom
     
  2. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Maybe so, but they are only talking about controlling flash cookies. I doubt that Adobe will do anything about another huge Flash privacy issue -- the fact that Flash can give away your real IP even if you are using a VPN, thus making it very difficult to browse anonymously.

    Nor do I think that Adobe wants people to be able to browse anonymously. All of these key companies in the internet revolution are in cahoots with the governments that want to be able to spy on people at will.

    Yes, i'm a conspiracy theorist, and proud of it! :D
     
    Last edited: Feb 22, 2010
  3. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Can you please provide more information on this vulnerability? Is there a proof-of-concept website using Flash that demonstrates this phenomenon?
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Metasploit's decloak.net includes a Flash test.
     
  5. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Thank you for the reference. It is interesting to note that Metasploit states: “A properly configured Tor setup should not result in any identifying information being exposed.” This suggests that a VPN service, such as xB VPN by XeroBank, will succeed in preventing Flash from revealing a user’s true IP address.

    Personally, when I run the decloaking test on Internet Explorer 8 with Windows Vista using xB VPN, I receive only an error: “The webpage cannot be displayed.” Perhaps other forum members can execute the test and report their findings in this thread?
     
  6. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Right. I can't get it to run with IE8 either. Connected to XeroBank using XB VPN (which uses OpenVPV), running XB Browser (tweaked Firefox 2.0), permitting scripts, and opening the Word document with Word 2007, I get ...

    Field Data Dependency

    External Address 94.75.217.248 Browser
    Internal Host unknown Java
    Internal Address unknown Java

    DNS Server (Java) unknown Java
    DNS Server (HTTP) unknown Browser
    DNS Server (FTP) unknown Browser
    DNS Server (Word) unknown Office
    DNS Server (iTunes) unknown iTunes
    DNS Server (Quicktime) unknown Quicktime

    External NAT (FTP) unknown Browser
    External NAT (Java) unknown Java
    External NAT (Flash) 94.75.217.248 Flash
    External NAT (Word) unknown Office
    External NAT (iTunes) unknown iTunes
    External NAT (Quicktime) unknown Quicktime

    94.75.217.248 is one of XeroBank's Amsterdam exit nodes. If I don't permit scripts, I get "unknown" for the Flash test.
     
  7. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Thus, it appears that xB VPN is successfully preventing Flash from revealing your true IP address -- correct?
     
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Yes, it does.
     
  9. JustJohnny

    JustJohnny Registered Member

    Joined:
    Oct 18, 2009
    Posts:
    21
    I am using OpenVPN with the DNS leak plugged and it doesn't appear that Flash can expose me (at least based on the decloak site). Although it is nice to know the next version of Flash will be more secure.
     
  10. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    This is the first time that I have ever heard anyone suggest that flash could reveal an IP while using a VPN.
     
  11. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Likewise, I had never heard that Flash could potentially reveal a user’s true IP address.

    Specifically, the risk does not appear to exist for users of xB VPN. Generally, the comment on the Metasploit websiste (“A properly configured Tor setup should not result in any identifying information being exposed”) seems to suggest that the risk may be nonexistent for VPN users -- but, perhaps (?) it exists for non-VPN anonymity services (e.g., those using SSH tunneling).
     
  12. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    On http://decloak.net, in the section "Decloaking Engine Implementation", there's the explanation ...

    The Flash section of decloak.html (the actual test page via "Start Test") is

    Run by itself via http://decloak.net/flash.swf, the Flash file displays the code ...

    From http://decloak.net/Decloak.hx, I get ...
    Perhaps someone could explain what all that does. I don't think that it's as simple as "VPNs never leak". I suspect that it has something to do with DHCP implementation on the VPN and/or the computer's routing table, and how it/they interact with the browser and/or its Flash plugin. That's a WAG, BTW.
     
Loading...
Thread Status:
Not open for further replies.