TOR question

Discussion in 'privacy technology' started by TyKn, Jan 2, 2010.

Thread Status:
Not open for further replies.
  1. TyKn

    TyKn Registered Member

    Joined: Jan 2, 2010
    Posts: 3
    I'm using web-based email and need to send and download some plans for a project that I haven't yet trademarked. When I download an attachment through web-based email, is that encrypted through Tor, or could my email host and/or service provider get the file and get my IP address through the attachment downloading process?

    2nd question -- My web-based email service uses Java. Is this a security risk using Tor, and why? What are the alternatives?

    Thank you.
     
  2. box750

    box750 Registered Member

    Joined: Nov 11, 2008
    Posts: 261
    1- If you use Java to upload the attachment they could get your IP (your email provider). Because the file is unencrypted on your email they could also keep a copy. At the very least it is likely that the file name will be kept in the logs as well as the subject of your email, probably not the content.

    2- Java is a privacy risk because it has access to your computer and could send out your real IP.

    Get a free email service not using Java. Learn to use GnuPG/PGP for email encryption.
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined: Jun 16, 2005
    Posts: 5,390
    If I am not mistaken, you might be able to issue the command:
    $ torify <browser>
    where <browser> is the browser you use.

    First check to see if you have the command, torify, with:
    $ which torify

    And then, if you use Firefox (strongly recommended, or Icecat) as your browser, make sure you have the Torbutton Add-on that will point Firefox at your Tor proxy.

    Then when you visit your web mail provider, all they will see is your Tor exit node IP address (but they may be able to track the access of your web mail account back to you, I assume).

    On the other hand, if you use Tor without JavaScript, all your ISP will see is encrypted traffic to other web sites.

    You may be able to get by with a Xerobank account with encrypted email to/from your destination and by not accessing your normal web based email provider for those transactions (upload/download). I would check with SteveTX from Xerobank on the particulars of your question.

    As box750 says, JavaScript is a privacy risk, except maybe over Xerobank network.

    -- Tom
     
  4. box750

    box750 Registered Member

    Joined: Nov 11, 2008
    Posts: 261
    Not JavaScript, it says Java, two different things. I assume the original poster posted it correctly and he really meant Java.

    Few websites work nowadays without JavaScript, and although this can also be malicious, it is not as dangerous as Java is.

    AS FAR AS I KNOW there is no way to get your IP with malicious JavaScript; the most they could do is to crash your browser, redirect you or attempt to make you download malware.
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined: Jun 16, 2005
    Posts: 5,390
    Hi box750,

    If a malware attack is based on a MITM (man in the middle) approach, then it would be very easy for a JavaScript to reveal your IP address, I assume. It would be akin to a victim using the Firefox Add-on named 'Show MyIP' which is implemented in a .jar file to access a remote website to discern and return your IP address, except in this case with a MITM.

    -- Tom
     