True IP revealed behind TOR

Discussion in 'privacy problems' started by AF1X, Jan 22, 2012.

Thread Status:
Not open for further replies.
  1. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    An anonymity check via ip-check.info has revealed that a user's real IP address can be extracted behind TOR.

    Here is the screenshot of the results (the blacked out part below the TOR IP is my address):

    http://tinypic.com/view.php?pic=2u90kkp&s=5

    The script somehow uses FTP to do this.

    Any ideas?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Did you let something run, any prompts?
     
  3. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    No, no prompts.

    Here are my specs:

    >>> OS: Windows 7 Home Premium Service Pack 1

    >>> Firewalls:

    *Windows Firewall
    -Only the "Core Networking" processes are enabled under both Inbound and Outbound rules.

    *Comodo Firewall
    -Defense Security Level set to "Paranoid"
    -Firewall Security Level set to "Custom Policy"
    -Only essential applications/processes are defined in the "Trusted Applications" section.
    -Stealth Ports Wizard set to "Block all incoming connections and make my ports stealth for everyone"

    >>> Browser: Google Chrome 16.0.912.75
    >>> Configuration:

    ** Under the Hood --> Privacy
    -Only "Enable phishing and malware protection" is enabled


    ** Under the Hood --> Privacy --> Content Settings

    *Cookies
    -Block sites from setting any data
    -Block third-party cookies from being set
    -Clear cookies and other plug-in data on close

    *Images
    -Show all images

    *Javascript
    -Do not allow any site to run Javascript

    *Handlers
    -Do not allow any site to handle protocols

    *Plug-ins
    -Block all

    *Pop-ups
    -Do not allow any site to show pop-ups

    *Location
    -Do not allow any site to track my physical location

    *Notifications
    -Do not allow any site to show desktop notifications

    So, the only content being shown are images.

    I also use the Chrome extension "Switchy!", which is similar to Torbutton on Firefox. Privoxy is currently set as the HTTP/HTTPS Proxy (filters advertisements/popups/scripts) and it then is set to forward data to TOR. The "SOCKS Host" is set as Socks5 and configured for TOR.

    Their script cannot possibly be executing in my browser with JavaScript/plug-ins disabled AND Privoxy (unless there is another way?), so that leaves TOR.

    We know that TOR was designed to keep traffic encrypted and therefore anonymous, but does its anonymity hold firm when connected to the host?
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    TOR only encrypts your browser activity, all other services communicate via normal ports over standard protocols without TOR encryption and tunneling.
     
  5. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Most of my lines are green, not orange. A question: are you using Torbutton? I use Firefox 9.01 and the Firefox extensions "Better Privacy" and "No Script" as well. Ports 8118 and 9050 for SOCKS.
     
  6. parsec

    parsec Registered Member

    Joined:
    Aug 2, 2011
    Posts:
    68
    Location:
    /local/galaxy_cluster/milky_way/sol_system/earth
    Give torbrowser-bundle a try.. see if it reveals your real location.
     
  7. AF1X

    AF1X Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    10
    Yes, but I wonder how this website's script is discovering the real IP behind TOR? There are no open ports on this box.

    This test used the latest stable build of Google Chrome. All ports are configured correctly too.

    WTF!

    *sigh*

    As far as this anonymity test goes, the torbrowser-bundle scored better and therefore seems more secure than Chrome.

    Hmm...
     
  8. parsec

    parsec Registered Member

    Joined:
    Aug 2, 2011
    Posts:
    68
    Location:
    /local/galaxy_cluster/milky_way/sol_system/earth
    Here is a VM Windows 7 with Chrome & Firefox both latest version and Vidalia latest, no addons/extensions.. plain stock. Even my DNS got detected using chrome.

    My suggestion is to stick with TorBrowser Bundle and use different dns servers: opendns, norton whatever :)
     


  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    HTTP port 80 is protected by TOR.
    DNS port 53 is not protected by TOR.
    Your computer resolves DNS on the site you visit because they provide their own DNS server.

    For a better explanation you can see DNS Rebinding here: -hxxp://www.youtube.com/watch?v=stnJiPBIM6o-
     
  10. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    If your real IP was revealed via FTP, then the most likely culprit is your firewall configuration. Just create an application rule for your browser to block outbound TCP connections on Port 21. Or better yet, configure your firewall to allow only outbound TCP Port 80 (HTTP) and 443 (HTTPS). Don't allow your browser to connect to any other ports/protocols by default; only allow them on an as-needed basis.
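
Added example (not part of the original thread): a check in the spirit of the firewall advice above, flagging any browser connection that does not go to the local proxy. The line format, process names and sample addresses are constructed assumptions; 8118 and 9050 are the proxy ports mentioned earlier in the thread.

```python
import ipaddress

# Assumed local proxy listeners: Privoxy on 8118, Tor SOCKS on 9050.
PROXY_PORTS = {8118, 9050}
# Hypothetical browser process names to audit.
BROWSERS = {"chrome.exe", "firefox.exe"}
# Ports called out in the thread as leak paths.
REASONS = {21: "direct FTP", 53: "direct DNS"}

# Constructed sample listing: "process proto remote_ip:remote_port state"
SAMPLE = """\
chrome.exe tcp 127.0.0.1:8118 ESTABLISHED
chrome.exe tcp 203.0.113.10:21 SYN_SENT
chrome.exe udp 198.51.100.53:53 -
tor.exe tcp 192.0.2.44:9001 ESTABLISHED
firefox.exe tcp 127.0.0.1:9050 ESTABLISHED
chrome.exe tcp 203.0.113.10:443 ESTABLISHED
"""

def parse(line):
    """Split one listing line into (process, proto, ip, port)."""
    proc, proto, remote, _state = line.split()
    host, _, port = remote.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))  # tolerate [::1]:9050
    return proc.lower(), proto.lower(), ip, int(port)

def find_leaks(text):
    """Return browser connections that bypass the local proxy."""
    leaks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proc, proto, ip, port = parse(line)
        if proc not in BROWSERS:
            continue  # tor.exe itself is expected to reach relays directly
        if ip.is_loopback and proto == "tcp" and port in PROXY_PORTS:
            continue  # traffic handed to Privoxy/Tor as intended
        reason = REASONS.get(port, "direct connection")
        leaks.append((proc, proto, str(ip), port, reason))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print("LEAK:", *leak)
```

Note that a direct connection on port 443 is flagged as well: with a proxy in use, the browser should have no remote endpoint other than the loopback proxy ports.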
     
  11. Katelee

    Katelee Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    2
    If you want to get perfect on the IP test, use JAP/JonDonym and JonDoFox.

    Anyway, your real IP was revealed because of a bug of Webkit's FTP parse.
    I think it should be documented somewhere on the JonDo website.
    You can prevent it from detecting your real IP with blocking port 21 "AND" adding "ftp://*" to your adblock black list, but I'm not sure that it is really enough to prevent the IP leak itself or it is just enough to prevent the test from detecting it.
    I guess we'd better not use Chrome or Safari for anonymous surfing.

    BTW, this might be OT, but don't use OpenVPN unless you set the TCP/IP properties properly as it also seems to have some IP leak bug.
    I've come across many websites that detect a real IP while using OpenVPN (I've never seen such a site while using PPTP)!

    Many people here seem to have a lot of faith in OpenVPN, but my experience has convinced me that SSTP (or even L2TP/IPsec) is better.
     
    Last edited: Jan 24, 2012
  12. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    People paranoid enough to use tor are still dumb enough to use plaintext-authentication protocols like pop3 and telnet. They might think it’s “secure because tor encrypts it”. This isn’t the case. It’s encrypted, but …… communication from client to entry node and exit node to server will still remain as is. POP3, telnet and others will still be plain-text and thus subject to sniffing.
     
  13. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    What's wrong with setting the mail client to use port 995, 993, 465, etc. for SSL encryption?
     
  14. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    So what sites have you used that show your real IP when using OpenVPN? I am unaware of any site that reveals my real IP when using OpenVPN with my VPN provider. And I have tried a lot of them. If your real IP is being leaked when using OpenVPN with your VPN provider, then your provider or you do not have something configured properly. As to PPTP, it is nowhere nearly as secure as OpenVPN as far as encryption goes. Not to mention that it is susceptible to brute force attack. See here for details on this: http://hak5.org/hack/hacking-pptp-vpns-with-asleap
    Not to mention that OpenVPN has the option of using Perfect Forward Secrecy which blows PPTP out of the water.
    As for L2TP and IPsec they are more secure than PPTP as they protect from the brute force attack. If you have links to the websites that showed your real IP while using OpenVPN I would love to check them out and see what my results are.

    Here are some of the IP checks I have done and NONE of them have been able to detect my real IP while using OpenVPN: (I can run these tests with Java and Flash enabled and I pass)

    http://ip-check.info/

    http://ipchicken.com/

    http://www.auditmypc.com/anonymous-surfing.asp

    http://ipinfo.info/html/privacy-check.php

    http://test.anonymity.com/

    http://analyze.privacy.net/

    http://www.proxyway.com/anonymity-test.html

    http://www.checkmytorrentip.com/

    Many more...
     
    Last edited: Jan 27, 2012
  15. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    It is because in your browser proxy config, where it says FTP, there is no proxy filled in. So it will use a direct connection. My connectivity service uses OpenVPN, so I don't need to fill in a proxy, and that site just showed my VPN's IP.
     
  16. Katelee

    Katelee Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    2
    marktor,

    Well, all of the sites you listed above are Http.
    My real IP has been detected by https ip tests.
    You might as well check sites like h*tps://ipcheckit.com or h*tps://www.whatismyip.com.

    In my case, it is always fixed by resetting the TCP/IP stack but eventually comes back around, probably because I switch b/w static IP and DHCP often (to prevent DNS leak) or use software like TCP Optimizer (to improve net speed), I don't know...

    Incidentally, I've seen a lot of OpenVPN servers poorly managed and many of them fail the old anonymity test at h*tp://checker.samair.ru.

    I admit L2TP might be hard to use for some people. I just wanted to say SSTP is better than OpenVPN as it is said to be as secure as OpenVPN and its speed is faster.
     
  17. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Tried the https sites you mentioned and my real IP is not shown while using VPN. I use this to help with DNS leaks: http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php It seems to work well. I also use TCP Optimizer. I'm not really sure what is going on with your real IP being leaked. I was working on one client's machine and I noticed they had to right click on OpenVPN and then "Run As Administrator" in order for it to work properly. Otherwise it would connect but their real IP would still be used. It was as if their network traffic was not being routed through OpenVPN. What causes this to be a problem is if UAC (User Account Control) is enabled in Vista or 7. I don't know, maybe you are having a similar issue.

    As for SSTP, it is good; not sure if it is worse or better than OpenVPN. The issue that SSTP has is that not many VPN providers seem to offer it.
     
  18. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    With no vpn nothing just from inside my virtual machine http://ip-check.info can't even detect my real ip lol
     