Re: building pages with tor in mind

[James Muir <jamuir@xxxxxxxxxxxxxxx>]

Bryan Fordham wrote:
>     I have yet to see an example of pure JavaScript code that can read an
>     end-user's IP address.  Any code I've seen returns either
>     "localhost" or
>     "127.0.0.1 <http://127.0.0.1>".
>
>
>
> That's kind of the conclusion I've reached, though I'm far from an expert.
>
> So, if it can't read the IP, why is it a security risk? Because of cookies?

The risk is that you become more trackable.  The more information you 
make available about your browser, plugins and OS, the easier it is for 
web servers to create a profile on you (i.e. a record of your previous 
actions).  If you have cookies enabled and never delete them, then it is 
really easy to profile you!  Perhaps during one visit to a web server 
you accidentally submit your name in a web form.  In that case, your 
identity can be linked to that profile (i.e. you can be held accountable 
for all your previous actions).

I wrote a blog last year which explained some of this (although, 
re-reading it now, I see that a few of the details I wrote about Tor 
were incorrect):

http://www.anonequity.org/weblog/archives/2006/03/escaping_your_h_1.php

-James