Re: building pages with tor in mind



On Tue, Feb 27, 2007 at 02:03:55PM -0500, Michael Holstein wrote:
> >I have yet to see an example of pure JavaScript code that can read an 
> >end-user's IP address.  Any code I've seen returns either "localhost" or 
> >"127.0.0.1".
> 
> Bear in mind you need not get javascript to return the results of 
> something like "ipconfig /all" to work .. all you need do is create a 
> non SOCKS'ed connection to somewhere.
> 
> Flash is one excellent way to do that .. invoked via JS.

I believe all the things raised in this discussion were in the old
"snoop server" we used to run here at NRL starting in 1996 until about
'99 or 2000. Unfortunately the code for it disappeared from NRL when
Mike Reed did a few years after that, so I can't say for sure what was
on it. I know he had set up javascript exploits along with many other
things, and I believe at least one of the javascript ones would return
IP address through the anonymous circuit but I can't swear to it.
(There were some that did return IP address; I just can't recall if
they were javascript based.) The snoop server also had multiple ways
of opening up connections that bypassed the anonymity network
entirely, such as via flash, real audio, etc., that is unless the
Redirector that we had for Windows NT in '97 ('98?) was used. It sent
all connections through onion routing, but was much more intrusive on
the OS. Of course that wouldn't protect against any of the attacks
that ran through the anonymous pipe, rather than around it.

You might also look at some of the exploits Kevin McCurley has on
the digicrime site. I don't think he's updated them for years, but
they're still there. James Muir has already pointed to some of the
similar exploits he's done.

aloha,
Paul