[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: A case for SSL specialist programmers

To: or-talk@xxxxxxxxxxxxx
Subject: Re: A case for SSL specialist programmers
From: lester psigal <lesterpsigal@xxxxxxxx>
Date: Fri, 24 Nov 2006 12:38:26 -0800
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Fri, 24 Nov 2006 15:39:28 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.de; h=Received:X-YMail-OSG:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=0gUw+zNLVTwznSkNpa9l3a64i8awMNai3bRmi7mX+UOJLX+6tI9pQgHP49GbBeTIopCs4FkgtpOS4P+ba8uG+9c9fp8Ii0RJ4GbHj3BjOca0Kq8oh7FatM34NjXDIPsPUeoP1JQ8gyTcnc1IA7G/i0zr8Qof3AuMvGYXEImQ6T0= ;
In-reply-to: <1163067765.26913.275394021@webmail.messagingengine.com>
References: <1163067765.26913.275394021@webmail.messagingengine.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.8 (Windows/20061025)

Total Privacy wrote:
> Hi, to some https super gurus maybe on this forum! 
> 
> I´ve did some easy research over the net about different approach 
> for websites fooling out real IP numbers from users, and besides 
> the usual stuff (javascript, active-x, flash plugins etc) I get 
> some hints about the https SSL protocol itself may collect the 
> users real IP, also when the user is using anonymizers. 
> 
> When I check at the https://proxify.com/whoami/ trough Tor, I 
> only see the Tor exit node IP and not my real. Same thing when 
> cheking my SSL webmail accounts log of login IP and also in 
> the headers of emails send from that https webmail, it only 
> shows the Tor exit node IP. 
> 
> The question is then, are that perhaps any hidden information 
> streams into the SSL connection, that is able to get the real 
> IP, but only make the last IP (Tor exit node) visible to user? 
> 
> Or is it that simple, when the Tor IP is showed, then it´s the 
> only IP the https website collect? 
> 
> Thanks for any answer of knowledge. 
> 
> 
> 
> 

i don't think there are hidden information streams, e.g. encoded ip
information, build into ssl as ssl is based on tcp as the transporting
protocol. but there could be issues when you use client certification
in the case your client certificate contains location information.
for further information please read

http://wp.netscape.com/eng/ssl3/draft302.txt

lester





		
___________________________________________________________ 
Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de

References:
- A case for SSL specialist programmers
  - From: Total Privacy

Prev by Author: Re: ff 1.5.0.7 & 2.0 (remote) dns leaks when using tor
Next by Author: Re: Blocked by Websense
Previous by thread: A case for SSL specialist programmers
Next by thread: Vidalia 0.0.8
Index(es):
- Author
- Thread