[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Another Method to Block Java Hijinks
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Another Method to Block Java Hijinks
- From: "Kyle Williams" <kyle.kwilliams@xxxxxxxxx>
- Date: Thu, 5 Apr 2007 23:27:48 -0700
- Cc: or-talk@xxxxxxxx
- Delivered-to: archiver@seul.org
- Delivered-to: or-talk-outgoing@seul.org
- Delivered-to: or-talk@seul.org
- Delivery-date: Fri, 06 Apr 2007 02:27:58 -0400
- Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=Gid+8lTtJ9CLBAX8utoYQWgv6mYZ9XN/WDs9q/uDVWXCSJSw+L+T34KbNHmgnP4FwvigZwmhSKML+jVxl7hKZBmRRjF/67q3HTGZt0BwFme511jx5Ro/9pNbyn128C7V43VTHmSOE4nW3ds9aKzYENkpDUesGI42EHgDaOllO7A=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=iDdRPe77JKugoNxiF8WoMO2ACDdTnVDJRKXTYMNRuHK3gLmxJbdeOWzkR0cmiZXnLpSNyP3Xqm1tjVD0IARF6MarEjkMWN2a3j3urVNKQrkCawDaItuRgNkzlFGkIlwRcaTY9XTJ6k+dcacnIjwDB6uAlkkG8wkA6jBQAIoP1ys=
- In-reply-to: <726285910704020513g653cd166qe4d5f5d9c5aebbff@mail.gmail.com>
- References: <726285910704020513g653cd166qe4d5f5d9c5aebbff@mail.gmail.com>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
It didn't report my real IP address.
I tried this page with JanusVM and recorded the session in FLASH.
Here's the link if anyone would like to see for themselves.
http://janusvm.peertech.org/Flash/JanusVM-SEC-Demo-1.html
Needless to say, it didn't compromise my real IP address with JAVA TURNED ON.
We also tested the Metasploit Project's Decloaking Engine. It failed too.
Regards,
~Kyle
On 4/2/07, norvid <norvid@xxxxxxxxx> wrote:
Hello
I have another method that may block Java hijinks that can allow a
site to determine your real IP. This one allows you to use the normal
default browser settings. You do not have to turn off all sorts of
scripts. You probably should still block cookies.
Use a firewall with settings which block the browser from accessing
the internet but allows Privoxy access. Set up your firewall this
way. Now to test obviously all you need do is turn the firewall off
and on.
Go to this page to test:
http://stayinvisible.com/cgi-bin/iptest.cgi
This page uses a Java applet to reveal your real IP.
It will guess mine when the firewall is off but fails to when the
firewall is on.
Now test your IP without the firewall but while turning off Java. You
should see that the test will not reveal your IP. Don't worry about
_javascript_. It has nothing to do with it on this particular page.
I'm throwing this out here as potentially another way to protect your
privacy while using Tor and depending on the firewall used it may be
easier to set up than turning off all sorts of browser functionality.