
Re: Another Method to Block Java Hijinks



norvid @ 2007/04/05 17:18:
> On 4/5/07, James Muir <jamuir@xxxxxxxxxxxxxxx> wrote:
>> norvid wrote:
>> > On 4/5/07, James Muir <jamuir@xxxxxxxxxxxxxxx> wrote:
>> >> norvid wrote:
>> >
>> > <snip>
>> >
>> >> I've heard that properly configuring a firewall can be tricky.  In any
>> >> case, using a firewall still doesn't protect from Java applets reading
>> >> identifying information locally and sending it back through the
>> >> anonymous connection.
>> >
>> > Actually, I believe that with the browser denied access to the
>> > internet, the normal 2-way java applet communication is prevented.
>> > Please try the test I mentioned.
>>
>> In the tests that I have done previously, the Java VM inherits the proxy
>> settings listed in the browser (at least this is what is supposed to
>> happen; sometimes this does not happen).  So if the browser is
>> configured to use Privoxy and these setting are communicated correctly
>> to the Java VM, what is there to stop a Java applet from sending back
>> data through Privoxy?
> 
> I don't know the answers to these questions other than to say that I
> am not configuring any of the proxy settings in the Java VM.  They are
> the default.
> 
> I have tried to configure Java VM proxy settings with no apparent
> success.  I have no idea why this does not work.
> 
> My test might best be performed on a Windows machine as the
> availability of software firewalls is fairly extensive.  A lot of these
> are easily configurable to block the browser and allow Privoxy access.
> Although I don't have much experience with Linux, I'm guessing that
> it might be a little more difficult to configure than Windows.
> 
> I am certain that on my machine using two different firewalls, the
> very specific test I detailed will not determine my real IP even
> though Java is enabled.  Of course it cannot determine my IP if Java
> is disabled also.
>

I think what we are trying to say here is: even though this configuration may prevent Java from determining the user's IP, it does not prevent Java from determining other personal information.

This information may include: the local time of the user's machine, screen resolution & color depth, operating system & browser version (if this is found to differ from the UserAgent reply, isn't that suspicious?), and probably many, many other items.  These could be just as revealing as an IP address.  So, unfortunately, I don't see the point of this configuration with anonymity in mind.
