
Re: is Java unsafe to use with Tor?

--- James Muir <jamuir@xxxxxxxxx> wrote:
> Java is not safe to use with Tor, or any other proxy-based anonymity
> system.  It is possible for applets to override any proxy settings you
> might have set (i.e. an applet running in your browser can disregard
> your proxy settings and make a direct connection to the internet).  For
> an example of this, you can have a look at my paper "Internet Geolocation
> and Evasion".
> I have heard that it is possible to run your browser and JavaVM (and
> Flash and JavaScript, if you want) inside a larger virtual machine.
> This is what JanusVM does.  If you really want to use Java with Tor,
> then you could try that.
> -James

Well, I wasn't talking about running random Java
applets in a web browser (I don't even have the
browser plugin installed for Java, so no problems
there), or setting any system-wide proxy settings, or
anything like that. I'm already aware of those

I'm talking about a Java program that I control and
can tell it to use a proxy, just like any other app
that supports proxy connections. The problem is simply
that the Java implementation (in this case, Sun Java
1.5, I have not tried this with other implementations)
will always default to direct connections whenever the
proxy is not available, which isn't a desirable
behavior at all. 

It would be as if you configured your browser or
e-mail client to use a proxy, and it went out of its
way to make direct connections anyway if your proxy
happened to be down. I think anyone here would call
that a problem (but people outside the Tor community
do not; hardly anyone even recognizes there might be a
problem with that sort of thing; it is just a great
feature that lets you pretend everything is working
when it isn't).

There seems to be no way to override that broken
behavior. I'd rather not have to use yet another VM to
overcome it (I don't want to VNC all the traffic from
this system to the proxy, anyway). If Java won't work
sensibly, then it's probably a better idea to just use
something else. 
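
A fail-closed check for the fallback described in this message, as an added example that is not part of the original post: it binds the proxy to the socket with `java.net.Proxy` instead of relying on global settings, points it at a proxy that is down, and uses a local canary listener to detect any direct connection. The class name, the closed loopback port standing in for a stopped proxy, and the canary are constructed for illustration; it uses `InetAddress.getLoopbackAddress()`, so it needs a newer JDK than the Sun Java 1.5 mentioned above.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class FailClosedProxyCheck {
    public static void main(String[] args) throws IOException {
        InetAddress loopback = InetAddress.getLoopbackAddress();

        // Constructed stand-in for a proxy that is down: reserve a free port, then close it.
        int deadPort;
        try (ServerSocket probe = new ServerSocket(0, 1, loopback)) {
            deadPort = probe.getLocalPort();
        }
        Proxy socks = new Proxy(Proxy.Type.SOCKS, new InetSocketAddress(loopback, deadPort));

        // Canary destination: any connection accepted here bypassed the proxy.
        try (ServerSocket canary = new ServerSocket(0, 1, loopback)) {
            canary.setSoTimeout(1000);
            InetSocketAddress dest = new InetSocketAddress(loopback, canary.getLocalPort());

            boolean refused = false;
            // The Proxy is passed to the socket itself, so this connection
            // does not depend on system properties or the default ProxySelector.
            try (Socket s = new Socket(socks)) {
                s.connect(dest, 2000);
            } catch (IOException e) {
                refused = true;
                System.out.println("connect failed as intended: " + e.getMessage());
            }

            // If the runtime fell back to a direct connection, accept() returns.
            boolean leaked;
            try (Socket direct = canary.accept()) {
                leaked = true;
            } catch (SocketTimeoutException e) {
                leaked = false;
            }

            System.out.println("refused=" + refused + " leaked=" + leaked);
            if (!refused || leaked) {
                System.exit(1); // fail the check: traffic went out without the proxy
            }
        }
    }
}
```

Running it on the JVM you intend to deploy shows whether that runtime fails closed for explicitly proxied sockets; a non-zero exit means a direct connection reached the canary.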
