[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How does Gmail know my local time zone (therefore ignoring the time zone of the Tor exit node) and what else can it see?

Thus spake Matthew (pumpkin@xxxxxxxxx):

> On 05/09/10 21:11, Geoff Down wrote:
> >Did you select a time zone when you set up the account?
> >I assume you are using Torbutton, which blocks Javascript being used to
> >read your local clock.
> >GD
> >
> AIUI, Gmail uses JavaScript to detect the time zone (but not the time) on 
> the client machine.  When I use NoScript with Gmail as untrusted, Gmail 
> cannot use JavaScript.  Changing the time zone settings (for example to 
> something five hours behind my real time zone) does not then change the 
> time at which e-mail appears to arrive in the Gmail inbox since this 
> requires JavaScript which is not used since Gmail is considered untrusted.

Please actually use Torbutton instead of speculating about what
protections it provides, trying to compensate with ad-hoc homebrew
approaches, and then complaining to the list when the results aren't
what you expect.


Noscript can have all sorts of surprising results when you allow
javascript from other domains.

> However, since many websites do require JavaScript, whether or not one is 
> using NoScript and / or TorButton, my question was:
> If Gmail can get the time zone via JavaScript (when the client is using 
> Tor) then why can it not get the "real" IP also via JavaScript (when the 
> client is using Tor)?  I don't think it can get the real IP since I have 
> used various tests including http://www.decloak.net/ and Tor with 
> JavaScript does not reveal the real IP.  But why not?

Javascript cannot unmask your IP. The attacks on decloak and elsewhere
are all about causing plugins and external applications to launch,
which NoScript does not protect against.

Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpGBGc4JNSeW.pgp
Description: PGP signature