Thus spake Matthew (pumpkin@xxxxxxxxx): > On 05/09/10 21:11, Geoff Down wrote: > >Did you select a time zone when you set up the account? > >I assume you are using Torbutton, which blocks Javascript being used to > >read your local clock. > >GD > > > AIUI, Gmail uses JavaScript to detect the time zone (but not the time) on > the client machine. When I use NoScript with Gmail as untrusted, Gmail > cannot use JavaScript. Changing the time zone settings (for example to > something five hours behind my real time zone) does not then change the > time at which e-mail appears to arrive in the Gmail inbox since this > requires JavaScript which is not used since Gmail is considered untrusted. Please actually use Torbutton instead of speculating about what protections it provides, trying to compensate with ad-hoc homebrew approaches, and then complaining to the list when the results aren't what you expect. https://www.torproject.org/torbutton/design/#adversary Noscript can have all sorts of surprising results when you allow javascript from other domains. > However, since many websites do require JavaScript, whether or not one is > using NoScript and / or TorButton, my question was: > > If Gmail can get the time zone via JavaScript (when the client is using > Tor) then why can it not get the "real" IP also via JavaScript (when the > client is using Tor)? I don't think it can get the real IP since I have > used various tests including http://www.decloak.net/ and Tor with > JavaScript does not reveal the real IP. But why not? Javascript cannot unmask your IP. The attacks on decloak and elsewhere are all about causing plugins and external applications to launch, which NoScript does not protect against. -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpGBGc4JNSeW.pgp
Description: PGP signature