Another Method to Block Java Hijinks

Kyle Williams kyle.kwilliams at gmail.com
Sat Apr 14 03:00:46 UTC 2007


On 4/12/07, scar <scar at drigon.com> wrote:
>
> norvid @ 2007/04/05 17:18:
> > On 4/5/07, James Muir <jamuir at scs.carleton.ca> wrote:
> >> norvid wrote:
> >> > On 4/5/07, James Muir <jamuir at scs.carleton.ca> wrote:
> >> >> norvid wrote:
> >> >
> >> > <snip>
> >> >
> >> >> I've heard that properly configuring a firewall can be tricky.  In any
> >> >> case, using a firewall still doesn't protect from Java applets reading
> >> >> identifying information locally and sending it back through the
> >> >> anonymous connection.
> >> >
> >> > Actually, I believe that with the browser denied access to the
> >> > internet, the normal 2-way java applet communication is prevented.
> >> > Please try the test I mentioned.
> >>
> >> In the tests that I have done previously, the Java VM inherits the proxy
> >> settings listed in the browser (at least this is what is supposed to
> >> happen; sometimes this does not happen).  So if the browser is
> >> configured to use Privoxy and these settings are communicated correctly
> >> to the Java VM, what is there to stop a Java applet from sending back
> >> data through Privoxy?
> >
> > I don't know the answers to these questions other than to say that I
> > am not configuring any of the proxy settings in the Java VM.  They are
> > the default.
> >
> > I have tried to configure Java VM proxy settings with no apparent
> > success.  I have no idea why this does not work.
> >
> > My test might best be performed on a Windows machine as the
> > availability of software firewalls is fairly extensive.  A lot of these
> > are easily configurable to block the browser and allow Privoxy access.
> > Although I don't have much experience with Linux, I'm guessing that
> > it might be a little more difficult to configure than Windows.
> >
> > I am certain that on my machine using two different firewalls, the
> > very specific test I detailed will not determine my real IP even
> > though Java is enabled.  Of course it cannot determine my IP if Java
> > is disabled also.
> >
>
> i think what we are trying to say here, is: even though this configuration
> may prevent java from determining the user's IP, it does not prevent java
> from determining other personal information.
>
> this information may include: the local time of the user's machine, screen
> resolution & color depth, operating system & browser version (if this is
> found to differ from the UserAgent reply, isn't that suspicious?), and
> probably many, many other items.  these could be just as revealing as an IP
> address.  so, unfortunately, i don't see the point of this configuration
> with anonymity in mind.
>
>
>
The local time of the user machine, that could be useful.
But if you want to know that the screen size is 1024x768, sure, you just got
the screen size of my VM.  That doesn't tell you that my real screen size is
1280x1024, 1600x1200, or whatever.  As for my OS, I don't care that you find
out I'm running Windows, in a VM.
Then what possible REAL information would you be able to find?

Seriously, someone...anyone, show me how much information you could get
using Java, Javascript, or Flash against JanusVM; I don't think you would
get much USEFUL information.

Specifically:
* What information can you find out that is REAL AND TRUE about the user
and/or environment they are using?
* How would you use this information to track the user to their point of
origin or source?
* How can this information compromise the safety / privacy of the user?
* Can any of the recovered information be used to calculate the user's
personality or browsing habits? (such as tracking pedophiles, like HD Moore
wants to do.)

I would be using JanusVM for the transparent proxy layer, Windows XP Pro for
the OS, and both IE and Firefox for the test.  Two VMs will be running with
VMWare Server, JanusVM and Windows XP.

If anyone is up for this, just let me know.
Personally, java is nice but I hate coding it and have lots to do already,
otherwise I would do it myself.
I would love to see good results, and have someone make me eat my words.
But as it stands, I think JanusVM is your best bet (for now) to protect
yourself against Java/Javascript/Flash leaking your real IP or other useful
information.

(HD Moore, you up for this?  If so, let me know because I have a couple of
ideas for ya.  ;-)


Regards,
~Kyle
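
The attributes listed in the quoted reply above (local time, screen resolution, and an OS that differs from the User-Agent reply) can be checked against one's own setup before relying on it. The following is an added example, not part of the original thread: `auditSnapshot`, the snapshot field names, the sample values and the set of "generic" screen sizes are assumptions made for illustration.

```javascript
// Added example (not from the thread): audit what page script could read.
// In a browser, fill the snapshot from navigator.userAgent, navigator.platform,
// screen.width, screen.height and new Date().getTimezoneOffset().

// Assumption: treating these sizes as "generic" is an illustrative choice.
const GENERIC_SCREENS = new Set(["1024x768", "1280x1024", "1600x1200"]);

// Reduce a User-Agent string or navigator.platform value to an OS family.
function osFamily(text) {
  const t = String(text || "").toLowerCase();
  if (/mac/.test(t)) return "mac";
  if (/win/.test(t)) return "windows";
  if (/linux|x11/.test(t)) return "linux";
  return "unknown";
}

// Return the attributes in a snapshot that give an observer something to use.
function auditSnapshot(s) {
  const findings = [];
  const headerOs = osFamily(s.userAgentHeader);
  const scriptOs = osFamily(s.platform);
  if (headerOs !== "unknown" && scriptOs !== "unknown" && headerOs !== scriptOs) {
    findings.push({ id: "os-mismatch", detail: `header: ${headerOs}, script: ${scriptOs}` });
  }
  if (s.timezoneOffsetMinutes !== 0) {
    // getTimezoneOffset() is positive when local time is behind UTC.
    const hours = -s.timezoneOffsetMinutes / 60;
    findings.push({ id: "timezone", detail: `UTC${hours >= 0 ? "+" : ""}${hours}` });
  }
  const size = `${s.screenWidth}x${s.screenHeight}`;
  if (!GENERIC_SCREENS.has(size)) {
    findings.push({ id: "screen", detail: size });
  }
  return findings;
}

// Constructed snapshots: a host browser whose proxy rewrites the User-Agent
// header, and a VM guest with a UTC clock and a generic resolution.
const hostBrowser = {
  userAgentHeader: "Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox/2.0",
  platform: "Win32", timezoneOffsetMinutes: 420, screenWidth: 1680, screenHeight: 1050,
};
const vmGuest = {
  userAgentHeader: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0",
  platform: "Win32", timezoneOffsetMinutes: 0, screenWidth: 1024, screenHeight: 768,
};

console.log(auditSnapshot(hostBrowser).map((f) => `${f.id}: ${f.detail}`));
console.log(auditSnapshot(vmGuest));
```

An empty result only means none of these three checks fired; it says nothing about attributes the snapshot does not include.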

More information about the tor-talk mailing list