On Mon, Apr 14, 2014 at 08:19:11PM +0200, Thomas Asta wrote: > Nils that ia simply untrue. JS accesses the local machine where the briwser > is. > Am 14.04.2014 20:11 schrieb "Nils Kunze" <[email protected]>: > > > As these requests will be sent out via the tor network, this will not leak > > your real ip but just the ip of your exit relay, which is known anyways.
Sorry, I suggest you all learn more about javascript and read the links in question. There aren't any known ways for JavaScript to learn the client's IP address locally. Assuming there aren't further browser exploits of course. And those exploits can be in any part of the browser, not just JavaScript. Though historically a lot of vulnerabilities have been in JavaScript. The links in this thread point to external "what's my IP" sites that you can ask the client to fetch -- but the fetch will go over Tor, so it will tell you a Tor exit relay's IP address. For more info on the Tor side, see https://trac.torproject.org/projects/tor/ticket/9387 including the line in https://blog.torproject.org/blog/tor-browser-36-beta-2-released where we're experimenting with disabling some Javascript implementation optimizations that have historically been the source of many vulnerabilities. and more broadly, https://www.torproject.org/docs/faq#TBBJavaScriptEnabled And yes, sandboxes and firewalls do seem like a great idea, for tolerating implementation (and heck, protocol) flaws. I'm glad people are working on making them both effective and usable. We need more people in the world working on that. --Roger -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
