Re: Obtaining Client IP Address using *JavaScript ONLY* (was: SoTOR is NOT really anonoymous!)

Privacy Advocate wrote:

Quote:

//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?

No.

Let's define 'JavaScript' as Netscape's implementation of ECMAScript
Language, 'JScript' is Microsoft's implementation of it. VBScript and
ActiveX are Microsoft proprietary programming environments that have
nothing to do with ECMAScript and work only in IE on Windows.

Java is yet another technology that can be used within a browser. It
has nothing to do with JavaScript.

Quote:

There has been a lot of speculation, assumption and good-intentioned
misinformation over the last 7 or 8 years in the privacy groups
concerning the (mis)use of JavaScript in obtaining the real IP address
of a user visiting a web page through an anonymous proxy.

As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.

It is possible in Mozilla based browsers using extensions to ECMAScript.
Try the following in Firefox (you may have to copy and paste the URL
into the address bar):

<URL:javascript:alert('Your IP address is: '
+java.net.InetAddress.getLocalHost().getHostAddres s());>

That has been possible since 1996 and Netscape 2.

Quote:

If it is indeed possible to obtain one's real IP through JavaScript
only, could someone PLEASE post a link to a web site that
unequivocally demonstrates this? The only site that I've ever found
that even comes close is:

http://www.stilllistener.com/checkpoint1/Java/

That site uses Java applets (i.e. not JavaScript). It does not get the
client IP address, nor does it work if you use an anonymous proxy.
Compare the results of the following link to those from the one above:

<URL:http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.stilllistener.com/checkpoint1/index.shtml>

Try here:

<URL:http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#myIpAddress>

Quote:

Which states: "Below the text you have JavaScript, VBScript and JAVA
based graphic applications. If you are able to see any results of
these tests on this page, your real IP could be seen, regardless of
the use of an anonymous proxy as shown on the table below."

The IP address assigned to an individual PC is of little use to anyone
outside your network.

Quote:

Which, in my opinion, is misleading as hell because if you (through a
true anonymous proxy or Tor) load that page with both Java &
JavaScript disabled and review the revealed information, and then ONLY
enable JavaScript and reload the page, you will see more detailed
information this time, BUT STILL NOT YOUR TRUE IP ADDRESS!

Anyone care to put this JavaScript argument to rest once and for all?

The definitive answer is that JavaScript, on its own, can't do it.
Browser extensions can allow scripts to do it. They could send your IP
address back to a server.

The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


--
Zif

Zif wrote:

Quote:

It is possible in Mozilla based browsers using extensions to ECMAScript.
Try the following in Firefox (you may have to copy and paste the URL
into the address bar):

URL:javascript:alert('Your IP address is: '
+java.net.InetAddress.getLocalHost().getHostAddres s());

Tremendous ! that's work with my NC4.5 (and not with FF)

Of course I get my UC's IP (192.168.x.y)
which is certainly not the IP send by my FAI as explained further bellow

Quote:

That has been possible since 1996 and Netscape 2.

Quote:

Compare the results of the following link to those from the one above:

URL:http://anonymouse.org/cgi-bin/anon-w...t1/index.shtml

no result ... FF works in loop


to remember :

Quote:

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?

--
Stephane Moriaux et son [moins] vieux Mac

This is a Type III anonymous message, sent to you by the Mixminion
server at frell.theremailer.net. If you do not want to receive
anonymous messages, please contact abuse (AT) frell (DOT) theremailer.net.

-----BEGIN TYPE III ANONYMOUS MESSAGE-----
Message-type: plaintext

In <4306ccb1$0$21046$5a62ac22 (AT) per-qv1-newsreader-01 (DOT) iinet.net.au> Zif <zifud (AT) hotmail (DOT) com> wrote:

Quote:

Privacy Advocate wrote:

[snip]

Quote:

The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?

'couple things here.

First, from a privacy point of view, the term 'Real I.P. address' refers to
the (usually dynamic) address assigned by your ISP when you connect to
the Internet. Not the technically 'Real' address on a particular LAN.

Second. In Email, Usenet postings, and activities on the web such as viewing
web pages, IRC and Chatrooms the user's I.P. address and the time of their
connection is easily retrievable from server logs, message headers etc. This
information can be used to determine the user's ISP and from there it's a
much smaller matter to get the user's identity from the ISP.

Privacy advocates don't care for this sort of thing, at least THIS privacy
advocate (me!) doesn't like it one bit. Another factor is that once your true
I.P. address is known, then it becomes possible for malware or malpeople
('Black hat' type hackers... the "bad guys") can begin an attack on the user's
system. (why is almost irrelevant, some do it simply because they can.)

True anonymous proxies like Tor (if used properly) make it impossible for
a person to exploit the knowledge of a target's I.P. address.)

-----END TYPE III ANONYMOUS MESSAGE-----