473,695 Members | 2,798 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Obtaining Client IP Address using *JavaScript ONLY* (was: So TOR is NOT really anonoymous!)

//crossposted to: comp.lang.javas cript, alt.comp.lang.j avascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?

There has been a lot of speculation, assumption and good-intentioned
misinformation over the last 7 or 8 years in the privacy groups
concerning the (mis)use of JavaScript in obtaining the real IP address
of a user visiting a web page through an anonymous proxy.

As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.

If it is indeed possible to obtain one's real IP through JavaScript
only, could someone PLEASE post a link to a web site that
unequivocally demonstrates this? The only site that I've ever found
that even comes close is:

http://www.stilllistener.com/checkpoint1/Java/

Which states: "Below the text you have JavaScript, VBScript and JAVA
based graphic applications. If you are able to see any results of
these tests on this page, your real IP could be seen, regardless of
the use of an anonymous proxy as shown on the table below."

Which, in my opinion, is misleading as hell because if you (through a
true anonymous proxy or Tor) load that page with both Java &
JavaScript disabled and review the revealed information, and then ONLY
enable JavaScript and reload the page, you will see more detailed
information this time, BUT STILL NOT YOUR TRUE IP ADDRESS!

Anyone care to put this JavaScript argument to rest once and for all?

Aug 20 '05 #1
7 21301
Privacy Advocate wrote:
//crossposted to: comp.lang.javas cript, alt.comp.lang.j avascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser?


No.

[...]

--
Rob
Aug 20 '05 #2
Zif
Privacy Advocate wrote:
//crossposted to: comp.lang.javas cript, alt.comp.lang.j avascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?
No.

Let's define 'JavaScript' as Netscape's implementation of ECMAScript
Language, 'JScript' is Microsoft's implementation of it. VBScript and
ActiveX are Microsoft proprietary programming environments that have
nothing to do with ECMAScript and work only in IE on Windows.

Java is yet another technology that can be used within a browser. It
has nothing to do with JavaScript.

There has been a lot of speculation, assumption and good-intentioned
misinformation over the last 7 or 8 years in the privacy groups
concerning the (mis)use of JavaScript in obtaining the real IP address
of a user visiting a web page through an anonymous proxy.

As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.
It is possible in Mozilla based browsers using extensions to ECMAScript.
Try the following in Firefox (you may have to copy and paste the URL
into the address bar):

<URL:javascript :alert('Your IP address is: '
+java.net.InetA ddress.getLocal Host().getHostA ddress());>

That has been possible since 1996 and Netscape 2.

If it is indeed possible to obtain one's real IP through JavaScript
only, could someone PLEASE post a link to a web site that
unequivocally demonstrates this? The only site that I've ever found
that even comes close is:

http://www.stilllistener.com/checkpoint1/Java/
That site uses Java applets (i.e. not JavaScript). It does not get the
client IP address, nor does it work if you use an anonymous proxy.
Compare the results of the following link to those from the one above:

<URL:http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.stilllisten er.com/checkpoint1/index.shtml>

Try here:

<URL:http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#myIpA ddress>

Which states: "Below the text you have JavaScript, VBScript and JAVA
based graphic applications. If you are able to see any results of
these tests on this page, your real IP could be seen, regardless of
the use of an anonymous proxy as shown on the table below."
The IP address assigned to an individual PC is of little use to anyone
outside your network.

Which, in my opinion, is misleading as hell because if you (through a
true anonymous proxy or Tor) load that page with both Java &
JavaScript disabled and review the revealed information, and then ONLY
enable JavaScript and reload the page, you will see more detailed
information this time, BUT STILL NOT YOUR TRUE IP ADDRESS!

Anyone care to put this JavaScript argument to rest once and for all?


The definitive answer is that JavaScript, on its own, can't do it.
Browser extensions can allow scripts to do it. They could send your IP
address back to a server.

The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?
--
Zif
Aug 20 '05 #3
"Zif" <zi***@hotmail. com> skrev i meddelandet
news:43******** *************** @per-qv1-newsreader-01.iinet.net.au ...
Privacy Advocate wrote: <snip dialogue>
The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


I believe in many countries, government agencies can order providers to
disclose which dialup account was assigned what IP number at a given time.
It could be about drugs - or it could be about undesirable political
activity.

--
Joakim Braun
Aug 20 '05 #4
ASM
Zif wrote:

It is possible in Mozilla based browsers using extensions to ECMAScript.
Try the following in Firefox (you may have to copy and paste the URL
into the address bar):

<URL:javascript :alert('Your IP address is: '
+java.net.InetA ddress.getLocal Host().getHostA ddress());>
Tremendous ! that's work with my NC4.5 (and not with FF)

Of course I get my UC's IP (192.168.x.y)
which is certainly not the IP send by my FAI as explained further bellow
That has been possible since 1996 and Netscape 2.
Compare the results of the following link to those from the one above:

<URL:http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.stilllisten er.com/checkpoint1/index.shtml>
no result ... FF works in loop
to remember :
Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


--
Stephane Moriaux et son [moins] vieux Mac
Aug 20 '05 #5
This is a Type III anonymous message, sent to you by the Mixminion
server at frell.theremail er.net. If you do not want to receive
anonymous messages, please contact ab***@frell.the remailer.net.

-----BEGIN TYPE III ANONYMOUS MESSAGE-----
Message-type: plaintext

In <43************ ***********@per-qv1-newsreader-01.iinet.net.au > Zif <zi***@hotmail. com> wrote:
Privacy Advocate wrote:
[snip]
The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


'couple things here.

First, from a privacy point of view, the term 'Real I.P. address' refers to
the (usually dynamic) address assigned by your ISP when you connect to
the Internet. Not the technically 'Real' address on a particular LAN.

Second. In Email, Usenet postings, and activities on the web such as viewing
web pages, IRC and Chatrooms the user's I.P. address and the time of their
connection is easily retrievable from server logs, message headers etc. This
information can be used to determine the user's ISP and from there it's a
much smaller matter to get the user's identity from the ISP.

Privacy advocates don't care for this sort of thing, at least THIS privacy
advocate (me!) doesn't like it one bit. Another factor is that once your true
I.P. address is known, then it becomes possible for malware or malpeople
('Black hat' type hackers... the "bad guys") can begin an attack on the user's
system. (why is almost irrelevant, some do it simply because they can.)

True anonymous proxies like Tor (if used properly) make it impossible for
a person to exploit the knowledge of a target's I.P. address.)

-----END TYPE III ANONYMOUS MESSAGE-----
Aug 21 '05 #6
In article <43************ ***********@aut hen.white.readf reenews.net>, Privacy Advocate wrote:
//crossposted to: comp.lang.javas cript, alt.comp.lang.j avascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?
none of the above alone are capable of determining the real world IP of the
client... to do that (and be guaranteed success) you'd need to run traceroute
or similar on their machine.
As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.
I can access my yahoo mail using links (with ssl enabled) links doesn't do
javascipt.
If it is indeed possible to obtain one's real IP through JavaScript
only,


It's not. in many cases the browser doesn't have access to that information
(eg when it's on a lan behind a gateway....)
Bye.
Jasen
Aug 26 '05 #7
In article <43************ ***********@aut hen.white.readf reenews.net>,
Privacy Advocate wrote:
//crossposted to: comp.lang.javas cript, alt.comp.lang.j avascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser?


First I tried without using the Tor/Privoxy combo.

java turned off
javascript turned off

http://www.stilllistener.com/checkpoint1/java - does not see my ip
http://whatismyip.com - sees my ip
java turned off
javascript turned on

http://www.stilllistener.com/checkpoint1/java - does not see my ip, but
sees lots of other interesting stuff about my pc

http://whatismyip.com - sees my ip

java turned on
javascript turned off

http://www.stilllistener.com/checkpoint1/java - sees my ip
http://whatismyip.com - sees my ip

Then I tried it with Tor/Privoxy running

java turned off
javascript turned off

http://www.stilllistener.com/checkpoint1/java - does not see my ip
http://whatismyip.com - does not see my ip
java turned on
javascript turned on

http://www.stilllistener.com/checkpoint1/java - sees my ip
http://whatismyip.com - does not see my ip
java turned on
javascript turned off

http://www.stilllistener.com/checkpoint1/java - sees my ip
http://whatismyip.com - does not see my ip
java turned off
javascript turned on

http://www.stilllistener.com/checkpoint1/java - does not see my ip but
sees lots of interesting stuff about my pc

http://whatismyip.com - does not see my ip
Aug 27 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

12
13315
by: Larry R. Baker | last post by:
Is it possible to grab a client side IP Address using JavaScript in an htm page? I have a web page hosted on a non-ASP server and I want a piece of code in JavaScript to grab the IP address of the client and send it to a web page on another server. The other page will be ASP. I need this for both Netscape and IE browsers. Any ideas?
7
50894
by: Doug van Vianen | last post by:
I recently found the following JavaScript code which is supposed to let one find then use the ip address of the person accessing the web page containing the script. <SCRIPT LANGUAGE="JavaScript"> <!-- var ip = '<!--#echo var="REMOTE_ADDR"-->'; function ipval() { document.myform.ipadd.value=ip;
2
25183
by: Vanitha | last post by:
Hi All, Is it possible to get the Server IP Address from Javascript ie., when the user types "http://10.0.0.10/main.htm" in the web browser, i need to retrive the value of the IP Address(10.0.0.10) from my client side javascript.
2
2619
by: jcvoon | last post by:
Hi: It is possible to send a downloaded pdf file to fax printer using javascript ? something like this, but i can't make the following code work. function FaxDocument() { var faxServer = new ActiveXObject("FAXCOMLIB.FaxServer");
2
2242
by: krev | last post by:
Is is possible to check the version of a software installed in client system using javascript?
4
2966
by: pskvenkat | last post by:
Hi this is venkat, i have a drop downlist for country, i composed a code in javascript for that and its working in HTML page but i dont know how to call the same javascript function in asp.net(C#) dropdownlist. please advice me and send me code for how to call the function..
9
8103
by: shailaja.sheel | last post by:
Hi , This is my first attempt to do some html/javascript programming and I am totally lost. I have a questionaire form and when user clicks Submit, I want to save the data in XML file on client side. User will then sync all these xml files to a PC later. From all the research I have done so far, its being indicated that client side file creation is not possible - is that true? If yes, then I have a huge problem - is there anyway I can...
3
5479
by: malathib | last post by:
Hi, In my web application, in one of the screen when the user clicks on one link, it has to open a folder that was located in server in client side.
0
8619
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, weíll explore What is ONU, What Is Router, ONU & Routerís main usage, and What is the difference between ONU and Router. Letís take a closer look ! Part I. Meaning of...
0
8559
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9112
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
8818
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
5832
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4338
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
4575
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
2
2261
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
1971
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.