By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
432,257 Members | 939 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 432,257 IT Pros & Developers. It's quick & easy.

Obtaining Client IP Address using *JavaScript ONLY* (was: So TOR is NOT really anonoymous!)

P: n/a
//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?

There has been a lot of speculation, assumption and good-intentioned
misinformation over the last 7 or 8 years in the privacy groups
concerning the (mis)use of JavaScript in obtaining the real IP address
of a user visiting a web page through an anonymous proxy.

As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.

If it is indeed possible to obtain one's real IP through JavaScript
only, could someone PLEASE post a link to a web site that
unequivocally demonstrates this? The only site that I've ever found
that even comes close is:

http://www.stilllistener.com/checkpoint1/Java/

Which states: "Below the text you have JavaScript, VBScript and JAVA
based graphic applications. If you are able to see any results of
these tests on this page, your real IP could be seen, regardless of
the use of an anonymous proxy as shown on the table below."

Which, in my opinion, is misleading as hell because if you (through a
true anonymous proxy or Tor) load that page with both Java &
JavaScript disabled and review the revealed information, and then ONLY
enable JavaScript and reload the page, you will see more detailed
information this time, BUT STILL NOT YOUR TRUE IP ADDRESS!

Anyone care to put this JavaScript argument to rest once and for all?

Aug 20 '05 #1
Share this Question
Share on Google+
7 Replies


P: n/a
Privacy Advocate wrote:
//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser?


No.

[...]

--
Rob
Aug 20 '05 #2

P: n/a
Zif
Privacy Advocate wrote:
//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?
No.

Let's define 'JavaScript' as Netscape's implementation of ECMAScript
Language, 'JScript' is Microsoft's implementation of it. VBScript and
ActiveX are Microsoft proprietary programming environments that have
nothing to do with ECMAScript and work only in IE on Windows.

Java is yet another technology that can be used within a browser. It
has nothing to do with JavaScript.

There has been a lot of speculation, assumption and good-intentioned
misinformation over the last 7 or 8 years in the privacy groups
concerning the (mis)use of JavaScript in obtaining the real IP address
of a user visiting a web page through an anonymous proxy.

As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.
It is possible in Mozilla based browsers using extensions to ECMAScript.
Try the following in Firefox (you may have to copy and paste the URL
into the address bar):

<URL:javascript:alert('Your IP address is: '
+java.net.InetAddress.getLocalHost().getHostAddres s());>

That has been possible since 1996 and Netscape 2.

If it is indeed possible to obtain one's real IP through JavaScript
only, could someone PLEASE post a link to a web site that
unequivocally demonstrates this? The only site that I've ever found
that even comes close is:

http://www.stilllistener.com/checkpoint1/Java/
That site uses Java applets (i.e. not JavaScript). It does not get the
client IP address, nor does it work if you use an anonymous proxy.
Compare the results of the following link to those from the one above:

<URL:http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.stilllistener.com/checkpoint1/index.shtml>

Try here:

<URL:http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html#myIpAddress>

Which states: "Below the text you have JavaScript, VBScript and JAVA
based graphic applications. If you are able to see any results of
these tests on this page, your real IP could be seen, regardless of
the use of an anonymous proxy as shown on the table below."
The IP address assigned to an individual PC is of little use to anyone
outside your network.

Which, in my opinion, is misleading as hell because if you (through a
true anonymous proxy or Tor) load that page with both Java &
JavaScript disabled and review the revealed information, and then ONLY
enable JavaScript and reload the page, you will see more detailed
information this time, BUT STILL NOT YOUR TRUE IP ADDRESS!

Anyone care to put this JavaScript argument to rest once and for all?


The definitive answer is that JavaScript, on its own, can't do it.
Browser extensions can allow scripts to do it. They could send your IP
address back to a server.

The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?
--
Zif
Aug 20 '05 #3

P: n/a
"Zif" <zi***@hotmail.com> skrev i meddelandet
news:43***********************@per-qv1-newsreader-01.iinet.net.au...
Privacy Advocate wrote: <snip dialogue>
The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


I believe in many countries, government agencies can order providers to
disclose which dialup account was assigned what IP number at a given time.
It could be about drugs - or it could be about undesirable political
activity.

--
Joakim Braun
Aug 20 '05 #4

P: n/a
ASM
Zif wrote:

It is possible in Mozilla based browsers using extensions to ECMAScript.
Try the following in Firefox (you may have to copy and paste the URL
into the address bar):

<URL:javascript:alert('Your IP address is: '
+java.net.InetAddress.getLocalHost().getHostAddres s());>
Tremendous ! that's work with my NC4.5 (and not with FF)

Of course I get my UC's IP (192.168.x.y)
which is certainly not the IP send by my FAI as explained further bellow
That has been possible since 1996 and Netscape 2.
Compare the results of the following link to those from the one above:

<URL:http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.stilllistener.com/checkpoint1/index.shtml>
no result ... FF works in loop
to remember :
Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


--
Stephane Moriaux et son [moins] vieux Mac
Aug 20 '05 #5

P: n/a
This is a Type III anonymous message, sent to you by the Mixminion
server at frell.theremailer.net. If you do not want to receive
anonymous messages, please contact ab***@frell.theremailer.net.

-----BEGIN TYPE III ANONYMOUS MESSAGE-----
Message-type: plaintext

In <43***********************@per-qv1-newsreader-01.iinet.net.au> Zif <zi***@hotmail.com> wrote:
Privacy Advocate wrote:
[snip]
The bigger question is what use is your 'real' IP address to anyone?
Probably less use than your name, address and phone number from a phone
book.

Your 'real' IP address is probably replicated thousands of times (most
are in the range 192.168.x.x or 10.1.x.x). If you use DNS on your local
network, then your 'real' IP address probably changes every time you
connect to the network (i.e. turn your PC on). Your IP address at your
ISP changes each time you connect with your modem - dialup, ADSL or other.

So what use is an address that is only valid for some random time from a
few minutes to a few days an is likely not unique?


'couple things here.

First, from a privacy point of view, the term 'Real I.P. address' refers to
the (usually dynamic) address assigned by your ISP when you connect to
the Internet. Not the technically 'Real' address on a particular LAN.

Second. In Email, Usenet postings, and activities on the web such as viewing
web pages, IRC and Chatrooms the user's I.P. address and the time of their
connection is easily retrievable from server logs, message headers etc. This
information can be used to determine the user's ISP and from there it's a
much smaller matter to get the user's identity from the ISP.

Privacy advocates don't care for this sort of thing, at least THIS privacy
advocate (me!) doesn't like it one bit. Another factor is that once your true
I.P. address is known, then it becomes possible for malware or malpeople
('Black hat' type hackers... the "bad guys") can begin an attack on the user's
system. (why is almost irrelevant, some do it simply because they can.)

True anonymous proxies like Tor (if used properly) make it impossible for
a person to exploit the knowledge of a target's I.P. address.)

-----END TYPE III ANONYMOUS MESSAGE-----
Aug 21 '05 #6

P: n/a
In article <43***********************@authen.white.readfreene ws.net>, Privacy Advocate wrote:
//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser? This is NOT
a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us
_only_ deal with JavaScript for the sake of this post. Can someone
provide us (we, non-coders) with a definitive answer to this
perplexing question?
none of the above alone are capable of determining the real world IP of the
client... to do that (and be guaranteed success) you'd need to run traceroute
or similar on their machine.
As an example, most are aware Hotmail, Yahoo mail, Google 'gmail' -
all require JavaScript enabled in order to sign up for a free email
account. It has been the general consensus of many over the years that
the providers of these free email accounts are able to obtain the true
IP of the person applying, through the use of JavaScript.
I can access my yahoo mail using links (with ssl enabled) links doesn't do
javascipt.
If it is indeed possible to obtain one's real IP through JavaScript
only,


It's not. in many cases the browser doesn't have access to that information
(eg when it's on a lan behind a gateway....)
Bye.
Jasen
Aug 26 '05 #7

P: n/a
In article <43***********************@authen.white.readfreene ws.net>,
Privacy Advocate wrote:
//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an
effort to get factual answers from JavaScript experts//

Simply put; Is it possible to obtain the real (actual) IP address of
someone (client) that visits a web site through an anonymous proxy if
this person ONLY has JavaScript enabled in their browser?


First I tried without using the Tor/Privoxy combo.

java turned off
javascript turned off

http://www.stilllistener.com/checkpoint1/java - does not see my ip
http://whatismyip.com - sees my ip
java turned off
javascript turned on

http://www.stilllistener.com/checkpoint1/java - does not see my ip, but
sees lots of other interesting stuff about my pc

http://whatismyip.com - sees my ip

java turned on
javascript turned off

http://www.stilllistener.com/checkpoint1/java - sees my ip
http://whatismyip.com - sees my ip

Then I tried it with Tor/Privoxy running

java turned off
javascript turned off

http://www.stilllistener.com/checkpoint1/java - does not see my ip
http://whatismyip.com - does not see my ip
java turned on
javascript turned on

http://www.stilllistener.com/checkpoint1/java - sees my ip
http://whatismyip.com - does not see my ip
java turned on
javascript turned off

http://www.stilllistener.com/checkpoint1/java - sees my ip
http://whatismyip.com - does not see my ip
java turned off
javascript turned on

http://www.stilllistener.com/checkpoint1/java - does not see my ip but
sees lots of interesting stuff about my pc

http://whatismyip.com - does not see my ip
Aug 27 '05 #8

This discussion thread is closed

Replies have been disabled for this discussion.