-2

When using a VPN, proxy, etc. to hide your IP, if you, as an example, log in securely to a bank website, they will (or can) obtain your real IP contained in the encrypted data. Likewise, any SSL-secured webpage has access to your real IP, doesn't it? To me this apparent universal oversight seems worrying for those attempting anonymity online. Is this correct?

user93738
  • 1
    Security and Anonymity are two different things. Security often depends highly on not having anonymity between the two communicating parties. It's what authentication is about. – Fiasco Labs Dec 05 '15 at 06:07
  • Thanks everyone for your comments. One of my concerns is that recently almost all browsers have removed the user's ability to switch SSL/TLS off. And again almost all search engines require SSL. I read specifically that a bank stored the client's IP at the user end for authentication which was then encrypted safely, sent to them, and they could access the IP their end. So I assumed this was the usual practice with SSL communication. My interest is anonymity both through network sniffing and from sites visited. As far as I can tell it seems a fairly unknown risk for anonymity online, as using pl – user93738 Dec 06 '15 at 10:09

5 Answers

6

No. Online anonymity is compromised by a lot of other things.

SSL is there to prevent people from snooping on the contents of your connection, and to verify you're connecting to the correct host.

While a man-in-the-middle attack may still be performed, the attacker will not typically be able to read the contents.

SSL is not there to make you anonymous when visiting a website. It's there to encrypt the contents of your connection. Example:

  1. No SSL
    • Dovid is talking to Simon, but someone is snooping on their connection.
    • Dovid: Hi, Simon!
    • Simon sees: Hi, Simon!
    • Attacker sees: Hi, Simon!
  2. With SSL
    • Dovid is talking to Simon, but someone is snooping on their connection.
    • Dovid: Hi, Simon!
    • Simon sees: Hi, Simon!
    • Attacker sees: vdO2KVfFbvPuK30YxZ7luUDORbJdwGc9uXp (fake string as an example)

Furthermore, having your IP address attached to any connection is required to get a response back. How will the person you're contacting know who to reply to if they don't know where you're coming from?

Better yet, if you receive a letter in the mail without a return address on it, how will you respond? The same concept applies with the internet protocol.

Mark Buffalo
6

HTTPS is not a tool to hide who you are, it is a tool to hide what you are saying. The purpose of SSL is to establish a secure means of communication between a client and a server. If you want anonymity then you need to use something like Tor with HTTPS.

The EFF has a neat site that explains how you can hide who you are, as well as what you are saying. It also shows what happens if you only use Tor or HTTPS without the other.

To get a really easy example of what things are like without SSL, run Wireshark and then try logging into something over HTTP (home routers are notorious for this). When you inspect the HTTP packet you will see your credentials in plaintext. If SSL is used then this isn't possible unless you had established a MITM before the client and server formed their secure communication!

Your browser also leaks a lot of data while you are browsing so the fact that someone can see your IP is the least of your worries. In fact these methods are so powerful you can use them to fingerprint users even if they are on Tor.

pureooze
5

> When using a vpn, proxy etc to hide your IP, ... they will (or can) obtain your real IP contained in the encrypted data.

It is not true that SSL will contain your real IP address in the encrypted data. SSL will only contain the data sent by the browser and the real IP is usually not part of it. The IP will be contained in the unencrypted data, though only in the connection to the VPN. This is needed to get data back from the VPN. But the server you access through the VPN will only see the IP address of the VPN, not yours.

That does not mean that it is impossible for a server to get knowledge of your real IP address. There are techniques like WebRTC which can be helpful to get this IP address and therefore these techniques are disabled in the Tor browser bundle where they care about anonymity. But this is completely unrelated to SSL.

> To me this apparent universal oversight, seems worrying for those attempting anonymity online. Is this correct?

SSL is intended to secure the connection against sniffing and tampering and to that extent provides a bit more privacy. But privacy is not the main aspect of SSL; encryption and tamper resistance are. Please don't assume that anything which provides some security also increases privacy, because often it does not. In lots of cases more security can even have a negative impact on privacy; just look at all the data collection they do to find terrorists.

Steffen Ullrich
0

No. SSL/TLS increases the privacy of your data through encryption. The encryption technology is not responsible for disclosure of your IP address.

Specifically, SSL/TLS exists at the application layer of the OSI model whereas IP addresses are disclosed at the network layer. Thus, the disclosure of your IP address is common across all applications communicating via the IP protocol.

Other methods exist to prevent disclosure of your IP address to certain parties. Onion routing is an especially good example of this.

Austin Hartzheim
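An added illustration, not part of any answer on this page, of the point made in the two answers above: the source address travels in the cleartext IP header, outside the TLS record, and a server reached through a VPN sees the VPN's address rather than the client's. The addresses are constructed RFC 5737 documentation values, the payload is a stand-in for ciphertext, and the one-line source rewrite is a simplified model of a VPN exit.

```python
import ipaddress
import struct

# Constructed sample values (RFC 5737 documentation addresses, not real hosts).
CLIENT, VPN_EXIT, SERVER = "203.0.113.7", "198.51.100.20", "192.0.2.80"
# Constructed stand-in for encrypted application data (not real TLS ciphertext).
CIPHERTEXT = bytes(range(0x40, 0x60))

def build_packet(src, dst, ciphertext):
    """Build IPv4 + TCP + TLS application-data record (checksums left at 0)."""
    tls = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(tls), 0, 0,
                     64, 6, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + tls

def vpn_exit_rewrite(packet, exit_ip):
    """Simplified VPN exit: same payload, source address replaced by the exit's."""
    return packet[:12] + ipaddress.IPv4Address(exit_ip).packed + packet[16:]

def cleartext_view(packet):
    """Fields readable without any TLS key, by the receiver or an on-path observer."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    tcp_len = (packet[ihl + 12] >> 4) * 4             # TCP data offset
    record = packet[ihl + tcp_len:]
    ctype, version, length = struct.unpack("!BHH", record[:5])
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "dport": dport,
        "tls_record_type": ctype,                     # 23 = application_data
        "opaque_payload": record[5:5 + length],
    }

def compare_paths():
    """Return the server-side view for a direct connection and for one via the VPN."""
    direct = build_packet(CLIENT, SERVER, CIPHERTEXT)
    return cleartext_view(direct), cleartext_view(vpn_exit_rewrite(direct, VPN_EXIT))

if __name__ == "__main__":
    for label, view in zip(("direct", "via VPN"), compare_paths()):
        print(label, view["src"], "->", view["dst"], view["opaque_payload"].hex()[:16])
```

The encrypted payload is byte-for-byte identical on both paths; only the header's source field changes, which is why the address a server logs depends on the network path and not on TLS.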
-4

For those attempting anonymity online the only "safe" way to do it is to be paranoid. Here's how the "pros" do it.

First you have to build a completely fake persona, and memorize it. Then you have to obtain some laptop from some cash-and-go place like a pawnshop or a craigslist transaction because if they get a 'bot on your laptop when you're using it they can get the serial number and go back to the manufacturer and trace it to the retailer and subpoena to get your name. Then you have to nuke and repave the laptop and use your fake persona. Then you have to take the laptop to some "public access wifi" place and use it there. Once you have used it, keep it powered off unless you are at your wifi signal place. Oh and don't drive your car there because they might have security cameras going that will record your license plate. And go to a different wifi place each time because once you post your manifesto they will put a plainclothes detective in a car watching the wifi place. And don't forget to construct a hat out of aluminum foil to block the brainwave scanners.

  • I don't think it is tinfoil hat of the OP to wonder why SSL is showing the source IP at the destination. It's a common misconception if you are not familiar with networking. It also doesn't help that SSL is sometimes sold as a magic, fix-all-your-security-problems technology by some people/organizations where it simply is not that. – pureooze Dec 05 '15 at 06:07
  • This is cute, but it won't work in the USA. ;) – Mark Buffalo Dec 05 '15 at 06:12
  • 1
    A tin foil hat blocks a lot of things, including job offers and marriage proposals, but one thing it does not block is a brainwave reader, assuming such a thing existed; [this paraphrased from Physics.SE.](http://physics.stackexchange.com/questions/208516/can-tin-foil-hats-block-anything) – timuzhti Dec 05 '15 at 07:55
  • Even if the OP did what you suggest, you still don't address concerns about SSL and privacy. – Neil Smithline Dec 05 '15 at 17:10