0

This article claims that allowing javascript must be treated as a potential security hole on anything (inside or outside Tor). So, the best we can do is hope that ProtonMail doesn't become evil?

How exactly does this work? How can they find out our real IP address? Does this depend on finding a 0-day exploit?

And if they (ProtonMail, or really any other website) do try to snoop on us, it should be visible in the JS source code right? But JS can be obscured, so how exactly can an average user find out if a website is attempting to figure out the real IP address (inside or outside Tor)?

Dokli
  • 9
  • 1

1 Answers1

1

As mentionned by @schroeder, this is purely about Javascript, not about any specific app that involves Javascript.

One practical example of how Javascript can be used to de-cloak a tor user is by using WebRTC (see https://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html). Javascript is at issue because it is used to build the WebRTC connection (see https://hpbn.co/webrtc/ for a great overview of WebRTC).

Another is the use of GeoLocation APIs built into browsers, which again, are intended to be queried via Javascript (see for example https://www.w3schools.com/html/html5_geolocation.asp). That API would typically fallback to using IP based location as a last resort, but often prefers other sources (such as visible access points, GPS, etc).

There are other examples involving Flash, possibly Java, and no doubt a whole laundry list of other things.

You can (generally) profile javascript (via your browser's developper/debug mode - which you can typically access by hitting F12), and most browsers will also provide you a way of inspecting what connections are made by your browser when processing a page.

Generally, prevention is far preferrable to detection, so doing things like disallowing/restricting Javascript, disabling WebRTC globally, not, ever, under any circumstances allowing flash or java in your browser , are probably your best bet.

iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24