building pages with tor in mind

Ringo Kamens 2600denver at gmail.com
Tue Feb 27 18:32:58 UTC 2007


In addition, since JS is a scripting language, it opens the hole to
computer vulnerabilities. HTML is simply a language used to display
things. Browsers take HTML and turn it into an array of images and
text. JavaScript can be used for other purposes such as making
connections to outside servers and because of its additional
abilities, the risk for vulnerabilities being discovered or existing
increases.
Ringo Kamens

On 2/27/07, James Muir <jamuir at scs.carleton.ca> wrote:
>
> Bryan Fordham wrote:
> >
> >
> >     I have yet to see an example of pure JavaScript code that can read an
> >     end-user's IP address.  Any code I've seen returns either
> >     "localhost" or "127.0.0.1".
> >
> >
> >
> > That's kind of the conclusion I've reached, though I'm far from an expert.
> >
> > So, if it can't read the IP, why is it a security risk? Because of
> > cookies?
>
> The risk is that you become more trackable.  The more information you
> make available about your browser, plugins and OS, the easier it is for
> web servers to create a profile on you (i.e. a record of your previous
> actions).  If you have cookies enabled and never delete them, then it is
> really easy to profile you!  Perhaps during one visit to a web server
> you accidentally submit your name in a web form.  In that case, your
> identity can be linked to that profile (i.e. you can be held accountable
> for all your previous actions).
>
> I wrote a blog last year which explained some of this (although,
> re-reading it now, I see that a few of the details I wrote about Tor
> were incorrect):
>
> http://www.anonequity.org/weblog/archives/2006/03/escaping_your_h_1.php
>
> -James
>


