Web-based leaks

Your web browser leaks a frighteningly large amount of information about you. For example, even after you protect yourself by concealing your IP address through Tor, it is still possible for someone to use a Java program to obtain your actual source IP and hostname. And this is only the beginning. An excellent test utility to test all the different types of information that can be obtained from your browser is available at BrowserSpy. Most of these can be handled by the excellent Firefox extension NoScript. You are encouraged to test out your browser there in addition to looking over the following material.


Cookies can be used to track your web usage across even a Tor session, where each connection originates from a different IP. This can be both a blessing and a curse. A blessing because if you are actually logged in, you usually won't have to keep doing so. But a curse in that if someone then obtains your computer, they can use the cookie values to prove you were at a given website at a given time. They are also extremely dangerous if you have a tendency to turn off Tor or your proxy config from time to time, and then wander back to a site that has a unique ID for you.

In particular, sites with ad banners can catch you off guard, since often they can have a small ad banner with a piece of javascript you don't notice. If they set a cookie in this banner, they can easily correlate your Tor traffic with your non-Tor traffic. For sites like these, the best thing you can do allow cookies from the originating website only in your web browser preferences window.

There also are a few Firefox extensions you can use to mitigate an arbitrary site's ability to track you via cookies. The first, Cookie Culler provides a toolbar button that allows you to purge all but selected "protected" cookies, and also provides you with the option of blocking cookies you have deleted before. Add N' Edit Cookies will allow you to search for cookies by site, modify, remove, and add them. Also useful is CookieButton, which is a handy toolbar option that allows you do access control and clear cookies for a given site right off of the toolbar. You can permanently disable cookies for entire domains, such as doubleclick.net or google.com.

Browser User Agent And Capability Info

Sometimes a very unique User Agent string (Ex: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 RealMedia 1.1.3") can be a giveaway. How many people will have that Gecko build date combined with that version RealMedia? On Linux? The solution is the User Agent Switcher, which will allow you to set your user agent to whatever you wish (be sure to pick something common to avoid fragmenting your anonymity set). Be sure to check the "Reset User Agent When Browser Closes" option, or bad things will happen. Even still, you may find yourself stuck with a browser that doesn't want to start. In which case, you might have to edit prefs.js by hand, and remove all the lines that contain "agent".. It's been a while since this has happened for me, so perhaps they've finally gotten all the edge cases where it can exit with the wrong agent set.

As mentioned above, another possibility is a malicious site can use Javascript to detect all sorts of information about your browser. This can also be used to track you. The best defense against this is to use NoScript.

Referrer Url

Likewise, your referrer can be used to track your session path from page to page as well. In order to prevent Firefox from transmitting referrer information, go to about:config and set network.http.sendRefererHeader to the value 0.

Tab Mix Plus can also be used to block referrer forwarding for the lifetime of any given tab. Simply right click on the tab, and go down to Permissions. The option to block referrer is there, along with several other options we will use later.

Sometimes, however, it is useful to outright lie about where you came from. For example, if you frequently visit your own blog/website by typing in the URL, those visits are distinguishable by the lack of referrer URL. In those instances, you may wish to use refspoof instead. Refspoof adds the ability to specify your referrer in a URL. For example, spoof://nytimes.com;ref://google.com connects you to the New York Times, making them think you came from google.

Browser History

This should be obvious. Delete your browser history, cache, cookies and other personal information after doing sensitive things. A frightening javascript hack can actually reveal if you have been to select sites, which can be used to fingerprint you. The best way to deal with this is to run NoScript.

Web bugs

A common technique (used by the FBI and others) to discover someone's identity is to send them an email with an image or some other document attribute that their email client or browser will attempt to load. Usually, this image will be located on a server that the sender controls, which means they will then have your IP address once your browser makes the connection. Of course, for normal images, these will obey your proxy settings. However, note that even using Tor is sometimes insufficient. Make sure your proxy settings have an entry for FTP, especially.

You need to be particularly careful about Java plugins. Have a look at this clever java applet that turned up at this odd website. This is an improvement on previous Java bugs in that it is able to select one of several potential ways to make an external internet connection and bypass your proxy settings based on capability information provided by the JVM. Even if the JVM has been secured (most, including Sun's, are not), it can still query the local interface of your machine and get the IP address without even making an internet connection. It then submits results back to the server that served the applet. In the case where the JVM is not secure, the JVM will IGNORE YOUR PROXY SETTINGS AND MAKE A DIRECT CONNECTION TO THE ORIGINAL WEBSITE.

You basically have two options when dealing with web bugs of this nature. One is to install the NoScript Firefox Extension, which allows you to whitelist Java, Javascript, and Flash objects on an as-needed basis. This is the recommended option, as it covers all your bases all the time unless you say so. The one downfall is that if you enable permissions on a site, you enable it for everything. This means that if you enable Javascript for your email provider (most don't work too well without it), and they do not scrub HTML properly, someone could still feed you this Java applet. According to the NoScript Website, the ability to split permissions for Java from Javascript is being developed for an upcoming release. Your best bet until then is to globally disable Java from your Firefox preferences.

The other option is to use Tab Mix Plus tab permissions to disable plugins on the current tab (right click on the tab). You get finer granularity here, but your choice only persists in the current tab. This is annoying and easy to forget.

Also be aware that some media objects can reveal your IP address, depending on how the plugin was written. On Windows, I have tested Windows Media Player, Realplayer, Quicktime, and Flashplayer. Of those, I have discovered that only Realplayer did not honor proxy settings, since it launched an entirely new application. I have tested mplayer-plugin and Flash on Linux, and unfortunately the mplayer plugin does not obey browser proxy settings (but does obey the http_proxy environment variable). In general, the best way to determine if a plugin/media type is obeying your proxy settings is to use Ethereal to watch network traffic. The display filter tcp.port == 80 or tcp.port == 443 can make it easier to find traffic that is bypassing Tor, though note that some media apps will use other ports and possibly even UDP.

Desktop and Web Browser Extensions

The major threat with web browser extensions and desktop plugins is that they will transmit a unique user id over the same Tor circuit that you happen to be using to anonymously access a website. Weather monitoring extensions are particularly dangerous because they can transmit zip codes or even address information to retrieve local weather conditions. Likewise for link collection services such as delicious, stumbleupon, and flickr.

It is also possible to install a malicious Firefox extension to track your whereabouts on the web. The most surefire way to watch for this is to manually view the Extensions.rdf file in your extensions directory under your Firefox profile. Each cryptically named subdirectory of the extensions directory should have an entry in the RDF file. Make sure that the plugin name is something you remember installing.