How did Boris manage to get users' IPs? - old post on Trisquel forum

12 replies [Last post]
SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

I was recently reading some old posts on this forum when I came across this

https://trisquel.info/en/forum/i-can-easily-steal-your-privacy-data-even-disabled-cookies-and-javascripts

Now, this dude wants you to click on a link (a gif) and he is able to get your IP and user agent.. this is no magic, nothing new - it is trivial.

The thing that got my attention though is that if you check the https connection of the first two pages of that post, you see that the connection is marked as non-secure/non-verified. Can someone explain to me why this is?

Another thing - at some point, this young Boris-dude (I assume he's Russian because of his English skills and the page he wants you to click) posts yet another IP address and this one is the IP address of the current visitor (go there and you'll see that your current IP is on the page).
How did he manage this? I'm really curious..

regards

andrew
Offline
Joined: 04/19/2012

> The thing that got my attention though is that if you check the
> https connection of the first two pages of that post, you see that
> the connection is marked as non-secure/non-verified. Can someone
> explain to me why this is?

The user embedded an image in the HTML of his/her post, which is
unfortunately possible with Drupal.

> Another thing - at some point, this young Boris-dude (I assume he's
> Russian because of his English skills and the page he wants you to
> click) posts yet another IP address and this one is the IP address
> of the current visitor (go there and you'll see that your current IP
> is on the page). How did he manage this? I'm really curious..

I'm not sure if I understand.

To be honest, the post was a bit of a troll anyway. It only points out
that HTTP is a bad protocol that leaks a lot of information about a
user (unless of course the user is using Tor, where all users appear to
have the same browser, user-agent, etc. and the IP address is that of a
Tor exit node, not the user).

Andrew

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

andrew - I see, Drupal; didn't know that - it is scary!!

The part you don't understand - the young troll posts several users' IPs - and if you look, at some point you'll find the IP you are on right now in this moment - Drupal also?

Chris

I am a member!

Offline
Joined: 04/23/2011

I think it's a bit of a misconception to say Drupal is scary. It's more like Drupal is part of a system of many that allow scary stuff to happen. Just about any web site which allows users to post will allow the users to post content hosted on third party sites and/or link to third party sites where one's IP address can be discovered by other users. This is one good example of why it is important to install the security updates that Trisquel passes to you.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

Like I did in https://trisquel.info/fr/forum/i-can-easily-steal-your-privacy-data-even-disabled-cookies-and-javascripts#comment-35748, I would not agree that the user agent string and the IP are private data. If you believe they are, you can respectively change the user agent string (the easiest way is through an extension to the browser) and use a proxy (Tor included), which also solves the previous concern. Not having a uniquely identifiable agent string actually is a good idea if you care about your privacy.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

magic - I know about useragent - you can change it by override in about:conf or use blender - I get 13 bits in panopticlick. If I want I can do further changes in the Firefox advanced settings and get 8.4 ..

but that's not the point - the point is that Boris was able to put his code on the Trisquel forum using Drupal or whatever - this is scary. I mean, if this dude manages to do this, imagine what an expert is able to do!

quantumgravity
Offline
Joined: 04/22/2013

As far as I know, you can use basic HTML on this board, can't you?
He just embedded a picture, stored on some server.
If it is his server or he has access to it, sure he will be able to read this data.
What's your problem, the whole internet knows your IP and user agent, you can't do jack shit with this information.
If you don't want somebody to know, use Tor.

onpon4
Offline
Joined: 05/30/2012

It's not a complicated trick. Quite simply, third-party requests, by their very nature, enable some amount of tracking. The only perfect defense against this is the RequestPolicy extension, which blocks all requests unless you have whitelisted them, but the way the Web is built, it's extremely inconvenient. That's probably why IceCat now has a blacklist of known trackers via SpyBlock, rather than requiring the user to whitelist requests.

But really, giving yourself proper anonymity with Tor is the best solution.

I'd like to point out that while IP addresses are not personally identifiable unless they're static, they do give away your general location (though it's a *really* general location; for me, the city guessed by my IP address is always way off). So hiding your IP address with Tor is legitimately useful.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

This isn't really a "trick", and the information isn't private. Your IP address is not private information. You send it to every.single.server. you connect to. It's how you're able to communicate with them.

As for OS and Browser, these are derived from your UserAgent, which every browser *intentionally* sends out as part of the HTTP protocol.

Your ISP can be determined from your IP address, as there is a database which lists which IPs are assigned to which ISPs. They are called RIRs, and one example is RIPE.

If you're really worried about this information being known (you shouldn't be), there are extra precautions you can take. For example, you can use a VPN to hide your IP. You can use browser extensions to spoof your UserAgent (IceCat and Tor Browser have this built in). This could be desirable if you don't want there to be any chance of your IP showing up in a website's server logs, in case they get raided or something. But that's verging on tinfoil-hat territory in most cases.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

It is common knowledge that each website you visit gets your IP address, along with your user agent and much other information (language, fonts, plugins, screen size...)
I have a dynamic IP that changes several times each day. I don't need nor want to hide it. I'm not worried about that.
If I connect to a server, I need and want that server to know my IP (otherwise the communication would not be possible)
The "scary" point being - Drupal can be misused very simply - it seems to me that there is an enormous difference between the server, which I connect to, knowing my IP and some nutter cracker obtaining my IP without my knowledge or consent. And this is the whole point of my post. I hope I am making myself clear..

onpon4
Offline
Joined: 05/30/2012

But you're being sent an image by the guy who runs the server the image is hosted on. That's how hotlinks to images work.

Say you visit the site, example.foo. You have to send your IP address to example.foo. It then sends you its data. But suppose the page has a link to an image from othersite.bar. Now, your browser has two choices: it can either not show you the image, or send your IP address to othersite.bar so it can send you the image. There simply is no other possibility. Because external, hotlinked images are so common on the Web, browsers typically choose the latter option.

You're talking about a basic privacy vulnerability in HTML itself as if it were a problem with Drupal. It's got nothing to do with Drupal. The same exact thing can happen with emails, every other forum out there, and any other place where any image can be hotlinked to. This is why email clients typically don't load images unless you tell them to. The Web, however, is very much built on these kinds of hotlinks; just try installing Request Policy, and you'll find it to be a massive headache.
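
As an added illustration (not part of the thread, and not Trisquel's or Drupal's code), this Python sketch audits a user-submitted post for elements that make a reader's browser contact another host on its own, and flags plain-HTTP fetches from an HTTPS page, which is what produces the "non-secure" marking asked about at the top. The hosts `example.foo` and `othersite.bar` are the placeholders from the post above; the paths, sample post and function names are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements whose URL is fetched automatically when the page renders.
# A plain <a href> is absent: it contacts the other host only when clicked.
AUTO_FETCH = {"img": "src", "iframe": "src", "script": "src",
              "embed": "src", "audio": "src", "video": "src"}


class PostAudit(HTMLParser):
    """Collect the requests a reader's browser would make on its own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page = urlparse(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(AUTO_FETCH.get(tag, ""))
        if not url:
            return
        # Resolve relative and protocol-relative (//host/...) URLs first.
        target = urlparse(urljoin(self.page_url, url))
        if target.scheme not in ("http", "https"):
            return  # data: URIs and the like never leave the browser
        third_party = target.hostname != self.page.hostname
        mixed = self.page.scheme == "https" and target.scheme == "http"
        if third_party or mixed:
            self.findings.append({"tag": tag, "host": target.hostname,
                                  "third_party": third_party,
                                  "mixed_content": mixed})


def audit_post(page_url, post_html):
    parser = PostAudit(page_url)
    parser.feed(post_html)
    parser.close()
    return parser.findings


# Constructed sample post; hosts are the placeholder names used above.
SAMPLE_POST = """<p>Nice picture:</p>
<img src="http://othersite.bar/pic.gif">
<img src="/files/avatar.png">
<a href="http://othersite.bar/page">more</a>
<img src="//cdn.othersite.bar/banner.png">"""

if __name__ == "__main__":
    for finding in audit_post("https://example.foo/forum/thread", SAMPLE_POST):
        print(finding)
```

Only the first and last images are reported: the first is both third-party and mixed content, the last is third-party over HTTPS, while the site's own avatar and the clickable link trigger no automatic third-party request.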

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Young Boris says in that post that he doesn't run the server on which the image is hosted. I believe he's lying and just trolling.
Don't know much about Drupal or HTML. I'd like to learn. Maybe I will some day.
Anyway - thank you for the explanation onpon!