On 4/21/06, Eugen Leitl <eugen@leitl.org> wrote:
... As a side-result, in exploring the use of proxy servers as an evasionary tactic, to our surprise we found that we were able to extract an end-client IP address even for a browser protected by Tor/Privoxy (designed to anonymize browsing), provided Java is enabled.
i believe you can do this with flash as well, and javascript should probably be disabled for good measure along with any other active scripting. browsers are a horrible interface from a security and privacy perspective. i've actually toyed with using lynx/links as requesting agent saving to text with a caching proxy to constrain the various info leakage holes that might be exploited in a browser used for anonymous surfing. (got distracted by other tasks before getting it into a usable state) i'd be curious to know how various people / projects are attacking this kind of leakage.