[SOLVED] Serving false cookie info from the browser?
I think you are attempting to stuff one leak, where there are several dozens we simply are less or not aware of.
If a counter scripting would actually be possible against this vulnerability of an information leak in some very specific scenario, that would be nice. But obviously the other side consists of legions of experienced professionals. If you are so unfortunate to meet a determined adversary, he will very delicately modify the use of cookies, or make use of a lot of other vulnerabilities.
Even if he doesn't intentionally, new leaks will just happen by modifications of new versions or methods of anything.
I'm not saying that we need to be sheep, like 99 % of internet users.
In my opinion we would do better to abstain from services that use invasive structures. If they won't die from it, because of the other sheep, who cares. Just opt out anyway.
E.g. I block out any Facebook, don't use WhatsApp, don't ever log in to Google via PC, reduce usage of Google search. There are two internet forums where I need to allow some ajax.googleapis.com scripting to log in. I also tried to do a very basic (ridiculous) workaround by saving the cookie after login, and disallowing the scripting, and restoring the cookie later to re-"login". But probably they are a lot cleverer than that and can still integrate this cookie data with the profile of virtually any website I surfed since the 90's. I am maybe not willing to accept this for all future, and rather will maybe stop using these sites. Better crude attempts than no attempts, anyway.
I think it's not worthwhile or realistic to engage in counter scripting, even less if one is no professional hacker and intimate insider of this matter.
On my smartphone (which I consider a direct hell interface to Google, I seriously need an alternative phone OS) I block cookies altogether, no matter what, what won't work just won't work, period.
Maybe one day I will block all cookies, and simply do without these websites. Maybe one day I will pull the plug to the internet altogether. Before any upcoming IV. Reich seizes the whole infrastructure.
Imagine there's no internet - it's easy if you try. More time for hiking / climbing / skiing. Or surfing, women or whatever.
I totally get what you're saying.
I'm an IT guy, not a dev, and there is a world of difference between the two. My current programming skills are 30+ years out of date. I just lost interest in it a long time ago. My scripting skills are basic. And they are currently centered more around solving real world infrastructure type issues like power management, file sharing, cron jobs, etc.
And you are correct that the project I'm envisioning is currently well above my skill level. But I would like to change that.
I just got the new rPi in from Amazon this morning and just finished getting it set up on my network. The default OS has a lot of cool tools to learn programming on it. I also picked up a couple of books and bookmarked some stuff.
I'm not asking anybody to tackle the project for me.
Some pointers in the right direction would be appreciated though.
Your gateway IP address will be shown and there is no way to stop that. That's how an address works.
So, yes, if you're using TOR and if the IP address your ISP gives you or the IP address you're using on your LAN is exposed, you're not using it properly.
This is not about cookies, by the way.
If you can show a site which makes a browser leak ISP-provided and even LAN IPs when using TOR, please tell the TOR people about the flaw in their software.
This seems to come down to how much you want to "leak". You start with listening to broadcasts and, after that, you leak.
This is very true! I do not want to sound like I am lecturing anyone. So if you are already aware of this information, please do not take offense, and disregard all of the following.
Using Tor from home defeats the purpose of Tor. You should be running Tor from an internet connection that is not traced to you. Many people do not understand that Tor is only effective if you spoof every last bit of identifying information. Tor is only meant to be used from identifying IP addresses if it is unavoidable (but still not recommended!). It is also a good idea to pay for this internet access anonymously. So pay with bitcoin, cash, prepaid credit card you bought with cash, or simply use a public wifi.
Additionally, many users of Tor assume that an anonymizing VPN provides anonymity. Not true when you take into account flaws with SSL, DNS leaks, operating system fingerprinting, a connection that begins at an identifiable IP address (like a HOME gateway), log files, and various network protocol flaws (such as those in TCP/IP). So do not connect to Tor over your VPN and do not connect to Tor to access your VPN; it simply doesn't work like people think. All this is outlined in various texts on the Tor project site.