From: "Alexander K. Yezhov" <admin@leader.ru>
To: bugtraq@securityfocus.com
Subject: Anonymized ? Not yet.
Date: Wed, 13 Jun 2001 21:09:10 +0400

Hello,

Anyone knows the Anonymizer service. It's a good tool that lets you stay anonymous surfing the web (http://www.anonymizer.com). Moreover, it blocks the JavaScript code placed on the web pages. The problem is that it just comments scripts instead of cutting them out. On the one hand it's good since you can look at the original JavaScript code if you want. On the other hand this commenting has some disadvantages.

The text below applies to the free/trial version of Anonymizer service (commercial version wasn't tested).

The problem:

Anonymized web pages can use the JavaScript code that will be executed even if commented by Anonymizer (site can silently reload frame and get real visitor's IP for example).

The code:

The code below won't give you any errors no matter if you're loading the page with Anonymizer or without it (visible part can be hidden using <font color>).

    <!-- <script>//--->-> <script language=javascript> alert('Hi! Still anonymized?'); //</script> </script> -->

Working example:

You can try to load the "Privacy tools" pages at Tools-On.Net via anonymizer, click on the "Go" button below "Holmes/Who" and look at the report (compare results with JavaScript enabled and disabled).

http://anon.free.anonymizer.com/http://tools-on.net/privacy.shtml
http://tools-on.net/privacy.shtml

Note: if you get a "re-enter" message on the site it means the session id was lost and you really need to re-enter (this can happen if you're using a cluster of proxy-servers for example).

Best regards,
Alexander

----------------------------------------------------------------------
MCP+I, MCSE
http://Tools-On.Net - Free tools for connected people.
http://Leader.Ru - Leader's Smart Guide.
----------------------------------------------------------------------
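An added example, not part of the original post and not Anonymizer's code: a regression check for a rewriting proxy that compares commenting scripts out with removing them through an HTML parser, using the snippet quoted in the post as input. `comment_out_scripts` is a hypothetical model of the commenting approach (the service's real transformation is not shown in the post), and the check covers `<script>` elements only, not event-handler attributes or `javascript:` URLs.

```python
import html
import re
from html.parser import HTMLParser

# Snippet quoted in the post above, used verbatim as test input.
PAYLOAD = ("<!-- <script>//--->-> <script language=javascript> "
           "alert('Hi! Still anonymized?'); //</script> </script> -->")

def comment_out_scripts(page):
    """Hypothetical model of the weak approach: wrap each script in a comment."""
    return re.sub(r"(?is)<script\b.*?</script>",
                  lambda m: "<!--" + m.group(0) + "-->", page)

class _Rebuilder(HTMLParser):
    """Re-serialises a page, dropping comments and script elements entirely."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.live, self.in_script = [], 0, False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.live += 1           # parser sees a script outside any comment
            self.in_script = True
        else:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        if tag != "script":
            self.out.append(self.get_starttag_text())
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script:       # script bodies are never copied out
            self.out.append(html.escape(data, quote=False))
    # handle_comment is not overridden, so comment contents are discarded.

def _parse(page):
    p = _Rebuilder()
    p.feed(page)
    p.close()
    return p

def live_scripts(page):
    """Number of script elements a parser would treat as executable."""
    return _parse(page).live

def strip_scripts(page):
    """Filter output with scripts and comments removed, not commented."""
    return "".join(_parse(page).out)
```

Running `live_scripts` over the filter's own output is the useful gate: a non-zero count means the output still contains a script element outside any comment, even when the filter's pattern matched and wrapped something.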