Web related leakage
Your web browser leaks a frighteningly large amount of information about you. For example, even after you protect yourself by concealing your IP address through Tor, it is still possible for someone to use a Java program to obtain your actual source IP and hostname. And this is only the beginning. An excellent utility for testing all the different types of information that can be obtained from your browser is available at BrowserSpy. Most of these leaks can be handled by the excellent Firefox extension NoScript. You are encouraged to test out your browser there in addition to looking over the following material.
Cookies
Cookies can be used to track your web usage across even a Tor
session, where each connection originates from a different IP. This can
be both a blessing and a curse. A blessing because if you are actually
logged in, you usually won't have to keep doing so. But a curse in that
if someone then obtains your computer, they can use the cookie values to
prove you were at a given website at a given time. They are also
extremely dangerous if you have a tendency to turn off Tor or your proxy
config from time to time, and then wander back to a site that has a
unique ID for you.
In particular, sites with ad banners can catch you off guard,
since often they can have a small ad banner with a piece of javascript
you don't notice. If they set a cookie in this banner, they can easily
correlate your Tor traffic with your non-Tor traffic. For sites like
these, the best thing you can do is allow cookies from the originating
website only in your web browser preferences window.
There also are a few Firefox extensions you can use to mitigate
an arbitrary site's ability to track you via cookies. The first, Cookie Culler,
provides a toolbar button that allows you to purge all but selected
"protected" cookies, and also provides you with the option of blocking
cookies you have deleted before. Add N' Edit Cookies will allow you to search for cookies by site, modify, remove, and add them. Also useful is CookieButton,
which is a handy toolbar option that allows you to do access control and
clear cookies for a given site right off of the toolbar. You can
permanently disable cookies for entire domains, such as doubleclick.net
or google.com.
Browser User Agent And Capability Info
Sometimes a very unique User Agent string (Ex: "Mozilla/5.0 (X11; U;
Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 RealMedia
1.1.3") can be a giveaway. How many people will have that Gecko build
date combined with that version of RealMedia? On Linux? The solution is the
User Agent Switcher, which will allow you to set your user agent to whatever you wish (be sure to pick something common to avoid fragmenting your anonymity set). Be sure to check the "Reset User Agent When Browser Closes" option, or bad things will happen.
Even so, you may find yourself stuck with a browser that doesn't
want to start, in which case you might have to edit prefs.js by hand
and remove all the lines that contain "agent". It's been a while since
this has happened for me, so perhaps they've finally gotten all the edge
cases where it can exit with the wrong agent set.
As mentioned above, another possibility is that a malicious site can use Javascript
to detect all sorts of information about your browser. This can also be
used to track you. The best defense against this is to use NoScript.
Referrer Url
Likewise, your referrer can be used to track your session path from
page to page as well. In order to prevent Firefox from transmitting
referrer information, go to about:config and set network.http.sendRefererHeader to the value 0.
Tab Mix Plus
can also be used to block referrer forwarding for the lifetime of any
given tab. Simply right click on the tab, and go down to Permissions.
The option to block referrer is there, along with several other options
we will use later.
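The preference changes described so far (originating-site-only cookies, removing leftover "agent" lines, and disabling the referrer header) can be checked in one pass over prefs.js. This is an added example, not code from the original page; it assumes the standard `user_pref("name", value);` line format and that `network.cookie.cookieBehavior` value 1 is the pref behind the "originating website only" option, and the sample file contents are constructed.

```python
import re

# One prefs.js entry looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Settings recommended on this page (pref name -> wanted raw value).
WANTED = {
    "network.http.sendRefererHeader": "0",  # never send a Referer header
    "network.cookie.cookieBehavior": "1",   # cookies from originating site only
}

def parse_prefs(text):
    """Return {pref_name: raw_value} for every user_pref line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def audit_prefs(text):
    """Return (findings, cleaned_text) for the contents of a prefs.js file."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in WANTED.items():
        have = prefs.get(name, "unset")
        if have != want:
            findings.append(f"{name} is {have}, want {want}")
    kept = []
    for line in text.splitlines():
        if "agent" in line.lower():  # the manual fix: drop every "agent" line
            findings.append("dropped: " + line.strip()[:50])
            continue
        kept.append(line)
    return findings, "\n".join(kept) + "\n"

# Constructed sample, not taken from a real profile.
SAMPLE = """# Mozilla User Preferences
user_pref("general.useragent.override", "Mozilla/5.0 (constructed sample)");
user_pref("network.http.sendRefererHeader", 2);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    findings, cleaned = audit_prefs(SAMPLE)
    print("\n".join(findings))
    print(cleaned, end="")
```

Run it against a copy of prefs.js while the browser is closed, since Firefox rewrites the file on exit.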
Sometimes, however, it is useful to outright lie about where you
came from. For example, if you frequently visit your own blog/website by
typing in the URL, those visits are distinguishable by the lack of
referrer URL. In those instances, you may wish to use refspoof instead. Refspoof adds the ability to specify your referrer in a URL. For example, spoof://nytimes.com;ref://google.com connects you to the New York Times, making them think you came from Google.
Browser History
This should be obvious. Delete your browser history, cache, cookies
and other personal information after doing sensitive things. A
frightening javascript hack
can actually reveal if you have been to select sites, which can be used
to fingerprint you. The best way to deal with this is to run NoScript.
Web bugs
A common technique (used by
the FBI and others) to discover someone's identity is to send them an
email with an image or some other document attribute that their email
client or browser will attempt to load. Usually, this image will be
located on a server that the sender controls, which means they will then
have your IP address once your browser makes the connection. Of course,
for normal images, these will obey your proxy settings. However, note
that even using Tor is sometimes insufficient. Make sure your proxy settings have an entry for FTP, especially.
You need to be particularly careful about Java plugins. Have a look at this clever java applet that turned up at this odd website.
This is an improvement on previous Java bugs in that it is able to
select one of several potential ways to make an external internet
connection and bypass your proxy settings based on capability
information provided by the JVM. Even if the JVM has been secured (most,
including Sun's, are not), it can still query the local interface of
your machine and get the IP address without even making an internet
connection. It then submits results back to the server that served the
applet. In the case where the JVM is not secure, the JVM will IGNORE
YOUR PROXY SETTINGS AND MAKE A DIRECT CONNECTION TO THE ORIGINAL
WEBSITE.
You basically have two options when dealing with web bugs of this nature. One is to install the NoScript Firefox Extension,
which allows you to whitelist Java, Javascript, and Flash objects on an
as-needed basis. This is the recommended option, as it covers all your
bases all the time unless you say otherwise. The one downside is that if you
enable permissions on a site, you enable it for everything. This means
that if you enable Javascript for your email provider (most don't work
too well without it), and they do not scrub HTML properly, someone could
still feed you this Java applet. According to the NoScript Website,
the ability to split permissions for Java from Javascript is being
developed for an upcoming release. Your best bet until then is to
globally disable Java from your Firefox preferences.
The other option is to use Tab Mix Plus
tab permissions to disable plugins on the current tab (right click on
the tab). You get finer granularity here, but your choice only persists
in the current tab. This is annoying and easy to forget.
Also be aware that some media objects can reveal your IP address,
depending on how the plugin was written. On Windows, I have tested
Windows Media Player, Realplayer, Quicktime, and Flashplayer. Of those, I
have discovered that only Realplayer did not honor proxy settings,
since it launched an entirely new application. I have tested
mplayer-plugin and Flash on Linux, and unfortunately the mplayer plugin
does not obey browser proxy settings (but does obey the http_proxy
environment variable). In general, the best way to determine if a
plugin/media type is obeying your proxy settings is to use
Wireshark to watch network traffic. The
display filter 'tcp.port == 80 or tcp.port == 443' can make
it easier to find traffic that is bypassing Tor, though note that some
media apps will use other ports and possibly even UDP.
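The port 80/443 filter misses the "other ports and possibly even UDP" case, so the same check can be run over exported flow records instead. This is an added example, not from the original page; the `proto,dst_ip,dst_port` record format, the sample flows, and the idea of supplying the addresses of the Tor relays your client talks to are all assumptions made for illustration.

```python
import ipaddress

WEB_PORTS = {80, 443}

def classify_flows(lines, tor_relays):
    """Flag outbound flows that bypass Tor.

    lines      -> 'proto,dst_ip,dst_port' records (assumed export format)
    tor_relays -> addresses of the relays your Tor client connects to
    Returns a list of (record, verdict) for every flow that went neither
    to loopback (the local proxy hop) nor to a known relay.
    """
    relays = {ipaddress.ip_address(r) for r in tor_relays}
    leaks = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, dst, port = (f.strip() for f in line.split(","))
        addr = ipaddress.ip_address(dst)
        if addr.is_loopback or addr in relays:
            continue  # browser-to-proxy hop, or Tor's own relay connection
        if proto.lower() == "udp":
            verdict = "udp-leak"      # Tor only carries TCP
        elif int(port) in WEB_PORTS:
            verdict = "direct-web"    # what the port 80/443 filter shows
        else:
            verdict = "direct-other"  # invisible to the port 80/443 filter
        leaks.append((line, verdict))
    return leaks

# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    "# proto,dst_ip,dst_port",
    "tcp,127.0.0.1,9050",     # browser to the local Tor SOCKS port
    "tcp,192.0.2.10,443",     # Tor client to a relay listed below
    "tcp,198.51.100.7,80",    # plugin fetching media directly
    "tcp,198.51.100.7,554",   # RTSP stream opened by a media player
    "udp,203.0.113.53,53",    # DNS lookup sent outside Tor
]
SAMPLE_RELAYS = ["192.0.2.10"]

if __name__ == "__main__":
    for record, verdict in classify_flows(SAMPLE_FLOWS, SAMPLE_RELAYS):
        print(f"{verdict:13} {record}")
```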
Desktop and Web Browser Extensions
The major threat with web browser extensions and desktop plugins is
that they will transmit a unique user id over the same Tor circuit that
you happen to be using to anonymously access a website. Weather
monitoring extensions are particularly dangerous because they can
transmit zip codes or even address information to retrieve local weather
conditions. Likewise for link collection services such as delicious,
stumbleupon, and flickr.
It is also possible to install a malicious Firefox extension to
track your whereabouts on the web. The most surefire way to watch for
this is to manually view the Extensions.rdf file in your extensions
directory under your Firefox profile. Each cryptically named
subdirectory of the extensions directory should have an entry in the RDF
file. Make sure that the plugin name is something you remember
installing.
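The manual comparison of extension subdirectories against Extensions.rdf can be scripted. This is an added example, not from the original page; it assumes each installed extension appears in the RDF file as a `urn:mozilla:extension:<id>` resource with an `em:name` attribute, and the IDs and file contents below are constructed.

```python
import re

# An entry is assumed to look like:
#   <RDF:Description RDF:about="urn:mozilla:extension:{id}" em:name="..." ... />
ENTRY_RE = re.compile(r'urn:mozilla:extension:([^"\s]+)"([^>]*)>', re.S)
NAME_RE = re.compile(r'em:name="([^"]*)"')

def audit_extensions(subdirs, rdf_text):
    """Compare extension subdirectory names with the RDF entries.

    Returns (named, orphans):
      named   -> {subdir: extension name from its RDF entry, "?" if unnamed}
      orphans -> subdirectories that have no RDF entry at all
    """
    entries = {}
    for ext_id, attrs in ENTRY_RE.findall(rdf_text):
        key = ext_id.lower()
        m = NAME_RE.search(attrs)
        if m:
            entries[key] = m.group(1)
        else:
            entries.setdefault(key, "?")  # bare reference, keep any known name
    named, orphans = {}, []
    for d in subdirs:
        if d.lower() in entries:
            named[d] = entries[d.lower()]
        else:
            orphans.append(d)
    return named, orphans

# Constructed sample; on a real profile use os.listdir() on the extensions
# directory and read Extensions.rdf from the same place.
ID_A = "{00000000-0000-0000-0000-00000000000a}"
ID_B = "{00000000-0000-0000-0000-00000000000b}"
ID_C = "{00000000-0000-0000-0000-00000000000c}"
SAMPLE_RDF = f"""<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description RDF:about="urn:mozilla:extension:{ID_A}"
                   em:name="NoScript" em:version="0.0" />
  <RDF:Description RDF:about="urn:mozilla:extension:{ID_B}"
                   em:name="User Agent Switcher" em:version="0.0" />
  <RDF:li RDF:resource="urn:mozilla:extension:{ID_A}" />
</RDF:RDF>
"""

if __name__ == "__main__":
    named, orphans = audit_extensions([ID_A, ID_B, ID_C], SAMPLE_RDF)
    print("review these names:", named)
    print("no RDF entry:", orphans)
```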