59 Replies. Latest reply: Jul 8, 2011 6:20 AM by etresoft
  • Barney-15E Level 8 (42,175 points)

    You'd be better off disabling Javascript.

  • Barney-15E Level 8 (42,175 points)

    The "more info about you" page gets the internal IP using Java.

  • WZZZ Level 6 (12,700 points)

    Barney-15E wrote:

     

    The "more info about you" page gets the internal IP using Java.

    Even if I have Java disabled in the browser? What's the "more info about page?"

     

    If I go to

     

    http://www.whatsmyip.org/

     

    it won't display my internal IP until I "allow" the site with JS (using NoScript.) Is that JS calling Java? Not possible, since I have Java disabled. Must be through JS alone.

  • ds store Level 7 (30,310 points)

    WZZZ wrote:

     

    If I go to

     

    http://www.whatsmyip.org/

     

    it won't display my internal IP until I "allow" the site with JS (using NoScript.) Is that JS calling Java? Not possible, since I have Java disabled. Must be through JS alone.

     

    Web sites know your regular ISP-given IP as you're connecting to them. What you're not seeing is the display of this IP because you have scripts turned off with NS. (the site used to work before without scripts)

     

     

     

    The link here

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    when you click it, uses Javascript to use Java to get your internal IP, the one that connects your Mac to your router, which is possibly a security concern, as in Safari it doesn't work but on FF (without NS enabled) it does work.

     

    *crawls under the bed*

  • ds store Level 7 (30,310 points)

    Barney-15E wrote:

     

    You'd be better off disabling Javascript.

     

    Oh, that's been done ages ago with FF + NoScript. All scripts are turned off by default and enabled on a per site, per need basis until I've established trust with the site.

     

    The "more info about you" page gets the internal IP using Java.

     

    You mean under the Apple menu?

     

     

    *starts shivering in fear*

  • WZZZ Level 6 (12,700 points)

    But, again, I have the Java plug-in disabled. How can JS call Java if it's disabled?

  • Barney-15E Level 8 (42,175 points)

    The first link in the left bar of the Whatsmyip site, under networking tools.

  • ds store Level 7 (30,310 points)

    WZZZ wrote:

     

    But, again, I have the Java plug-in disabled. How can JS call Java if it's disabled?

     

    Right you are, seems I was running with the FF Java enabled, now it's off and even

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Doesn't work now even if I hit the NS button. How could I let my computer go around giving up my internal IP like that, even to sites I've trusted?

     

    *whips oneself repeatedly*

  • WZZZ Level 6 (12,700 points)

    ds store wrote:

     

    WZZZ wrote:

     

    But, again, I have the Java plug-in disabled. How can JS call Java if it's disabled?

     

    Right you are, seems I was running with the FF Java enabled, now it's off and even

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

    Doesn't work now even if I hit the NS button. How could I let my computer go around giving up my internal IP like that, even to sites I've trusted?

     

    *whips oneself repeatedly*

    But it does work from whatsmyip, with Java disabled, but JS enabled. I've said this maybe three times now.

  • ds store Level 7 (30,310 points)

    Barney-15E wrote:

     

    The first link in the left bar of the Whatsmyip site, under networking tools.

     

    *screams in terror*

     

    "They found me, ahhh!"

     

    Ha, but they don't have my Internal IP!, it was that other guy who was sitting in my driveway last night, he did it.

  • ds store Level 7 (30,310 points)

    WZZZ wrote:

     

    But it does work from whatsmyip, with Java disabled, but JS enabled. I've said this maybe three times now.

     

    No, it doesn't, well not here anyway. You're scaring me, I'm p.a.r.a.n.o.i.d you know.

     

    1: Java plugin disabled via FF add-ons

     

    2: NoScript enabled

     

    Equals....no internal IP revealed!

     

    I'm safe, plausible deniability is restored!

  • Bob Lang1 Level 5 (4,080 points)

    ds store wrote:

    I was hoping to ask the "15 years with Java" guy all about it.

    And I'd tell you to read up about Java security managers.  You might also like to check with the API description for getLocalHost which states:

     

    If there is a security manager, its checkConnect method is called with the local host name and -1 as its arguments to see if the operation is allowed. If the operation is not allowed, an InetAddress representing the loopback address is returned.

     

    If anyone thinks they've discovered a security hole in [Mac] Java then it should be reported to

    http://bugreporter.apple.com or http://download.oracle.com/javase/6/docs/api/

     

    Bob
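
The `getLocalHost` behaviour quoted in the post above, as an added Java example that is not part of the original thread: a security manager whose `checkConnect` refuses the call makes `InetAddress.getLocalHost()` return the loopback address instead of the LAN address. The `DenyConnect` class and `lookup` helper are hypothetical names for this demo, and it assumes a JDK where the Security Manager can still be installed (Java 6, as in the thread, through 17; later releases need `-Djava.security.manager=allow` or have removed it).

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Permission;

public class LocalHostPolicyDemo {

    // Hypothetical policy for this demo: refuse connect checks, allow the rest.
    static class DenyConnect extends SecurityManager {
        @Override
        public void checkConnect(String host, int port) {
            // getLocalHost() calls this with (localHostName, -1).
            throw new SecurityException("connect to " + host + " denied");
        }

        @Override
        public void checkPermission(Permission perm) {
            // Permit everything else so the demo can uninstall the manager again.
        }
    }

    // Resolve the local host, optionally under the restrictive manager.
    static InetAddress lookup(boolean sandboxed) throws UnknownHostException {
        SecurityManager previous = System.getSecurityManager();
        if (sandboxed) {
            System.setSecurityManager(new DenyConnect());
        }
        try {
            // The SecurityException is caught inside getLocalHost(), which
            // then returns the loopback address rather than failing.
            return InetAddress.getLocalHost();
        } finally {
            if (sandboxed) {
                System.setSecurityManager(previous);
            }
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        // On hosts whose name maps to 127.0.0.1 this may already be loopback.
        InetAddress open = lookup(false);
        InetAddress boxed = lookup(true);
        System.out.println("no security manager : " + open);
        System.out.println("checkConnect denied : " + boxed
                + " (loopback=" + boxed.isLoopbackAddress() + ")");
    }
}
```
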

  • ds store Level 7 (30,310 points)

    Welcome back Bob

     

    Question for you.

     

    We recently discovered that Javascript can be used to call a Java instruction.

     

    This Java instruction reveals the internal IP of a particular machine on the LAN by a website.

     

    How come this works on browsers like Firefox, yet not on Safari?

     

     

    I've heard reports/grumbling etc that revealing the internal IP is a security concern, and if so how come Apple doesn't allow Java to return an internal IP on Safari and other browsers do?

     

    For instance this site reveals the internal IP on Firefox (all scripts running) and not on Safari (all scripts running)

     

    http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml

     

     

    Could you answer me/us this question? Is it because there is a different form of Java on Macs that is not compatible with the site above, or is it Apple who decided to add a bit more security to the Java pie?

     

    And if/when Apple doesn't maintain Java anymore and it becomes standalone like Flash, will the problem with this issue return to Mac users?

     

    Thanks Bob

  • Bob Lang1 Level 5 (4,080 points)

    I've tried this on Safari, Firefox and Chrome, and nothing happens on any of them when I press the button.  I've double checked that Java, Javascript, etc are all enabled.

     

    I'm running the latest bog standard Java on 10.6.8 - how about the rest of you? 

     

    Bob

  • Bob Lang1 Level 5 (4,080 points)

    Ah! Got it working now: because I don't routinely use Firefox I hadn't updated for years.  A new update of Firefox and I now get localhost/127.0.0.1 returned.

     

    I'm intrigued that this might be a security risk but I'm not sure how. 

     

    Bob