pseudo-flaw.net

Given all of the recent discussion on the or-talk mailing list about reducing Java leakage in Windows, I thought I'd put together an online Java leakage test page to see what is actually occurring.

Apparently, the latest Sun Java Runtime Environment (JRE 1.6u3) does not use any of the SOCKS proxy values configured through the network settings. Which does not matter really, because there are methods to ignore the proxy settings.

The HTTP URL connection reports the user-agent using its own custom value. The custom JRE user-agent includes the full operating system identifier. For example, instead of the fake user-agent in the latest Torbutton, you see:

• Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03
• Mozilla/4.0 (Linux 2.6.20-16-generic) Java/1.6.0_03

Another item of interest is that Java 6 introduced new methods to the NetworkInterface class that allow the hardware addresses of all network interfaces to be read. Depending on what type of environment you are in, this could be information that may benefit an adversary.