From: Samuel Tardieu <sam@inf.enst.fr>
To: me@muddcs.cs.hmc.edu (Michael Elkins)
Message Hash: 31583400fb0baf8fbe93fed31ee222e815114a83a1e2759ef7fd2c67fafc8d8a
Message ID: <qw6wx3mhnja.fsf@gargantua.enst.fr>
Reply To: <199604110647.XAA05823@muddcs.cs.hmc.edu>
UTC Datetime: 1996-04-11 20:08:00 UTC
Raw Date: Fri, 12 Apr 1996 04:08:00 +0800
From: Samuel Tardieu <sam@inf.enst.fr>
Date: Fri, 12 Apr 1996 04:08:00 +0800
To: me@muddcs.cs.hmc.edu (Michael Elkins)
Subject: Re: Scientologists may subpoena anonymous remailer records
In-Reply-To: <199604110647.XAA05823@muddcs.cs.hmc.edu>
Message-ID: <qw6wx3mhnja.fsf@gargantua.enst.fr>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Michael" == Michael Elkins <me@muddcs.cs.hmc.edu> writes:
Michael> I've heard several people make this statement... Can anyone
Michael> confirm that it is really possible to log the uid (username)
Michael> of the person making the http request? I know they can get
Michael> your ip address, but I'm skeptical of getting the username.
There is no general rule, it depends on your system, your system
administrator, your browser, .... If you use Unix, there is no way to
know who is at the other end of a socket without using either:
1) finger- or rusers-like information, which is only a guess than
may easily be defeated;
2) a "identity daemon", which is run on port 113 and may be queried
by a host to which a connection is being made.
This kind of identity daemon sometimes has an option which makes it
look for a file in the user's home directory before answering ; if
this file is present, then the user-id won't be disclosed. It is also
very time-consuming for a WWW server to make such a TCP connection
each time a request is made, it slows down the request a lot.
Anyway, the use of a proxy may help you in that the user-id will
probably "nobody". You stay anonymous, unless your proxy's manager
keeps the logs.
The other way to get your identity is... getting cooperation from
yourself ! There was a bug in Netscape 2.0 which made it possible to
make you send a mail without even realizing it when browsing some
pages (using a form with a mailto: action and a piece of JavaScript to
submit the form). Other browsers may well send your user-id and/or you
real name across the network in a browser-defined header. This must be
checked on a browser per browser basis, since each browser is free to
add any header it wants.
Sam
- --
"La cervelle des petits enfants, ca doit avoir comme un petit gout de noisette"
Charles Baudelaire
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQCVAgUBMW0Pk4FdzKExeYBpAQGyWAP+LwubZ9+aqzaP7Lq44Lhlztshp0YPslVF
yioq8BGlxotMlLEQHdOyVHfjUGnV7U9eUdeT5jWplKmhpEVgYiYlOtHKX8JOLDno
X7dhCQG14Q8bQctlS7UQ5EV10sM5CaNN4G+Cx05iSZ8VY+aFScdRlS77EMovMKD4
Y1YC8P41RdY=
=l4BE
-----END PGP SIGNATURE-----
Return to April 1996
Return to “Samuel Tardieu <sam@inf.enst.fr>”