--- James Muir <[EMAIL PROTECTED]> wrote: > Java is not safe to use with Tor, or any other > proxy-based anonymity > system. It is possible for applets to override any > proxy settings you > might have set (i.e. an applet running in your > browser can disregard > your proxy settings and make a direct connection to > the internet). For > an example of this, you can have a look my paper > "Internet Geolocation > and Evasion". > > I have heard that it is possible to run your browser > and JavaVM (and > Flash and JavaScript, if you want) inside a larger > virtual machine. > This is what JanusVM does. If you really want to > use Java with Tor, > then you could try that. > > -James >
Well, I wasn't talking about running random Java applets in a web browser (I don't even have the browser plugin installed for Java, so no problems there), or setting any system-wide proxy settings, or anything like that. I'm already aware of those problems. I'm talking about a Java program that I control and can tell it to use a proxy, just like any other app that supports proxy connections. The problem is simply that the Java implementation (in this case, Sun Java 1.5, I have not tried this with other implementations) will always default to direct connections whenever the proxy is not available, which isn't a desirable behavior at all. It would be as if you configured your browser or e-mail client to use a proxy, and it going out of its way to make direct connections anyway if your proxy happened to be down. I think anyone here would call that a problem (but people outside the Tor community do not, hardly anyone even recognizes there might be a problem with that sort of thing, it is just a great feature that lets you pretend everything is working when it isn't). There seems to be no way to override that broken behavior. I'd rather not have to use yet another VM to overcome it (I don't want to VNC all the traffic from this system to the proxy, anyway). If Java won't work sensibly, then it's probably a better idea to just use something else. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
