>Eepsites can track you >X-I2p-Destb32 header >same across browser resets and across different browsers >All your browsing and accounts can be linked Demonstration. These 3 independent eepsites will display the X-I2p-Destb32 (+ X-I2p-Destb64 + X-I2p-Desthash) headers they see: http://whatsmyb32.i2p/cgi-bin/whatsmyb32.cgi http://63sgpiu6f33arldcxkbjsn3jgf6asyx3onjmz6j6gsk7hgbiehkq.b32.i2p/ http://digitalsr.i2p/cgi-bin/get_env.cgi Whatever you do with the web browser, the 3 sites always identify you by b32.i2p. X-I2p-Destb32 can be linked to an IP address because it always shuts down at the same time as the node. What do I mean by that? >X-I2p-Destb32 is sent to an eepsite >eepsite keeps querying leasesets for client b32 from floodfills forever >like domain name resolution >as long as it gets a reply, it means the client HTTP proxy is up >as soon as it observes the NXDOMAIN I2P equivalent (no leasesets), it means the HTTP proxy was just shut down >correlate this time and the b32's lifetime with node shutdown and start times >it's possible to one shot an IP address like this, if the user accessed the eepsite for days, weeks, months >if the user is habitually accessing an eepsite, the IP will become more certain over multiple node restarts >if the IP changes, there's always node ID which is more persistent than an IP and has to be cleared manually on the filesystem >there are other fingerprints like ISP, IPv4/IPv6, MTU, node size (O/P/X etc), node software Correct me if I'm wrong, but it looks like eepsites see your IP address by default if they want to. It's a clown show. There is an abandoned fix, this was never integrated into any node: https://github.com/eyedeekay/eeProxy Whonix Wiki: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/I2p >I2P does not have stream isolation support which means that visits to Eepsites are linkable and fingerprintable -- each request includes the same X-I2P-Dest* headers, which are unique to each user. This might be true for outproxy requests as well. >If you access site1.i2p followed by site2.i2p, site3.i2p and so on, each one of those operators will see the exact same X-I2P-Dest* values. This means if they are colluding, they will know that the same person accessed all of them. >I2P operators can build a more detailed profile the longer I2P is left running. The X-I2P-Dest* values only change upon restart of the I2P instance or when the HTTP Proxy tunnel is stopped/started. I2P does not have a fix for this at present, [13] however an experimental plugin is being written to provide a stream-isolating mechanism for http-over-I2P, see: eeProxy http://discuss.i2p/viewtopic.php?t=258 >Mon May 26, 2025 8:46 am > >been seeing this a lot for some reason so i'm spelling it out that in both i2pd and java you can keep making new destinations without restarting the router. you can also have as many http/socks/irc proxies as you want running from different destinations. don't restart if you don't need to > >java >go to /tunnelmanager and edit http proxy tunnel >Check > Reduce tunnel quantity when idle (3min, 2 tunnels for example) >Check > Close client tunnels after specified period (5,10,20, whatever) >Check > New keys on reopen There is also a button somewhere to manually stop and start the HTTP proxy service. > >now you get fresh tunnels with new destination each time you browse, and won't waste empty tunnels. there is a slight delay when opening new tunnels this way but most of the time it's pretty seamless > >Otherwise as long as "new keys on reopen" is checked whenever you stop and start the tunnel from the /tunnelmanager page you get a new destination. > >i2pd >on /?page=commands click "Reload tunnels configuration" There's a catch, i2pd doesn't close old HTTP client destinations, but the new destination will be the one sent to servers. All the old b32.i2p will listen and refresh tunnels forever, and when the node is shut down, these and the node ID and the IP address are neatly tied together by a timing side channel. It's like glowies are writing this software. From http://simp.i2p/blog/0017-23-04-2025-I2pd%20is%20amazing >For example if you reload tunnels configuration in i2pd i've noticed that the old tunnels linger after not being used anymore. If you keep hitting that button you'll have 20 new http tunnels, do they go away eventually? not clear. logically they should but they don't always seem to even if no connections. >http://notbob.i2p/cgi-bin/blog.cgi?page=927 >Nov 4, 2025 >Today's site is whatsmyb32.i2p. >What is your b32? Find out! > >Every site you visit sees this address. This can be used to correlate which sites you go to and when. Though, restarting I2P (Java or i2pd) will change this to a new random address. > >In fact, the only way for anyone to use this data to correlate your browsing, needs to control the sites you are visiting. So, generally speaking this is a rather minor issue. Even more so if you change it from time to time. > >In Java I2P it's easy to do. You just set your http proxy to go idle after a period of inactivity. Then, after that happens when the tunnel restarts you will have a new address. Note that there will be a delay while the tunnels are built before you can browse again. This option is not default for exactly this reason. > >With i2pd? Not so easy. He goes on to show a Perl script that clicks i2pd's "Reload tunnels configuration". http://simp.i2p/blog/0020-22-06-2025-Stream%20Isolation%20and%20Site%20Collusion >As i've stated in other places the b32 destination for your http proxy, or any client for that matter, are or can be temporary. You can make as many of these as you want, i like to use new ones each time i browse i2p. I do this by allowing the tunnels to reduce on idle and close after so many minutes, and generate new key on open, all easily setup in java tunnel config. >I keep seeing this thought that these keys can only be changed through router restart and this isn't right. in i2pd you reload tunnels, though this may have its own memory issues (http://simp.i2p/blog/0017-23-04-2025-I2pd%20is%20amazing). though to be fair, even though this particular one may be minor, these sorts of memory leaks are only fixed with router restart, which is harmful to your anonymity and should be avoided if not necessary. >In java ensure "New keys on reopen" is selected in the tunnel config, then you can just stop and start the tunnel. Or do as suggested above so you always get new keys when you browse. I won't spam the rest, it's all cope. Cope with the fact tracking is easy across eepsites, most users don't even know it, there is no session isolation, node interfaces don't have big START/STOP/RESET BROWSER SESSION buttons on the front page like they should. I2P is a joke. They set users up for leaks without a pre-configured browser, with vague configuration guides. They set users up to be tracked across eepsites and deanonymized with the persistent X-I2p-Destb32 issue which users won't find out about unless they study I2P internals which they never do, or do much later. =========== http://l7jqnz3yfe2wtwietafoieadmgqbu7dcmzmey63ktbjtxal3he4a.b32.i2p/tech/203686 ============================== While you're watching anime or whatever, these assholes are taking control of I2P. Just like your real life government. http://major.i2p/irc2p/i2p-dev/2025/11/01 zzz >eyedeekay and Lance James join the StormyCloud board of directors >StormyCloud is now the official tax-deductible recipient for I2P donations http://major.i2p/irc2p/i2p-dev/2025/11/02 dr|z3d >zzz: can you say some more about lance's newfound role? is he likely to be contributing to the codebase? orignal >and why is he back? StormyCloud >lance will be contributing to the codebase, at what frequency or level is unknown at this time zzz >we're going to migrate everything on ech-controlled hosting over to SC infrastructure, to save money and be more actively managed >the website I think is furthest along, in parallel SC has it migrated over to python 3, not sure who did that ech = team member "echelon" dr|z3d (about StormyCloud) >I saw his PRs, in fact I brought them to your attention if you recall :) they looked very much AI assisted. >not false positives from a scripted vuln tracker, but not far off :) zzz (about StormyCloud) >he's also got 4 other directors that I don't know at all, plus other contacts and resources, thats the whole point, to bring in more help http://10channel.i2p/res/2659.html http://tenchan4v5bnlu3gatyjyctlsb25asvncbz4pr7gmomhsrvyx5zfpcad.onion/res/2659.html http://i2p-projekt.i2p/en/blog/post/2025/11/01/stormycloud-joins-i2p >On 1st November StormyCloud partnered with the java i2p development team to accept donations and host infrastructure such as the official i2p website. http://stormycloud.i2p/board-information/ >The founder of i2p Lance James joined StormyCloud as a board member. https://www.youtube.com/watch?v=iln0gxHG8OI (If you're in any doubt that this is him - observe the tattoo) i2p torrent mirror: magnet:?xt=urn:btih:d7eba8b9483ca32b944012cc1a86a63897c65f91&dn=+Cybersecurity%2C+Gen+AI%2C+%26+Building+Confidence+in+Yourself+w%2F+Lance+James+-+Hyperdrive+Minds+Podcast+7+&tr=http://tracker2.postman.i2p/announce.php at 16:45 he says that he offered some code/prototype for surveillance to 3 letter agencies and got a contract for it, story begins at 15:45 at 23:50 he says that he helped spy agencies like mi6 to hunt other spies at 26:35 You're on the gray side....i was in the gray and that's an area intelligence needs...to have things unofficial, so i was always playing unofficial things... at 28:45 2013 met Allison Nixon, ask her if she wanted to hunt down bad guys for real: "you want to do it with real impact real handcuffs real cruise missiles if you're down 29:40 ... I have the world that you need to be in in...30:16" "the fbi called his group/company Unit 221B (22:40-) inofficially cyber seal team 6 at 31:24" Lance James seems like a grifter tech bro entrepreneur who scammed his way to the top and will sell his mother for a dime. What he stands for is the opposite of freedom. Corpo whore, upsells himself, all PR, no substance. Dangerous to have nocoder retards without principles near infrastructure because he'll sell out at the slightest push if he hasn't already. A user asked StormyCloud in irc about the dangers of having someone whose goals and values contradicted i2p's on the board. They also expressed concern for a situation where funding might be withheld if a backdoor or telemetry were refused. This was StormyCloud's response: >No funds are being withheld for any reason. Lance was added not only to help with the codebase but also to help project mana…but that is not sustainable. People and things cost money unfortunately. Additionally, keep track of all money so we can't "divert" or take any money. https://www.rsaconference.com/experts/lance_james >He provides advisory services to a wide range of government agencies and Fortune 500 organizations including America’s top financial services institutions StormyCloud has been running a family of nodes and one of the few outproxies. cake.i2p file host went down and miraculously StormyCloud immediately shilled their dump.i2p host on ramble.i2p. Explicitly claim they don't log b32 lol.