Catch this article over at ha.ckers.org regarding an easy way to bypass most anonymizing proxies (such as Tor) and figure out the true origin IP of a web surfer. Plugins such as Java or Flash can be written to make a socket call back to the server. Since the plugin isn’t making a normal HTTP request, it ignores the proxy settings of your browser and connects directly to the server.

This code (it takes a several seconds to load) uses a piece of JavaScript to instantiate a Java socket call back to the origin site. In doing so it bypasses the proxy settings of the browser, allowing you to de-anonymize people using proxies. It works great for Tor or just about any HTTP proxy that I can think of. Cool stuff.

Ouch.

A safer anonymizing solution might be to route all traffic through a transparent proxy, while also blocking all traffic not destined for port 80.

De-anonymizing Tor and Detecting Proxies – Link