Feeds

SafeWeb holes emerge, said fixed

Javascript again....

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Late last week Boston University's David Martin and the Privacy Foundation's Andrew Schulman released a report demonstrating the ease with which the SafeWeb proxy could be defeated with Javascript. SafeWeb no longer offers its free anonymous Web proxy, but it is licenced to PrivaSec, which is offering the service.

It's possible, the researchers found, to learn more about a SafeWeb user's browsing history than that of an ordinary Netizen.

The first problem is the way SafeWeb handles Javascript. Rather than disable it, which leads to irritating problems with Web-site functionality, the service uses a re-write engine which strives to render potentially revealing statements harmless. This is done with two modes, 'recommended' and 'paranoid', between which which the user can choose.

Both modes, the researchers discovered, can be subverted rather easily, and in 'recommended' mode, "a one-line JavaScript statement is enough to cause a SafeWeb user’s Web browser to deliver its real IP address to the attacker."

But wait, there's more. In order to maintain a user's pseudonymous identity, SafeWeb uses a 'master cookie' which, if kept independent of the user's own cookies, ought to provide a layer of pseudonymity.

While a Web site can't deposit its usual cookie on a user's machine during a SafeWeb session, the master cookie does accumulate a history of the user's browsing during the session -- a record of all the cookies he's been fed. This is fine so long as the site can't associate that data with the user, or access the cookie and alter its properties.

Unfortunately, the master cookie can be attacked, and a lot can be done besides reading it. It's possible to alter it, and in so doing downgrade a person's preferred mode from paranoid to recommended, for example, or to enable Java applets against the user's will.

This also has unpleasant implications for SafeWeb's goal of providing anonymity to surfers in neurotic countries like China and Saudi Arabia, where access to information is controlled by a malevolent government, and curiosity can result in a jail sencence.

"By obtaining SafeWeb master cookies or session transcripts with our attacks, the censors have increased leverage: they learn not only who uses SafeWeb, but they also learn which sites the users wanted to secretly visit. Inspecting the cookie values might reveal identification numbers possibly keyed to memberships, subscriptions, commercial transactions, or even authentication codes."

Another serious problem is cross-frame access. The system uses frames, and normally it's impossible for Javascript to gain access to two or more frames from different domains. But because of the way a SafeWeb session attempts anonymity, the two frames originate from the same domain, rendering this irrelevant.

"It is clear that the SafeWeb architecture requires cross-frame access in JavaScript," the researchers say. [emphasis original]

Even in paranoid mode, where Javascript is restricted as much as possible, successful attacks have been documented. The authors say, and rightly so, that this comes from allowing statements not known to be dangerous, rather than denying all not known to be safe.

Thus there are a number of ways besides Javascript by which a Web site can 'reach' a surfer through a SafeWeb session.

For example, "Seemingly-simple HTML statements can induce the browser to launch plug-ins or child processes that bypass the anonymizer. For example, a computer with Adobe Acrobat installed will display PDF files directly within Internet Explorer. But SafeWeb doesn’t sanitize PDF files. So when a user clicks on a URL displayed within a PDF file, Acrobat will directly contact the named host, violating anonymity. Microsoft Office documents can leak information in the same way."

SafeWeb has since developed a patch and made it available to PrivaSec and their other licensees. The patch deals with Javascript, and basically allows it to be turned off while enabling the surfer to enjoy reasonable functionality. But it doesn't address the issue of launching documents such as Acrobat and Word in a browser session. So until we hear more, fetching documents is a definite no-no for the paranoid, and the oppressed. ®

Related Stories

SafeWeb ain't all that
Do-it-yourself Internet anonymity
Internet anonymity for Windows power users
Windows hack for Web-surfing privacy

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.