Feeds

SafeWeb holes emerge, said fixed

Javascript again....

  • alert
  • submit to reddit

Protecting users from Firesheep and other Sidejacking attacks with SSL

Late last week Boston University's David Martin and the Privacy Foundation's Andrew Schulman released a report demonstrating the ease with which the SafeWeb proxy could be defeated with Javascript. SafeWeb no longer offers its free anonymous Web proxy, but it is licenced to PrivaSec, which is offering the service.

It's possible, the researchers found, to learn more about a SafeWeb user's browsing history than that of an ordinary Netizen.

The first problem is the way SafeWeb handles Javascript. Rather than disable it, which leads to irritating problems with Web-site functionality, the service uses a re-write engine which strives to render potentially revealing statements harmless. This is done with two modes, 'recommended' and 'paranoid', between which which the user can choose.

Both modes, the researchers discovered, can be subverted rather easily, and in 'recommended' mode, "a one-line JavaScript statement is enough to cause a SafeWeb user’s Web browser to deliver its real IP address to the attacker."

But wait, there's more. In order to maintain a user's pseudonymous identity, SafeWeb uses a 'master cookie' which, if kept independent of the user's own cookies, ought to provide a layer of pseudonymity.

While a Web site can't deposit its usual cookie on a user's machine during a SafeWeb session, the master cookie does accumulate a history of the user's browsing during the session -- a record of all the cookies he's been fed. This is fine so long as the site can't associate that data with the user, or access the cookie and alter its properties.

Unfortunately, the master cookie can be attacked, and a lot can be done besides reading it. It's possible to alter it, and in so doing downgrade a person's preferred mode from paranoid to recommended, for example, or to enable Java applets against the user's will.

This also has unpleasant implications for SafeWeb's goal of providing anonymity to surfers in neurotic countries like China and Saudi Arabia, where access to information is controlled by a malevolent government, and curiosity can result in a jail sencence.

"By obtaining SafeWeb master cookies or session transcripts with our attacks, the censors have increased leverage: they learn not only who uses SafeWeb, but they also learn which sites the users wanted to secretly visit. Inspecting the cookie values might reveal identification numbers possibly keyed to memberships, subscriptions, commercial transactions, or even authentication codes."

Another serious problem is cross-frame access. The system uses frames, and normally it's impossible for Javascript to gain access to two or more frames from different domains. But because of the way a SafeWeb session attempts anonymity, the two frames originate from the same domain, rendering this irrelevant.

"It is clear that the SafeWeb architecture requires cross-frame access in JavaScript," the researchers say. [emphasis original]

Even in paranoid mode, where Javascript is restricted as much as possible, successful attacks have been documented. The authors say, and rightly so, that this comes from allowing statements not known to be dangerous, rather than denying all not known to be safe.

Thus there are a number of ways besides Javascript by which a Web site can 'reach' a surfer through a SafeWeb session.

For example, "Seemingly-simple HTML statements can induce the browser to launch plug-ins or child processes that bypass the anonymizer. For example, a computer with Adobe Acrobat installed will display PDF files directly within Internet Explorer. But SafeWeb doesn’t sanitize PDF files. So when a user clicks on a URL displayed within a PDF file, Acrobat will directly contact the named host, violating anonymity. Microsoft Office documents can leak information in the same way."

SafeWeb has since developed a patch and made it available to PrivaSec and their other licensees. The patch deals with Javascript, and basically allows it to be turned off while enabling the surfer to enjoy reasonable functionality. But it doesn't address the issue of launching documents such as Acrobat and Word in a browser session. So until we hear more, fetching documents is a definite no-no for the paranoid, and the oppressed. ®

Related Stories

SafeWeb ain't all that
Do-it-yourself Internet anonymity
Internet anonymity for Windows power users
Windows hack for Web-surfing privacy

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.