Feeds

SafeWeb holes emerge, said fixed

Javascript again....

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Late last week Boston University's David Martin and the Privacy Foundation's Andrew Schulman released a report demonstrating the ease with which the SafeWeb proxy could be defeated with Javascript. SafeWeb no longer offers its free anonymous Web proxy, but it is licenced to PrivaSec, which is offering the service.

It's possible, the researchers found, to learn more about a SafeWeb user's browsing history than that of an ordinary Netizen.

The first problem is the way SafeWeb handles Javascript. Rather than disable it, which leads to irritating problems with Web-site functionality, the service uses a re-write engine which strives to render potentially revealing statements harmless. This is done with two modes, 'recommended' and 'paranoid', between which which the user can choose.

Both modes, the researchers discovered, can be subverted rather easily, and in 'recommended' mode, "a one-line JavaScript statement is enough to cause a SafeWeb user’s Web browser to deliver its real IP address to the attacker."

But wait, there's more. In order to maintain a user's pseudonymous identity, SafeWeb uses a 'master cookie' which, if kept independent of the user's own cookies, ought to provide a layer of pseudonymity.

While a Web site can't deposit its usual cookie on a user's machine during a SafeWeb session, the master cookie does accumulate a history of the user's browsing during the session -- a record of all the cookies he's been fed. This is fine so long as the site can't associate that data with the user, or access the cookie and alter its properties.

Unfortunately, the master cookie can be attacked, and a lot can be done besides reading it. It's possible to alter it, and in so doing downgrade a person's preferred mode from paranoid to recommended, for example, or to enable Java applets against the user's will.

This also has unpleasant implications for SafeWeb's goal of providing anonymity to surfers in neurotic countries like China and Saudi Arabia, where access to information is controlled by a malevolent government, and curiosity can result in a jail sencence.

"By obtaining SafeWeb master cookies or session transcripts with our attacks, the censors have increased leverage: they learn not only who uses SafeWeb, but they also learn which sites the users wanted to secretly visit. Inspecting the cookie values might reveal identification numbers possibly keyed to memberships, subscriptions, commercial transactions, or even authentication codes."

Another serious problem is cross-frame access. The system uses frames, and normally it's impossible for Javascript to gain access to two or more frames from different domains. But because of the way a SafeWeb session attempts anonymity, the two frames originate from the same domain, rendering this irrelevant.

"It is clear that the SafeWeb architecture requires cross-frame access in JavaScript," the researchers say. [emphasis original]

Even in paranoid mode, where Javascript is restricted as much as possible, successful attacks have been documented. The authors say, and rightly so, that this comes from allowing statements not known to be dangerous, rather than denying all not known to be safe.

Thus there are a number of ways besides Javascript by which a Web site can 'reach' a surfer through a SafeWeb session.

For example, "Seemingly-simple HTML statements can induce the browser to launch plug-ins or child processes that bypass the anonymizer. For example, a computer with Adobe Acrobat installed will display PDF files directly within Internet Explorer. But SafeWeb doesn’t sanitize PDF files. So when a user clicks on a URL displayed within a PDF file, Acrobat will directly contact the named host, violating anonymity. Microsoft Office documents can leak information in the same way."

SafeWeb has since developed a patch and made it available to PrivaSec and their other licensees. The patch deals with Javascript, and basically allows it to be turned off while enabling the surfer to enjoy reasonable functionality. But it doesn't address the issue of launching documents such as Acrobat and Word in a browser session. So until we hear more, fetching documents is a definite no-no for the paranoid, and the oppressed. ®

Related Stories

SafeWeb ain't all that
Do-it-yourself Internet anonymity
Internet anonymity for Windows power users
Windows hack for Web-surfing privacy

Secure remote control for conventional and virtual desktops

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.