Feeds

SafeWeb holes emerge, said fixed

Javascript again....

  • alert
  • submit to reddit

3 Big data security analytics techniques

Late last week Boston University's David Martin and the Privacy Foundation's Andrew Schulman released a report demonstrating the ease with which the SafeWeb proxy could be defeated with Javascript. SafeWeb no longer offers its free anonymous Web proxy, but it is licenced to PrivaSec, which is offering the service.

It's possible, the researchers found, to learn more about a SafeWeb user's browsing history than that of an ordinary Netizen.

The first problem is the way SafeWeb handles Javascript. Rather than disable it, which leads to irritating problems with Web-site functionality, the service uses a re-write engine which strives to render potentially revealing statements harmless. This is done with two modes, 'recommended' and 'paranoid', between which which the user can choose.

Both modes, the researchers discovered, can be subverted rather easily, and in 'recommended' mode, "a one-line JavaScript statement is enough to cause a SafeWeb user’s Web browser to deliver its real IP address to the attacker."

But wait, there's more. In order to maintain a user's pseudonymous identity, SafeWeb uses a 'master cookie' which, if kept independent of the user's own cookies, ought to provide a layer of pseudonymity.

While a Web site can't deposit its usual cookie on a user's machine during a SafeWeb session, the master cookie does accumulate a history of the user's browsing during the session -- a record of all the cookies he's been fed. This is fine so long as the site can't associate that data with the user, or access the cookie and alter its properties.

Unfortunately, the master cookie can be attacked, and a lot can be done besides reading it. It's possible to alter it, and in so doing downgrade a person's preferred mode from paranoid to recommended, for example, or to enable Java applets against the user's will.

This also has unpleasant implications for SafeWeb's goal of providing anonymity to surfers in neurotic countries like China and Saudi Arabia, where access to information is controlled by a malevolent government, and curiosity can result in a jail sencence.

"By obtaining SafeWeb master cookies or session transcripts with our attacks, the censors have increased leverage: they learn not only who uses SafeWeb, but they also learn which sites the users wanted to secretly visit. Inspecting the cookie values might reveal identification numbers possibly keyed to memberships, subscriptions, commercial transactions, or even authentication codes."

Another serious problem is cross-frame access. The system uses frames, and normally it's impossible for Javascript to gain access to two or more frames from different domains. But because of the way a SafeWeb session attempts anonymity, the two frames originate from the same domain, rendering this irrelevant.

"It is clear that the SafeWeb architecture requires cross-frame access in JavaScript," the researchers say. [emphasis original]

Even in paranoid mode, where Javascript is restricted as much as possible, successful attacks have been documented. The authors say, and rightly so, that this comes from allowing statements not known to be dangerous, rather than denying all not known to be safe.

Thus there are a number of ways besides Javascript by which a Web site can 'reach' a surfer through a SafeWeb session.

For example, "Seemingly-simple HTML statements can induce the browser to launch plug-ins or child processes that bypass the anonymizer. For example, a computer with Adobe Acrobat installed will display PDF files directly within Internet Explorer. But SafeWeb doesn’t sanitize PDF files. So when a user clicks on a URL displayed within a PDF file, Acrobat will directly contact the named host, violating anonymity. Microsoft Office documents can leak information in the same way."

SafeWeb has since developed a patch and made it available to PrivaSec and their other licensees. The patch deals with Javascript, and basically allows it to be turned off while enabling the surfer to enjoy reasonable functionality. But it doesn't address the issue of launching documents such as Acrobat and Word in a browser session. So until we hear more, fetching documents is a definite no-no for the paranoid, and the oppressed. ®

Related Stories

SafeWeb ain't all that
Do-it-yourself Internet anonymity
Internet anonymity for Windows power users
Windows hack for Web-surfing privacy

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.