SafeWeb holes emerge, said fixed
It's possible, the researchers found, to learn more about a SafeWeb user's browsing history than that of an ordinary Netizen.
But wait, there's more. In order to maintain a user's pseudonymous identity, SafeWeb uses a 'master cookie' which, if kept independent of the user's own cookies, ought to provide a layer of pseudonymity.
While a Web site can't deposit its usual cookie on a user's machine during a SafeWeb session, the master cookie does accumulate a history of the user's browsing during the session -- a record of all the cookies he's been fed. This is fine so long as the site can't associate that data with the user, or access the cookie and alter its properties.
Unfortunately, the master cookie can be attacked, and a lot can be done besides reading it. It's possible to alter it, and in so doing downgrade a person's preferred mode from paranoid to recommended, for example, or to enable Java applets against the user's will.
This also has unpleasant implications for SafeWeb's goal of providing anonymity to surfers in neurotic countries like China and Saudi Arabia, where access to information is controlled by a malevolent government, and curiosity can result in a jail sencence.
"By obtaining SafeWeb master cookies or session transcripts with our attacks, the censors have increased leverage: they learn not only who uses SafeWeb, but they also learn which sites the users wanted to secretly visit. Inspecting the cookie values might reveal identification numbers possibly keyed to memberships, subscriptions, commercial transactions, or even authentication codes."
For example, "Seemingly-simple HTML statements can induce the browser to launch plug-ins or child processes that bypass the anonymizer. For example, a computer with Adobe Acrobat installed will display PDF files directly within Internet Explorer. But SafeWeb doesn’t sanitize PDF files. So when a user clicks on a URL displayed within a PDF file, Acrobat will directly contact the named host, violating anonymity. Microsoft Office documents can leak information in the same way."