Message-Id: <200202150615.g1F6FCP08876@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
From: Fred Cohen <fc@all.net>
Date: Thu, 14 Feb 2002 22:15:12 -0800 (PST)
Subject: [iwar] [fc:Deanonymizing.SafeWeb.Users]
Reply-To: iwar@yahoogroups.com

In light of this post by Martin & Schulman on attacks against SafeWeb/PrivaSec, we thought we would release just a few examples of my own internal research to support their views on JavaScript and anonymous proxy systems over the last years. We have found that these attacks are not limited to SafeWeb. A rewrite engine alone will not cover every possible manipulation of JavaScript. Some attacks to support the Martin & Schulman paper include but are not limited to:

Embedding JavaScript in VBScript using the execscript command (SafeWeb/PrivaSec & SiegeSoft)
http://www.anonymizer.com/proxy_tests/vbscript2.html

Missing uncommon functions such as document.replace (SiegeSoft)
http://www.anonymizer.com/proxy_tests/siege_soft1.html

Not recognizing the reset of form locations (SiegeSoft)
http://www.anonymizer.com/proxy_tests/siege_soft2.html

You can also use the SafeWeb/PrivaSec functions against themselves due to a scoping flaw
http://www.anonymizer.com/proxy_tests/sw_test_2.html

There are many more possibilities due to JavaScript's functionality as a language. Allowing JavaScript through a privacy protection system is a non-trivial task.

Allowing JavaScript in general can be extremely dangerous. An individual only needs to look at the BugTraq postings over the last month by The Pull and many others to see its inherent dangers. By allowing JavaScript you are allowing other parties to execute their programs on your computer and placing full faith in them not to write anything harmful. Current Proxy systems that allow JavaScript and other scripting languages cannot prevent all instances of these attacks. For instance, SafeWeb does not stop The Pull's file reading exploit. A proxy system can help to reduce these attacks but would not be able to give a 100% guarantee since they would be reactionary to problems in browser software developed by other vendors.

Anonymizer has always taken the approach not to release functionality until it has been sufficiently developed and proven reliable. It is this approach that prevented us from releasing an unsafe version of JavaScript functionality just to be the first one there.
Anonymizer is in fact now completing development of a solution for allowing JavaScript while safely mitigating these risks through our proxy and will be releasing a public beta in Spring 2002.

Note: The term "Anonymizer" is a trusted brand name and registered trademark of Anonymizer Inc. The term "Anonymizer" and similar words (such as anonymize or anonymizing) should not be used as generic descriptive terms for Web privacy technology.

Peleus Uhley
Senior Developer
Anonymizer Inc.
peleus@anonymizer.com
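The message's point that a rewrite engine only covers the constructs it knows can be checked by auditing the rewriter's output independently, as in this added example (not part of the original post and not any vendor's code). The proxy prefix, the `origin.example` host, the function names and the sample page are all constructed assumptions; the audit flags any absolute URL that does not go through the proxy and any script block in a language the rewriter does not parse.

```javascript
// Added example: a toy denylist rewriter plus an independent audit of its output.
// PROXY, origin.example and every function name here are hypothetical.
const PROXY = "https://proxy.example/fetch?u=";
const wrap = (url) => PROXY + encodeURIComponent(url);

// Rewrites only the URL-bearing constructs it was taught about:
// href/src/action attributes and assignments to location.href.
function denylistRewrite(html) {
  return html
    .replace(/\s(href|src|action)="(https?:\/\/[^"]+)"/gi,
      (_, attr, url) => ` ${attr}="${wrap(url)}"`)
    .replace(/location\.href\s*=\s*"(https?:\/\/[^"]+)"/g,
      (_, url) => `location.href="${wrap(url)}"`);
}

// Default-deny audit: anything the rewriter did not provably handle is a finding.
function auditOutput(html) {
  const findings = [];
  // 1. Every absolute URL left in the page must start with the proxy prefix.
  for (const m of html.matchAll(/https?:\/\/[^\s"'<>)]+/gi)) {
    if (!m[0].startsWith(PROXY)) findings.push({ kind: "direct-url", value: m[0] });
  }
  // 2. Script blocks declared in a language other than JavaScript were never parsed.
  for (const m of html.matchAll(/<script\b[^>]*\blanguage\s*=\s*["']?([a-z]+)/gi)) {
    if (!/^javascript$/i.test(m[1])) findings.push({ kind: "foreign-script", value: m[1] });
  }
  return findings;
}

// Constructed sample page: two constructs the rewriter knows, two it does not.
const SAMPLE = [
  `<a href="http://origin.example/a">link</a>`,
  `<script>location.href="http://origin.example/b"</script>`,
  `<script>document.location.replace("http://origin.example/c")</script>`,
  `<script language="VBScript">' body omitted</script>`,
].join("\n");

function auditSample() {
  return auditOutput(denylistRewrite(SAMPLE));
}

console.log(auditSample());
```

Run as a regression check against a rewriting proxy's output, a non-empty result means the page should be blocked or stripped of script rather than served.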
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST