Anonymous Web Surfing? Uh-Uh http://www.wired.com/news/news/technology/story/19091.html by Chris Oakes People who think they're cruising the Web in a stealth vehicle may find that their license plates are still showing. "Anonymizer" services admit that their attempts to protect individual Web identities aren't bulletproof, but say that browsing technologies should share the blame. Programmer Richard Smith, who has a history of poking holes in supposedly secure software programs, tested four anonymizer Web services and came away unimpressed. On Monday, Smith said that results revealed a variety of data leaks, causing him to worry that users might browse with a false sense of security. "I was surprised that companies who are in the computer security business have systems that are so easy to break," he said. "Even more surprising is that four vendors had a problem, not just one." The leaks provide clues to a user's identification, such as a numerical Internet, or IP, address. "I found very serious security holes in all of the major anonymous Web surfing services," Smith said. "These security holes allow a Web site to obtain information about users that the anonymizing services are supposed to be hiding." Representatives of the services acknowledge that security lapses occur, but argue that the browsing software is as much to blame as they are. They're quick to add that they patch holes when they can. Smith tested the Anonymizer [ http://www.anonymizer.com/3.0/index.shtml ], Aixs [ http://aixs.net/aixs/ ], the Lucent Personalized Web Assistant http://www.bell-labs.com/project/lpwa/ ], and a US Navy-sponsored research project called the Onion Routing service [ http://www.onion-router.net/ ]. Although the characteristics of each service vary, they primarily use data-stripping and proxy-masking techniques to conceal key data that browser software can leave behind. The Anonymizer recently announced an anonymous forwarding service to help safeguard the identity of those filing unofficial and uncensored email reports from the fighting in Kosovo http://www.wired.com/news/news/politics/story/18765.html ]. The main purpose of all four services, though, is to keep a user's identity safe from the prying eyes of Web-site operators by preventing them from obtaining an IP address, a host computer's name, or browser cookies that tip off a return visit to a site. To hide these details, most services act as a kind of Web waystation between browsers and sites. The anonymizing services retrieve Web pages and deliver them to users instead of users fetching them directly. An operator at one service says that the weaknesses Smith points out are not entirely the fault of the anonymizer. Flaws in the software must take some blame, too. Using a test HTML page containing simple JavaScript code -- which could be posted on a site seeking to sniff out a user's identity -- Smith was able to quietly turn off the anonymizing feature in the Anonymizer and Aixs systems. No longer anonymous, the user's browser will resume the delivery of IP addresses and cookies to a Web site. Smith says that's due to the services failing to consistently filter embedded JavaScript code from a site's HTML code. Anonymizer CEO Lance Cottrell said that the company is responding to Smith's alert. But he said that to exploit the vulnerability, a site would have to be actively seeking to do so. "In any case, being bounced out of the Anonymizer would only show that the person had been there, but would not allow correlation with any postings," Cottrell said, adding that no anonymizer system can promise perfectly sealed identity. "The systems we are working with are simply too flexible, and allow things to be done in too many ways, for security to be perfect. We try to anticipate all the loopholes we can, then act like lightning when a unforeseen hole is reported." Attempts to reach representatives at the Aixs service were unsuccessful. With the Lucent Personalized Web Assistant and Onion Routing service, Smith found a different type of problem. "With a simple JavaScript expression, I was able to query the IP address and host name of the browser computer." Once JavaScript has this information, he said it can easily be transmitted it back to a Web server as part of a URL. He said that the same tests run with Internet Explorer 4.0 did not produce the same vulnerabilities. Jeremey Barrett, an engineer for the Onion Routing System, said that the problem lies with the browsers, not with anonymizer services like his. Browsers, he said, will surrender a user's IP address to sites that request it with JavaScript or ActiveX code. Browser manufacturers have released patches periodically as issues surrounding the acknowledged risks of executing JavaScript and ActiveX code have surfaced. "The only way to prevent this, regardless of the anonymizing system used, is to filter out the JavaScript code using some form of proxy," said Barrett. He also said that Onion Routing is not simply an anonymizer meant to keep an individual site from knowing who's visiting. "Rather, it's meant to prevent anyone else from knowing that you are talking to a particular Web server." "For example, you might log into your bank's Web site over the Onion Routing system. You would very definitely want the bank to know who you were, but you might not want anyone to know you were talking to your bank." For airtight Web browsing, any feature beyond basic HTML would have to be turned off in the browser; that's the nature of the approach taken by the Anonymizer as it strips out such code. Smith would like to see any anonymizer service provide both the proxy and the standard anonymizing service that strips data from a user's browsing trail. Meanwhile, anonymizing services should warn their users and fix the bugs. "Netscape should fix how it handles Java so that it doesn't leak people's IP address. This bug does not exist in IE4," Smith said. He reported the problem to Netscape last September http://www.wired.com/news/news/technology/story/15285.html ], but said that the company still hasn't provided a fix. Copyright � 1994-99 Wired Digital Inc. --------------------------------NOTICE:------------------------------ ISPI Clips are news & opinion articles on privacy issues from all points of view; they are clipped from local, national and international newspapers, journals and magazines, etc. Inclusion as an ISPI Clip does not necessarily reflect an endorsement of the content or opinion by ISPI. In compliance with Title 17 U.S.C. section 107, this material is distributed free without profit or payment for non-profit research and educational purposes only. --------------------------------------------------------------------------- The Institute for the Study of Privacy Issues (ISPI) is a small contributor-funded organization based in Victoria, British Columbia (Canada). For a membership contribution/fee form with postal instructions please send the following message "ISPI Contribution Form" to [EMAIL PROTECTED] . We maintain a strict privacy policy. Any information you divulge to ISPI is kept in strict confidence. It will not be sold, lent or given away to any third party. [ baru di onshop -> stampede linux, turbo linux 3.0.1, mandrake 5.3, ] [ freebsd 3.1 , cheapbytes linux archives, cheapbytes rpm galore's ] ====================================================================== berhenti dari milis hackerlink : [EMAIL PROTECTED] peraturan pada milis hackerlink : [EMAIL PROTECTED] arsip milis ini : http://www.mail-archive.com/[email protected]
