[ISN] Security Holes in Web Privacy Program

From: InfoSec News (isnat_private)
Date: Wed May 22 2002 - 01:42:22 PDT

  • Next message: InfoSec News: "Re: [ISN] Re: UNSUBSCRIBE isn "Jay D. Dyson" <jdysonat_private>"

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    
    http://finance.lycos.com/home/news/story.asp?story=27257112
    
    
    By D. IAN HOPPER AP Technology Writer
    
    WASHINGTON (AP) - A popular Internet privacy service that lets Web 
    surfers visit sites anonymously has fixed several serious flaws, and 
    now the service's founder is offering a reward to the finder of the 
    bugs.
    
    Bennett Haselton, an Internet filtering activist who runs the 
    Peacefire Web site, found the problems with Anonymizer.com, a 
    five-year-old service that shields users from tracking by Web sites 
    and their Internet providers.
    
    Haselton ``came up with a new way of exploiting (Web) standards,'' 
    Anonymizer president Lance Cottrell explained Monday. ``They're 
    pretty subtle.''
    
    Many major commercial sites cringe when security researchers find a 
    hole. But Anonymizer actually encourages it through a ``bug bounty.''
    
    Haselton's reward: three free years of the Anonymizer service, which 
    costs $50 a year. Cottrell said the offer stands for anyone else who 
    can find security holes in the service.
    
    ``We are always actively soliciting people to attack it,'' Cottrell 
    said. ``Trying to hide and keeping your head down is always the wrong 
    answer.''
    
    Ordinarily, Web sites collect lots of information about visitors, 
    including the Internet address that can lead to a visitor's 
    geographic location, as well as shopping habits and previous Web 
    travels.
    
    Anonymizer keeps the visitor's information secret by standing between 
    the customer's Web browser and the desired Web site.
    
    Customers can use Anonymizer through the company's Web site or with a 
    downloadable program. The service allows Web users to keep personal 
    information away from marketing sites, or to keep their bosses from 
    seeing their Web surfing at work.
    
    For example, a person could use Anonymizer's service to visit the 
    FBI's tip site and offer information truly anonymously.
    
    The methods Haselton developed, though, could be used on a Web site 
    to determine where the visitor is really coming from and negate the 
    effectiveness of Anonymizer.
    
    Independent researchers who find security holes frequently get a cold 
    reception from Web sites. Internet companies complain that the 
    researchers are more interested in notoriety - the rush to release 
    their find - than customer safety.
    
    The battle between the two sides has prompted several security firms, 
    along with Microsoft Corp., to advocate limited disclosure of 
    security holes. This has brought even more controversy among security 
    experts.
    
    Cottrell said his company doesn't know of any Web sites that used 
    Haselton's methods to defeat the privacy program.
    
    ``Our customers are very open with us,'' Cottrell said. ``I'm sure we 
    would have heard about it.''
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 04:12:07 PDT