Sorry for the dual post, the first was HTML format.

This is more of a browser/Java issue. This not only affects anon services but
proxy/firewall services also!!!

Toby Barrick

Patrick Oonk wrote:
>
> From: "Richard M. Smith" <smithsat_private>
> Subject: Serious security holes in Web anonymizing services
> Date: Sun, 11 Apr 1999 19:23:25 -0400
> Newsgroups: comp.security.misc
> Organization: The Internet Access Company, Inc.
>
> Hello,
>
> I found very serious security holes in all of the major anonymous Web
> surfing services (Anonymizer, Aixs, LPWA, etc.). These security holes
> allow a Web site to obtain information about users that the anonymizing
> services are supposed to be hiding. This message provides complete
> details of the problem and offers a simple work-around for users until
> the security holes are fixed.
>
> The April 8th issue of the New York Times has an article by Peter H.
> Lewis in the Circuits section that describes various types of services
> that allow people to anonymously surf the Web. The article is entitled
> "Internet Hide and Seek" and is available at the NY Times Web site:
>
> http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
>
> (Note, this article can only be viewed if you have a free NY Times Web
> account.)
>
> The three services described in the article are:
>
> Anonymizer (http://www.anonymizer.com)
> Bell Labs (http://www.bell-labs.com/project/lpwa)
> Naval Research Laboratory (http://www.onion-router.net)
>
> In addition, I found a pointer to a fourth service in a security
> newsgroup:
>
> Aixs (http://aixs.net/aixs/)
>
> The best known of these services is the Anonymizer at
> www.anonymizer.com. However all four services basically work in the
> same manner. They are intended to hide information from a Web site when
> visited by a user. The services prevent the Web site from seeing the IP
> address, host computer name, and cookies of a user. All the services act
> as proxies fetching pages from Web sites instead of users going directly
> to Web sites. The services make the promise that they don't pass private
> information along to Web sites. They also do no logging of Web sites
> that have been visited.
>
> After reading the article, I was curious to find out how well each of
> these services worked. In particular, I wanted to know if it would be
> possible for a Web site to defeat any of these systems. Unfortunately,
> with less than an hour's worth of work, I was able to get all four
> systems to fail when using Netscape 4.5.
>
> The most alarming failures occurred with the Anonymizer and Aixs
> systems. With the same small HTML page I was able to quietly turn off
> the anonymizing feature in both services. Once this page runs, it
> quickly redirects to a regular Web page of the Web site. Because the
> browser is no longer in anonymous mode, IP addresses and cookies are
> again sent from the user's browser to all Web servers. This security
> hole exists because both services fail to properly strip out embedded
> JavaScript code in all cases from HTML pages.
>
> With the Bell Labs and NRL systems I found a different failure. With a
> simple JavaScript expression I was able to query the IP address and host
> name of the browser computer. The query was done by calling the Java
> InetAddress class using the LiveConnect feature of Netscape Navigator.
> Once JavaScript has this information, it can easily be transmitted back
> to a Web server as part of a URL.
>
> A demo on the use of the Java InetAddress class to fetch the browser IP
> address and host name can be found at:
>
> http://www.tiac.net/users/smiths/js/livecon/index.htm
>
> If you are a user of any of these services, I highly recommend that you
> turn off JavaScript, Java, and ActiveX controls in your browser before
> surfing the Web. This simple precaution will prevent any leaks of your
> IP address or cookies. I will be notifying all 4 vendors about these
> security holes and hopefully this same recommendation will be given to
> all users.
>
> If you have any questions or comments, please send them via Email.
>
> Richard M. Smith
> smithsat_private
>
> --
> Patrick Oonk - http://patrick.mypage.org/ - patrickat_private
> Pine Internet B.V. Consultancy, installatie en beheer
> Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
> -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
> Excuse of the day: bugs in the RAID
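The post's first failure comes down to a proxy that does not strip embedded JavaScript "in all cases". As an added illustration (not code from the original post or from any of the services named), here is the kind of proxy-side rewrite an anonymizing service needs before forwarding a page: it drops script elements, inline event-handler attributes and javascript: URLs, matching names case-insensitively. The class and function names, and the sample page, are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

class ScriptStripper(HTMLParser):
    """Rewrite HTML so that no embedded JavaScript reaches the browser."""

    def __init__(self):
        super().__init__()        # convert_charrefs=True: text is re-escaped below
        self.out = []             # rewritten HTML fragments
        self.in_script = False    # True while inside a <script> element
        self.removed = 0          # number of active-content items dropped

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:            # HTMLParser lower-cases names
            if name.startswith("on"):        # onload=, onclick=, ...
                self.removed += 1
                continue
            if value is not None and name in ("href", "src", "action"):
                # collapse embedded whitespace before checking the scheme
                if "".join(value.split()).lower().startswith("javascript:"):
                    self.removed += 1
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"'
                        if value is not None else f" {name}")
        return "".join(kept)

    def handle_starttag(self, tag, attrs):   # tag is already lower-cased
        if tag == "script":
            self.in_script, self.removed = True, self.removed + 1
        elif not self.in_script:
            self.out.append(f"<{tag}{self._clean_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):             # script bodies are skipped
        if not self.in_script:
            self.out.append(escape(data, quote=False))

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")
    # HTML comments are dropped entirely (no handle_comment override)

def strip_scripts(html):
    """Return (rewritten_html, number_of_active_content_items_removed)."""
    p = ScriptStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample page: mixed-case tags, an event handler and a javascript: link
SAMPLE = ('<HTML><BODY onLoad="leave()"><SCRIPT>location="http://example.invalid/"'
          '</SCRIPT><a href="JavaScript:leave()">go</a><p>Hello &amp; welcome</p>'
          '</BODY></HTML>')
```

The second failure (a LiveConnect call into Java's InetAddress) cannot be fixed by rewriting HTML at the proxy, which is why the post's advice is to disable JavaScript and Java in the browser.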
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:20 PDT