On Tue, Apr 13, 1999 at 08:14:49PM +0200, Patrick Oonk wrote:
> From: "Richard M. Smith" <smithsat_private>
> Subject: Serious security holes in Web anonymizing services
> Date: Sun, 11 Apr 1999 19:23:25 -0400
> Newsgroups: comp.security.misc
> Organization: The Internet Access Company, Inc.
>
> I found very serious security holes in all of the major
> anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.).
> These security holes allow a Web site to obtain information about
> users that the anonymizing services are supposed to be hiding. This
> message provides complete details of the problem and offers
> a simple work-around for users until the security holes are
> fixed.
(...)
>
> With the Bell Labs and NRL systems I found a different
> failure. With a simple JavaScript expression I was
> able to query the IP address and host name of the
> browser computer. The query was done by calling the
> Java InetAddress class using the LiveConnect feature
> of Netscape Navigator. Once JavaScript has this
> information, it can easily be transmitted back to a
> Web server as part of a URL.
>
> A demo on the use of Java InetAddress class to fetch
> the browser IP address and host name can be found at:
>
> http://www.tiac.net/users/smiths/js/livecon/index.htm
>
> If you are a user of any of these services, I highly recommend
> that you turn off JavaScript, Java, and ActiveX
> controls in your browser before surfing the Web.
> This simple precaution will prevent any leaks of
> your IP address or cookies. I will be notifying all 4 vendors
> about these security holes and hopefully this same recommendation
> will be given to all users.
>

I'm sorry, but this just isn't a "hole" or "failure" in Onion Routing (which I work on) or any other anonymizing service. It's a problem with Javascript/Java and ActiveX. The fact is that browsers don't consider IP addresses as private information, and IMO this needs to change, or at least be optional.

I'll speak about Onion Routing since I don't know the Bell Labs system as well. Onion Routing is designed to prevent traffic analysis. It is _not_ designed to prevent the client and server from communicating in any particular fashion they choose. If the client wants to give its IP, name, phone number, height, weight, or eye color to the server, that's its business, it is not the business of Onion Routing.

There are many cases where one might want to share a real identity, or some pseudo-identity, with a server, but not want anyone in between to know you were talking to that server. Often this same functionality also prevents the server from knowing anything about the client, but that is not a requirement of the system.

Onion Routing provides a network strongly resistant to traffic analysis in the face of formidable attacks. It prevents anyone other than A and B from knowing that A and B are communicating. It has nothing to do with what information A shares with B.

That said, the Javascript thing is pretty annoying. This problem doesn't affect just anonymizing-service users, it also affects anyone behind a firewall or any sort of "internal network structure hiding" scheme. The fact that it's transparent to the user is a major issue. This is one to take up with the browser makers.

It would be possible to use an HTTP proxy to filter the Javascript, of course, and that could be built into the Onion Routing proxy, but that's only a band-aid hack, and doesn't solve the core problem.

Regards,
Jeremey.

--
Jeremey Barrett <jeremeyat_private>
GPG fingerprint = 7BB2 E1F1 5559 3718 CE25 565A 8455 D60B 8FE8 B38F
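
Added example, not part of the original message and not Onion Routing code: a sketch of the HTTP-proxy filtering mentioned in the reply above, removing scripts, applets, plugin objects, event-handler attributes and javascript: URLs from a page before it reaches the browser. The class and function names are hypothetical, and as the reply says, this is a band-aid rather than a fix for what browsers expose to active content.

```python
from html import escape
from html.parser import HTMLParser

# Illustrative filter with hypothetical names; comments and doctypes are dropped too.
DROP_WITH_CONTENT = {"script", "applet", "object", "style"}  # tag and body
DROP_VOID = {"embed"}                                        # tag only

class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__()            # convert_charrefs=True: text arrives unescaped
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element

    def _tag(self, tag, attrs, close=""):
        kept = [tag]
        for name, value in attrs:
            norm = "".join((value or "").split()).lower()
            if name.startswith("on") or norm.startswith("javascript:"):
                continue              # event handler or script URL
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(kept) + close + ">")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag not in DROP_VOID and not self.skip:
            self._tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_WITH_CONTENT | DROP_VOID and not self.skip:
            self._tag(tag, attrs, "/")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag not in DROP_VOID and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:             # an unclosed <script> drops the rest of the page
            self.out.append(escape(data, quote=False))

def strip_active_content(page):
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out)

# Constructed sample page; the script body is a placeholder, not a real probe.
SAMPLE = ('<body onload="t()"><p>A &amp; B</p><script>/* probe */</script>'
          '<a href="JavaScript:t()">x</a><embed src="p"><p>after</p></body>')
```

Calling strip_active_content(SAMPLE) returns the page with only its passive markup left; a real proxy would also have to rewrite Content-Length and handle character sets, which this sketch leaves out.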
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:21 PDT