Re: Serious security holes in web anonymizing services-non html

From: DaRk[V]0c (darkv0cat_private)
Date: Sun Apr 11 1999 - 15:52:01 PDT


    I am not sure it affects firewalls and proxy servers in some cases.
    
    Let's say you have a network and a firewall which links this network to
    the external world. In the anonymizer service, the proxy is OPTIONAL,
    that is, packets do not necessarily have to go through the proxy. In a
    network-firewall case, packets MUST go through the firewall. It's not
    physically or logically possible that packets go around that. Therefore,
    the anonymizing service keeps still.
    
    I made these considerations based on what I know from computer networks.
    I may be absolutely wrong and if that is the case, please correct it.
    
    v0c.
    
    Toby Barrick wrote:
    >
    > Sorry for the dual post, the first was html format.
    >
    > This is more of a browser/Java issue. This not only affects anon
    > services but proxy/firewall services also!!!
    >
    > Toby Barrick
    >
    > Patrick Oonk wrote:
    > >
    > > From: "Richard M. Smith" <smithsat_private>
    > > Subject: Serious security holes in Web anonymizing services
    > > Date: Sun, 11 Apr 1999 19:23:25 -0400
    > > Newsgroups: comp.security.misc
    > > Organization: The Internet Access Company, Inc.
    > >
    > > Hello,
    > >
    > > I found very serious security holes in all of the major
    > > anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.).
    > > These security holes allow a Web site to obtain information about
    > > users that the anonymizing services are supposed to be hiding.  This
    > > message provides complete details of the problem and offers
    > > a simple work-around for users until the security holes are
    > > fixed.
    > >
    > > The April 8th issue of the New York Times has an article
    > > by Peter H. Lewis in the Circuits section that describes
    > > various types of services that allow people to anonymously
    > > surf the Web.  The article is entitled "Internet Hide and
    > > Seek" and is available at the NY Times Web site:
    > >
    > >     http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
    > >
    > > (Note, this article can only be viewed if you have a free
    > > NY Times Web account.)
    > >
    > > The three services described in the article are:
    > >
    > >     Anonymizer (http://www.anonymizer.com)
    > >     Bell Labs (http://www.bell-labs.com/project/lpwa)
    > >     Naval Research Laboratory (http://www.onion-router.net)
    > >
    > > In addition, I found a pointer to a fourth service in a security
    > > newsgroup:
    > >
    > >     Aixs (http://aixs.net/aixs/)
    > >
    > > The best known of these services is the Anonymizer at
    > > www.anonymizer.com.  However all four services basically
    > > work in the same manner.  They are intended to hide
    > > information from a Web site when visited by a user.  The
    > > services prevent the Web site from seeing the IP address,
    > > host computer name, and cookies of a user.  All the services act
    > > as proxies fetching pages from Web sites instead of users
    > > going directly to Web sites.  The services make the promise
    > > that they don't pass private information along to
    > > Web sites.  They also do no logging of Web sites that
    > > have been visited.
    > >
    > > After reading the article, I was curious to find out how well
    > > each of these services worked.  In particular, I wanted to
    > > know if it would be possible for a Web site to
    > > defeat any of these systems.  Unfortunately, with less
    > > than an hour's worth of work, I was able to get all four
    > > systems to fail when using Netscape 4.5.
    > >
    > > The most alarming failures occurred with the Anonymizer and Aixs
    > > systems.  With the same small HTML page I was able
    > > to quietly turn off the anonymizing feature in both services.
    > > Once this page runs, it quickly redirects to a regular
    > > Web page of the Web site.  Because the browser is no
    > > longer in anonymous mode, IP addresses and cookies
    > > are again sent from the user's browser to all Web servers.
    > > This security hole exists because both services fail to properly
    > > strip out embedded JavaScript code in all cases from HTML
    > > pages.
    > >
    > > With the Bell Labs and NRL systems I found a different
    > > failure.  With a simple JavaScript expression I was
    > > able to query the IP address and host name of the
    > > browser computer.  The query was done by calling the
    > > Java InetAddress class using the LiveConnect feature
    > > of Netscape Navigator.  Once JavaScript has this
    > > information, it can easily be transmitted back to a
    > > Web server as part of a URL.
    > >
    > > A demo on the use of Java InetAddress class to fetch
    > > the browser IP address and host name can be found at:
    > >
    > >    http://www.tiac.net/users/smiths/js/livecon/index.htm
    > >
    > > If you are a user of any of these services, I highly recommend
    > > that you turn off JavaScript, Java, and ActiveX
    > > controls in your browser before surfing the Web.
    > > This simple precaution will prevent any leaks of
    > > your IP address or cookies.  I will be notifying all 4 vendors
    > > about these security holes and hopefully this same recommendation
    > > will be given to all users.
    > >
    > > If you have any questions or comments, please send them via Email.
    > >
    > > Richard M. Smith
    > > smithsat_private
    > >
    > > --
    > >  Patrick Oonk -    http://patrick.mypage.org/  - patrickat_private
    > >  Pine Internet B.V.           Consultancy, installation and administration
    > >  Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
    > >  -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----
    > >  Excuse of the day: bugs in the RAID
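The core defect Richard Smith describes for the Anonymizer and Aixs is that the proxy strips embedded JavaScript only in some cases: a plain `<script>` block is removed, but a differently written script tag, an inline event handler, a `javascript:` URL or a Java applet slips through and the page can then steer the browser out of the proxy. The following is an added example, not code from Smith's post and not the code of any of the services he names: a minimal proxy-side HTML filter written with Python's standard `html.parser`, placed beside a naive `<script>`-only strip so the difference is visible. The element list, the attribute list, the scheme list, the `sanitize`/`naive_strip` names and the sample page are all constructed for this illustration.

```python
"""Proxy-side HTML filter: remove active content in all the forms a browser
of the era would execute, not just a literal <script> tag.
Added example; assumptions are marked in comments."""
import html
import re
from html.parser import HTMLParser

# Elements whose content is executable or plugin-hosted (Java/ActiveX);
# the set is an assumption chosen to match the post's JS/Java/ActiveX advice.
DROP_ELEMENTS = {"script", "applet", "object", "embed"}
# Attributes that carry URLs a browser will follow (assumed list).
URL_ATTRS = {"href", "src", "action", "lowsrc", "background"}
# URL schemes that execute code when followed (assumed list).
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "livescript:")


def is_script_url(value):
    """True if a URL value is a script scheme, even when padded with
    whitespace or control characters that browsers silently discard."""
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith(SCRIPT_SCHEMES)


class AnonymizingFilter(HTMLParser):
    """Re-emits the document, dropping active elements, on* handlers,
    script-scheme URLs and comments; records what was removed for audit."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # rebuilt document fragments
        self.removed = []    # audit trail of stripped items
        self._skip = 0       # >0 while inside a dropped element

    def _filter_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):              # inline event handler
                self.removed.append("attr:" + lname)
                continue
            if lname in URL_ATTRS and value and is_script_url(value):
                self.removed.append("url:" + lname)
                continue
            kept.append((name, value))
        return kept

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skip += 1
            self.removed.append("element:" + tag)
            return
        if self._skip:
            return
        self.out.append(self._render(tag, self._filter_attrs(attrs), False))

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.removed.append("element:" + tag)
            return
        if self._skip:
            return
        self.out.append(self._render(tag, self._filter_attrs(attrs), True))

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:          # script bodies arrive here and are dropped
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self._skip:
            self.out.append("&#%s;" % name)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

    # Comments and processing instructions are dropped outright.


def sanitize(html_text):
    """Return (filtered_html, list_of_removed_items)."""
    f = AnonymizingFilter()
    f.feed(html_text)
    f.close()
    return "".join(f.out), f.removed


def naive_strip(html_text):
    """The 'some cases' approach: only a bare, lowercase <script> block."""
    return re.sub(r"<script>.*?</script>", "", html_text, flags=re.DOTALL)


# Constructed sample page exercising four forms of active content.
SAMPLE = (
    '<html><body onload="leak()">'
    '<SCRIPT LANGUAGE="JavaScript">location.href="http://example.test/";</SCRIPT>'
    '<a href="javascript:void(0)">click</a>'
    '<applet code="Probe.class"></applet>'
    '<p>Hello &amp; welcome</p>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    print(removed)
    print("naive output still active:", naive_strip(SAMPLE))
```

Run as a script, the filter returns the page with only inert markup left and an audit list naming each stripped item, while `naive_strip` leaves the uppercase `<SCRIPT>` block, the `onload` handler and the `javascript:` link untouched, which is exactly the "not in all cases" gap. A real proxy would apply the same whitelist discipline to every content type it rewrites rather than pattern-matching for known bad strings.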
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:32 PDT