SafeWeb Vulnerability - Fingerprinting Websites Using Traffic Analysis

From: Andrew Hintz (Drew) (mail.drewat_private)
Date: Thu May 09 2002 - 22:56:37 PDT


    SafeWeb Vulnerability
    Fingerprinting Websites Using Traffic Analysis
    
    ===========
    Overview
    ===========
    SafeWeb's web anonymizing service is supposed to prevent outside
    observers, such as a government, from observing the web surfing of
    its users. It does this by encrypting the traffic between SafeWeb
    and the user. I have discovered that by analyzing the amount of data
    transferred to a user, it is possible to determine if a user is
    viewing a certain website using SafeWeb. This attack can be used by
    a government, such as the Chinese government, to monitor which of
    its citizens are using SafeWeb to view seditious websites. SafeWeb
    is partially funded by the CIA. SafeWeb's web anonymizing technology
    has been recently licensed to PrivaSec.
    
    ===========
    Details
    ===========
    For details on the attack, please read my paper that's at:
    http://guh.nu/projects/ta/safeweb/
    
    ===========
    Code
    ===========
    In my mind, you can't really have a good vulnerability announcement
    without a matching exploit.  (just to um, show that it works... >:)
    Get my code from
    http://guh.nu/projects/ta/safeweb/fingerprint.pl
    
    ===========
    Greetz
    ===========
    Shout out to ghost.  word to your mom.  Oh yes, and the m4dn3ss
    lives on.  How do you feel about that?
    
    -- 
    ^Drew
    
    http://guh.nu
    
    --Begin PGP Fingerprint--
    3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
    --End PGP Fingerprint--
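
The overview's point, that encrypting the traffic still leaves the amount of data transferred visible to an observer, shown as an added Python example (not part of the original post and not the author's fingerprint.pl). The page names, byte counts and fixed `OVERHEAD` are constructed assumptions; the code measures how many pages remain unique by size and how padding responses to a block multiple reduces that, at a bandwidth cost.

```python
from collections import defaultdict

# Constructed sample data: plaintext bytes returned for one load of each page.
PAGE_BYTES = {
    "site-a/home": 48_213,
    "site-b/home": 48_950,
    "site-c/home": 131_072,
    "site-d/home": 52_001,
    "site-e/home": 129_400,
    "site-f/home": 7_812,
}
OVERHEAD = 64  # assumed fixed framing/MAC cost; encryption leaves length visible


def observed_size(plain_bytes, pad_to=1):
    """Byte count an on-path observer sees after padding up to a multiple of pad_to."""
    padded = -(-plain_bytes // pad_to) * pad_to  # ceiling to the next multiple
    return padded + OVERHEAD


def anonymity_sets(pages, pad_to=1):
    """Map each observed size to the pages that produce it (indistinguishable by size)."""
    sets = defaultdict(list)
    for name, size in pages.items():
        sets[observed_size(size, pad_to)].append(name)
    return {k: sorted(v) for k, v in sets.items()}


def uniquely_identifiable(pages, pad_to=1):
    """Pages whose observed size matches no other page in the set."""
    return sorted(v[0] for v in anonymity_sets(pages, pad_to).values() if len(v) == 1)


def padding_overhead(pages, pad_to):
    """Extra bytes sent because of padding, as a fraction of the unpadded total."""
    plain = sum(pages.values())
    padded = sum(observed_size(s, pad_to) - OVERHEAD for s in pages.values())
    return (padded - plain) / plain


if __name__ == "__main__":
    for pad in (1, 16_384, 65_536):
        exposed = uniquely_identifiable(PAGE_BYTES, pad)
        print(f"pad_to={pad:>6}: {len(exposed)} of {len(PAGE_BYTES)} pages unique by size, "
              f"overhead {padding_overhead(PAGE_BYTES, pad):.1%}")
```
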
    


