FC: SafeWeb's anonymous-surfing technology is not that safe

From: Declan McCullagh (declanat_private)
Date: Tue Feb 12 2002 - 14:36:43 PST


    The Martin-Schulman paper:
    http://www.cs.bu.edu/techreports/pdf/2002-003-deanonymizing-safeweb.pdf
    
    PrivaSec's free SafeWeb-licensed service: (username: demo, password: secure)
    http://www.privasec.com/regusers/demolaunch.htm
    
    ---
    
    http://www.wired.com/news/politics/0,1283,50371,00.html
       
       SafeWeb's Holes Contradict Claims
       By Declan McCullagh (declanat_private)
       12:35 p.m. Feb. 12, 2002 PST
       
       WASHINGTON -- SafeWeb's anonymous-surfing technology turns out not to
       be very safe after all.
       
       A pair of researchers has unearthed flaws in the CIA-funded product
       that contradict the company's claims of "complete privacy" and reveal
       the supposedly confidential information of customers.
       
       Founded in April 2000, SafeWeb marketed an advertising-supported
       service said to allow users to browse the Web anonymously. In
       interviews, SafeWeb CEO Jon Chun boasted that the technology had been
       "through the rigors of the CIA's stringent review process, which far
       exceeds those of the ordinary enterprise client."
       
       Citing the economic downturn, SafeWeb abandoned the free service in
       November 2001. It has licensed its anonymizing technology to another
       company, PrivaSec, which currently offers the service for free and
       plans to charge for it soon.
       
       In a paper (PDF) released on Tuesday, David Martin, a Boston
       University computer scientist, and Andrew Schulman of the Privacy
       Foundation say that SafeWeb's assertions were more hopeful than true.
       
       They say, and SafeWeb has acknowledged, that flaws in the company's
       architecture allow a website to use JavaScript to obtain the concealed
       Internet address of the visitor. Because of SafeWeb's centralized
       technology, that page can also download a browser's cookies and obtain
       copies of subsequent Web pages visited during that session.
    
       [...]
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


