JavaScript problems found in SafeWeb's service:
http://www.politechbot.com/p-03134.html

SafeWeb pledges to fix them:
http://www.wired.com/news/ebiz/0,1272,50424,FF.html

---

From: "Sandra Song" <sandraat_private>
To: <declanat_private>
Cc: <dmat_private>, "Ari Schwartz" <ariat_private>
Subject: SafeWeb closes holes
Date: Fri, 15 Feb 2002 12:47:48 -0800

Hello --

Just wanted to inform you that we have completed the patch we promised, and we have implemented the changes so that PrivaSec users can now turn off JavaScript on their browsers and still have some functionality when surfing the Web anonymously. This solves all problems pointed out in the paper by Martin and Schulman.

Regards,

====================
Sandra Song
Communications Director
SafeWeb, Inc.
(510) 601-8855 x108
sandraat_private <mailto:sandraat_private>

---

From: "David Martin" <dmat_private>
To: "Sandra Song" <sandraat_private>
Cc: <declanat_private>, "Ari Schwartz" <ariat_private>, "Andrew Schulman" <undocat_private>
Subject: RE: SafeWeb closes holes
Date: Fri, 15 Feb 2002 17:26:31 -0500

Sandra,

I'm sure your licensees will be pleased. Thanks for letting me know too.

I thought you might decide to block JavaScript more thoroughly, either with a new configuration mode, or with an extra roundtrip like Anonymizer uses. That amounts to removing the JavaScript part of your "faithfulness" requirement, which was part of your claimed competitive advantage, as well as the enabler of most of the vulnerabilities that we described.

I did notice that the vulnerability we noted in the last paragraph of our section 6.2 remains unaddressed. So this patch really doesn't fix all the vulnerabilities that we mentioned, although it does fix almost all of them. Are you planning to filter out PDFs, DOCs, etc., or are you leaving that up to your licensees to handle? Or are users supposed to know that some document types are not safe to click around in?

Finally, I feel a need to distinguish between "problems" and "vulnerabilities". Your patch does address most of the vulnerabilities we mentioned, but it's a little misleading to say that this technical fix addresses all of the problems that we described. For example, it remains problematic that your FAQ stated that JavaScript was no privacy threat and that other companies were wrong in thinking so. Either you knew better than that or you should have. Our paper contains several other examples of problems with the security process along these lines, and such problems can't be addressed with a patch.

Sincerely,
David

---

Date: Fri, 15 Feb 2002 18:40:58 -0800
From: Andrew Schulman <undocat_private>
To: David Martin <dmat_private>
Cc: Sandra Song <sandraat_private>, declanat_private, Ari Schwartz <ariat_private>, Andrew Schulman <undocat_private>
Subject: Re: SafeWeb closes holes

Hi Sandra,

I had a couple of questions about the "closes holes" fix which I see has been put in place over at http://www.privasec.com. I know the SafeWeb company isn't really responsible for the PrivaSec site, but since that's the only way we have right now of testing the SafeWeb anonymizing technology, I'll refer below to PrivaSec:

(1) How are users being informed that they need to turn off JavaScript in their browsers if they want to prevent some easily-launched (though hopefully uncommon) attacks by malicious parties? I didn't see anything at the PrivaSec site indicating the need to turn off JavaScript. What sort of communication is SafeWeb sending to its licensees regarding the possible need to turn off JavaScript when visiting some sites?

(2) Does SafeWeb still "strongly recommend" that users have scripting turned on? (From SafeWeb's old FAQ: "SafeWeb strongly recommends that you turn on both JavaScript and cookies in your Web browser preferences, as they will substantially improve your SafeWeb browsing experience.")

(3) I know you say that "This solves all problems pointed out in the paper by Martin and Schulman," but if I go to the newly-fixed PrivaSec site, keep scripting turned off in my browser, do a bit of safe browsing with PrivaSec/SafeWeb, then turn scripting back on, any subsequent site can still easily snarf all my cookies from the other sites I visited when scripting was turned off. The ability for any site someone visits, under SafeWeb's auspices, to see any cookies deposited by other sites, still strikes me as *nuts* for any security/privacy product. Can the product be fixed to get rid of this?

(4) Okay, this one may seem like it falls in the "beating a dead horse" or "history is bunk" department, but: Would SafeWeb continue to maintain that its support for JavaScript was a major competitive advantage over Anonymizer.Com? For example, from an email Jon Chun sent me about a year ago: "While other web-based privacy services such as Anonymizer only rewrite HTML SafeWeb rewrites HTML, DHTML (including JavaScript, VBScript, CSS), Flash 3,4,5 and most Java. So yes, SafeWeb rewrites JavaScript code and many others as well so millions of rich websites like mtv, sony, hotmail, etrade, webvan work via SafeWeb even though they break via Anonymizer." Wouldn't these same sites now break under SafeWeb, with the "closes holes" fix in place? It seems to me a bit unfair that SafeWeb got to compete with Anonymizer on the basis of SafeWeb's support for JavaScript, when it now turns out that SafeWeb's support for JavaScript can apparently only be "fixed" by turning *off* JavaScript. I mean, really: SafeWeb says it supports JavaScript. We find the JavaScript support is easily attacked. SafeWeb responds with: "Users can turn off JavaScript. This fixes the problem."

It's very "have your cake and eat it too" that SafeWeb could (in its salad days) have trumpeted how it supported JavaScript when its competitors didn't, and then when we find that its support for JavaScript was in fact quite poor, and that its competitors had good reasons for being far more cautious about JavaScript, the SafeWeb company now says "Oh, the problem is easy to fix. Users should just turn off JavaScript in their browsers." Talk about passive-aggressive. I'd have hoped the company would have been big enough to just admit, "Yeah, our JavaScript support was a bad joke and we should never have released it. We knew it wouldn't withstand the simplest attack but we released it anyway because we figured no one would ever attack it."

Anyway, that's my interpretation of this small incident.

Thanks much,
Andrew

--
Andrew Schulman
Software litigation consultant
Chief Researcher, Workplace Surveillance Project, Privacy Foundation, US
undocat_private
http://www.privacyfoundation.org/workplace
http://www.undoc.com
phone 707-570-2058
cell 707-477-3766

---

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
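One way a URL-rewriting proxy can stop the cross-site cookie exposure Andrew raises in point (3), as an added example that is not SafeWeb's or PrivaSec's code: every proxied site's cookies land on the proxy's own origin, so the proxy tags each stored cookie with the upstream origin that set it and forwards only matching cookies back to that origin. The `px` prefix, the hex tag encoding and the function names are assumptions of this example.

```javascript
// Added example, not SafeWeb/PrivaSec code: cookie isolation for a
// URL-rewriting proxy. Every proxied site's cookies land on the proxy's
// own origin, so the proxy must keep them apart itself: each stored
// cookie name is tagged with the upstream origin that set it, and only
// cookies carrying the matching tag are forwarded back to that origin.
// The "px" prefix and the hex tag encoding are constructed for this example.

const PREFIX = "px";

// Origin -> cookie-name-safe tag (hex never contains "_", so the
// tag + "_" boundary below cannot be spoofed by another origin's tag).
function originTag(origin) {
  let hex = "";
  for (const ch of origin) hex += ch.codePointAt(0).toString(16).padStart(4, "0");
  return hex;
}

// Rewrite an upstream Set-Cookie header before passing it to the browser.
// Domain and Path are dropped: the cookie now lives on the proxy origin, so
// upstream scoping is meaningless. HttpOnly is forced so scripts in any
// rewritten page (which all share the proxy origin) cannot read the jar.
function rewriteSetCookie(origin, setCookie) {
  const [nameValue, ...attrs] = setCookie.split(";").map(s => s.trim());
  const eq = nameValue.indexOf("=");
  if (eq < 1) return null; // no cookie name: refuse rather than store it
  const name = nameValue.slice(0, eq);
  const value = nameValue.slice(eq + 1);
  const kept = attrs.filter(a => !/^(domain|path)=/i.test(a));
  if (!kept.some(a => /^httponly$/i.test(a))) kept.push("HttpOnly");
  return [`${PREFIX}_${originTag(origin)}_${name}=${value}`, ...kept].join("; ");
}

// From the browser's Cookie header (all tagged cookies), build the Cookie
// header for a request to `origin`: matching tags only, tags stripped.
function selectCookiesFor(origin, cookieHeader) {
  const tag = `${PREFIX}_${originTag(origin)}_`;
  const out = [];
  for (const part of cookieHeader.split(";")) {
    const c = part.trim();
    if (c.startsWith(tag)) out.push(c.slice(tag.length));
  }
  return out.join("; ");
}
```

Forcing HttpOnly means scripts in rewritten pages see no cookies at all, which is the loss of "faithfulness" David Martin describes; the per-origin selection at least keeps the proxy from handing one site's cookies to a request for another.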
This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 07:40:45 PST