FC: SafeWeb fixes JavaScript problems -- but is that enough?

From: Declan McCullagh (declanat_private)
Date: Sat Feb 16 2002 - 07:45:40 PST

    JavaScript problems found in SafeWeb's service:
    http://www.politechbot.com/p-03134.html
    
    SafeWeb pledges to fix them:
    http://www.wired.com/news/ebiz/0,1272,50424,FF.html
    
    ---
    
    From: "Sandra Song" <sandraat_private>
    To: <declanat_private>
    Cc: <dmat_private>, "Ari Schwartz" <ariat_private>
    Subject: SafeWeb closes holes
    Date: Fri, 15 Feb 2002 12:47:48 -0800
    
    Hello -- Just wanted to inform you that we have completed the patch we
    promised, and we have implemented the changes so that PrivaSec users
    can now turn off JavaScript on their browsers and still have some
    functionality when surfing the Web anonymously. This solves all
    problems pointed out in the paper by Martin and Schulman.
    
    Regards,
    ====================
    Sandra Song
    Communications Director
    SafeWeb, Inc.
    (510) 601-8855 x108
    sandraat_private <mailto:sandraat_private>
    
    ---
    
    From: "David Martin" <dmat_private>
    To: "Sandra Song" <sandraat_private>
    Cc: <declanat_private>, "Ari Schwartz" <ariat_private>,
    	"Andrew Schulman" <undocat_private>
    Subject: RE: SafeWeb closes holes
    Date: Fri, 15 Feb 2002 17:26:31 -0500
    
    Sandra,
    
    I'm sure your licensees will be pleased.  Thanks for letting me know too.  I
    thought you might decide to block JavaScript more thoroughly, either with a
    new configuration mode, or with an extra roundtrip like Anonymizer uses.
    That amounts to removing the JavaScript part of your "faithfulness"
    requirement, which was part of your claimed competitive advantage, as well
    as the enabler of most of the vulnerabilities that we described.
    
    I did notice that the vulnerability we noted in the last paragraph of our
    section 6.2 remains unaddressed.  So this patch really doesn't fix all the
    vulnerabilities that we mentioned, although it does fix almost all of them.
    Are you planning to filter out PDFs, DOCs, etc., or are you leaving that up
    to your licensees to handle?  Or are users supposed to know that some
    document types are not safe to click around in?
    
    Finally, I feel a need to distinguish between "problems" and
    "vulnerabilities".  Your patch does address most of the vulnerabilities we
    mentioned, but it's a little misleading to say that this technical fix
    addresses all of the problems that we described.  For example, it remains
    problematic that your FAQ stated that JavaScript was no privacy threat and
    that other companies were wrong in thinking so.  Either you knew better than
    that or you should have.  Our paper contains several other examples of
    problems with the security process along these lines, and such problems
    can't be addressed with a patch.
    
    Sincerely,
    David
    
    ---
    
    Date: Fri, 15 Feb 2002 18:40:58 -0800
    From: Andrew Schulman <undocat_private>
    To: David Martin <dmat_private>
    Cc: Sandra Song <sandraat_private>, declanat_private,
    	Ari Schwartz <ariat_private>, Andrew Schulman <undocat_private>
    Subject: Re: SafeWeb closes holes
    
    Hi Sandra,
    
    I had a couple of questions about the "closes holes" fix which I see
    has been put in place over at http://www.privasec.com. I know the
    SafeWeb company isn't really responsible for the PrivaSec site, but
    since that's the only way we have right now of testing the SafeWeb
    anonymizing technology, I'll refer below to PrivaSec:
    
    (1) How are users being informed that they need to turn off JavaScript
    in their browsers if they want to prevent some easily-launched (though
    hopefully uncommon) attacks by malicious parties? I didn't see
    anything at the PrivaSec site indicating the need to turn off
    JavaScript. What sort of communication is SafeWeb sending to its
    licensees regarding the possible need to turn off JavaScript when
    visiting some sites?
    
    (2) Does SafeWeb still "strongly recommend" that users have scripting
    turned on?
    
    (From SafeWeb's old FAQ: "SafeWeb strongly recommends that you turn on
    both JavaScript and cookies in your Web browser preferences, as they
    will substantially improve your SafeWeb browsing experience.")
    
    (3) I know you say that "This solves all problems pointed out in the
    paper by Martin and Schulman," but if I go to the newly-fixed PrivaSec
    site, keep scripting turned off in my browser, do a bit of safe
    browsing with PrivaSec/SafeWeb, then turn scripting back on, any
    subsequent site can still easily snarf all my cookies from the other
    sites I visited when scripting was turned off. The ability for any
    site someone visits, under SafeWeb's auspices, to see any cookies
    deposited by other sites, still strikes me as *nuts* for any
    security/privacy product. Can the product be fixed to get rid of this?
    
    (4) Okay, this one may seem like it falls in the "beating a dead
    horse" or "history is bunk" department, but:
    
    Would SafeWeb continue to maintain that its support for JavaScript was
    a major competitive advantage over Anonymizer.Com? For example, from
    an email Jon Chun sent me about a year ago: "While other web-based
    privacy services such as Anonymizer only rewrite HTML SafeWeb rewrites
    HTML, DHTML (including JavaScript, VBScript, CSS), Flash 3,4,5 and
    most Java.  So yes, SafeWeb rewrites JavaScript code and many others
    as well so millions of rich websites like mtv, sony, hotmail, etrade,
    webvan work via SafeWeb even though they break via Anonymizer."
    
    Wouldn't these same sites now break under SafeWeb, with the "closes
    holes" fix in place? It seems to me a bit unfair that SafeWeb got to
    compete with Anonymizer on the basis of SafeWeb's support for
    JavaScript, when it now turns out that SafeWeb's support for
    JavaScript can apparently only be "fixed" by turning *off* JavaScript.
    
    I mean, really: SafeWeb says it supports JavaScript. We find the
    JavaScript support is easily attacked. SafeWeb responds with: "Users
    can turn off JavaScript. This fixes the problem."
    
    It's very "have your cake and eat it too" that SafeWeb could (in its
    salad days) have trumpeted how it supported JavaScript when its
    competitors didn't, and then when we find that its support for
    JavaScript was in fact quite poor, and that its competitors had good
    reasons for being far more cautious about JavaScript, the SafeWeb
    company now says "Oh, the problem is easy to fix. Users should just
    turn off JavaScript in their browsers." Talk about passive
    aggressive. I'd have hoped the company would have been big enough to
    just admit, "Yeah, our JavaScript support was a bad joke and we should
    never have released it. We knew it wouldn't withstand the simplest
    attack but we released it anyway because we figured no one would ever
    attack it."
    
    Anyway, that's my interpretation of this small incident.
    
    Thanks much,
    Andrew
    
    --
    Andrew Schulman
    Software litigation consultant
    Chief Researcher, Workplace Surveillance Project, Privacy Foundation, US
    undocat_private
    http://www.privacyfoundation.org/workplace
    http://www.undoc.com
    phone 707-570-2058
    cell 707-477-3766
    
    ---
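Point (3) in Schulman's message describes the structural issue: every site visited through a URL-rewriting proxy is served from the proxy's own origin, so the browser keeps all of those sites' cookies in one jar that any later page can read. The Python model below is an added example, not SafeWeb's or the authors' code; it contrasts that flat jar with a store partitioned by the real site, and the site names and cookie values are constructed.

```python
"""Model of cookie isolation in a URL-rewriting anonymizing proxy (added example).

Because every target site is rewritten and served from the proxy's origin, the
browser has a single origin for all of them. The weak design keeps one flat
jar and exposes it to every rewritten page; the hardened design keys cookies
by the real site's host and exposes only that site's slice.
"""
from urllib.parse import urlparse


class ProxyCookieStore:
    def __init__(self, partition_by_site: bool) -> None:
        self.partition_by_site = partition_by_site
        # Weak: {name: value} shared by every site seen through the proxy.
        # Hardened: {site_host: {name: value}}.
        self._jar: dict = {}

    @staticmethod
    def _host(site_url: str) -> str:
        host = urlparse(site_url).hostname
        if not host:
            raise ValueError(f"no host in {site_url!r}")
        return host.lower()

    def store(self, site_url: str, name: str, value: str) -> None:
        """Record a Set-Cookie the proxy saw in site_url's response."""
        if self.partition_by_site:
            self._jar.setdefault(self._host(site_url), {})[name] = value
        else:
            self._jar[name] = value  # flat jar: site identity is lost here

    def visible_to(self, site_url: str) -> dict:
        """Cookies a rewritten page from site_url can read (or send back)."""
        if self.partition_by_site:
            return dict(self._jar.get(self._host(site_url), {}))
        return dict(self._jar)


def demo() -> tuple:
    """Constructed scenario: two sites set cookies (scripting on or off makes
    no difference to the jar), then an unrelated third site is loaded."""
    results = []
    for partitioned in (False, True):
        store = ProxyCookieStore(partition_by_site=partitioned)
        store.store("https://mail.example/inbox", "session", "s3cr3t")  # constructed
        store.store("https://shop.example/cart", "cart", "item42")      # constructed
        results.append(store.visible_to("https://third-party.example/page"))
    return results[0], results[1]  # (weak design view, hardened design view)
```

The weak store hands the unrelated page both cookies; the partitioned store hands it none, while still returning each site its own cookies.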
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    