Bugtraq mailing list archives
Re: Serious security holes in web anonimyzing services
From: jeremey () TERISA COM (Jeremey Barrett)
Date: Tue, 13 Apr 1999 23:56:25 -0500
On Tue, Apr 13, 1999 at 08:14:49PM +0200, Patrick Oonk wrote:
From: "Richard M. Smith" <smiths () tiac net>
Subject: Serious security holes in Web anonymizing services
Date: Sun, 11 Apr 1999 19:23:25 -0400
Newsgroups: comp.security.misc
Organization: The Internet Access Company, Inc.

I found very serious security holes in all of the major anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.). These security holes allow a Web site to obtain information about users that the anonymizing services are supposed to be hiding. This message provides complete details of the problem and offers a simple work-around for users until the security holes are fixed.
(...)
With the Bell Labs and NRL systems I found a different failure. With a simple JavaScript expression I was able to query the IP address and host name of the browser computer. The query was done by calling the Java InetAddress class using the LiveConnect feature of Netscape Navigator. Once JavaScript has this information, it can easily be transmitted back to a Web server as part of a URL. A demo on the use of Java InetAddress class to fetch the browser IP address and host name can be found at:

http://www.tiac.net/users/smiths/js/livecon/index.htm

If you are a user of any of these services, I highly recommend that you turn off JavaScript, Java, and ActiveX controls in your browser before surfing the Web. This simple precaution will prevent any leaks of your IP address or cookies. I will be notifying all 4 vendors about these security holes and hopefully this same recommendation will be given to all users.
I'm sorry, but this just isn't a "hole" or "failure" in Onion Routing (which I work on) or any other anonymizing service. It's a problem with Javascript/Java and ActiveX. The fact is that browsers don't consider IP addresses as private information, and IMO this needs to change, or at least be optional.

I'll speak about Onion Routing since I don't know the Bell Labs system as well. Onion Routing is designed to prevent traffic analysis. It is _not_ designed to prevent the client and server from communicating in any particular fashion they choose. If the client wants to give its IP, name, phone number, height, weight, or eye color to the server, that's its business, it is not the business of Onion Routing.

There are many cases where one might want to share a real identity, or some pseudo-identity, with a server, but not want anyone in between to know you were talking to that server. Often this same functionality also prevents the server from knowing anything about the client, but that is not a requirement of the system.

Onion Routing provides a network strongly resistant to traffic analysis in the face of formidable attacks. It prevents anyone other than A and B from knowing that A and B are communicating. It has nothing to do with what information A shares with B.

That said, the Javascript thing is pretty annoying. This problem doesn't affect just anonymizing-service users, it also affects anyone behind a firewall or any sort of "internal network structure hiding" scheme. The fact that it's transparent to the user is a major issue. This is one to take up with the browser makers.

It would be possible to use an HTTP proxy to filter the Javascript, of course, and that could be built into the Onion Routing proxy, but that's only a band-aid hack, and doesn't solve the core problem.

Regards,
Jeremey.

--
Jeremey Barrett <jeremey () terisa com>
GPG fingerprint = 7BB2 E1F1 5559 3718 CE25 565A 8455 D60B 8FE8 B38F
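
The HTTP-proxy filtering mentioned at the end of the reply above, as an added example that is not part of the original message or of any Onion Routing code: a response filter that drops script, applet, object and embed elements, `on*` event-handler attributes and `javascript:` URLs from an HTML page before it reaches the browser. All names here (`strip_active_content`, `ActiveContentFilter`, the sample page) are hypothetical, and the filter only covers the vectors it lists, which is the band-aid character the reply describes.

```python
import re
from html import escape
from html.parser import HTMLParser

CONTAINERS = {"script", "applet", "object"}   # dropped with everything inside
# Constructed sample page; report() and collect() are placeholder names.
SAMPLE = ('<body onload="report()"><script>collect()</script><p>News &amp; weather</p>'
          '<a href="JavaScript:report()" class="x">more</a><applet code="P.class">x</applet>'
          '<embed src="p.swf"><img src="logo.gif" onerror="report()"></body>')

def is_script_url(value):
    # Browsers ignore whitespace and control characters inside the scheme.
    return re.sub(r"[\x00-\x20]", "", value or "").lower().startswith("javascript:")

class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. as written
        self.out, self.depth = [], 0               # depth > 0: inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in CONTAINERS:
            self.depth += 1
        if self.depth or tag == "embed":           # embed has no end tag
            return
        kept = [(k, v) for k, v in attrs if not k.startswith("on") and not is_script_url(v)]
        self.out.append("<" + tag + "".join(
            f" {k}" if v is None else f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_startendtag(self, tag, attrs):
        if tag not in CONTAINERS:                  # a self-closed <object/> is dropped
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in CONTAINERS:
            self.depth = max(0, self.depth - 1)    # tolerate stray end tags
        elif not self.depth and tag != "embed":
            self.out.append(f"</{tag}>")

    def emit(self, text):                          # text is kept only outside dropped elements
        if not self.depth:
            self.out.append(text)
    def handle_data(self, data): self.emit(data)
    def handle_entityref(self, name): self.emit(f"&{name};")
    def handle_charref(self, name): self.emit(f"&#{name};")

def strip_active_content(page):
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out)
```

Comments and the doctype are not re-emitted, because the parser's default handlers for them do nothing.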