Bugtraq mailing list archives

Re: Serious security holes in web anonymizing services


From: jeremey () TERISA COM (Jeremey Barrett)
Date: Tue, 13 Apr 1999 23:56:25 -0500


On Tue, Apr 13, 1999 at 08:14:49PM +0200, Patrick Oonk wrote:
From: "Richard M. Smith" <smiths () tiac net>
Subject: Serious security holes in Web anonymizing services
Date: Sun, 11 Apr 1999 19:23:25 -0400
Newsgroups: comp.security.misc
Organization: The Internet Access Company, Inc.

I found very serious security holes in all of the major
anonymous Web surfing services (Anonymizer, Aixs, LPWA, etc.).
These security holes allow a Web site to obtain information about
users that the anonymizing services are supposed to be hiding.  This
message provides complete details of the problem and offers
a simple work-around for users until the security holes are
fixed.

(...)


With the Bell Labs and NRL systems I found a different
failure.  With a simple JavaScript expression I was
able to query the IP address and host name of the
browser computer.  The query was done by calling the
Java InetAddress class using the LiveConnect feature
of Netscape Navigator.  Once JavaScript has this
information, it can easily be transmitted back to a
Web server as part of a URL.

A demo on the use of Java InetAddress class to fetch
the browser IP address and host name can be found at:

   http://www.tiac.net/users/smiths/js/livecon/index.htm

If you are a user of any of these services, I highly recommend
that you turn off JavaScript, Java, and ActiveX
controls in your browser before surfing the Web.
This simple precaution will prevent any leaks of
your IP address or cookies.  I will be notifying all 4 vendors
about these security holes and hopefully this same recommendation
will be given to all users.


I'm sorry, but this just isn't a "hole" or "failure" in Onion Routing (which
I work on) or any other anonymizing service. It's a problem with
Javascript/Java and ActiveX. The fact is that browsers don't consider IP
addresses as private information, and IMO this needs to change, or at least
be optional.

I'll speak about Onion Routing since I don't know the Bell Labs system as
well. Onion Routing is designed to prevent traffic analysis. It is _not_
designed to prevent the client and server from communicating in any
particular fashion they choose. If the client wants to give its IP, name,
phone number, height, weight, or eye color to the server, that's its
business, it is not the business of Onion Routing. There are many cases
where one might want to share a real identity, or some pseudo-identity, with
a server, but not want anyone in between to know you were talking to that
server. Often this same functionality also prevents the server from knowing
anything about the client, but that is not a requirement of the system.

Onion Routing provides a network strongly resistant to traffic analysis in
the face of formidable attacks. It prevents anyone other than A and B from
knowing that A and B are communicating. It has nothing to do with what
information A shares with B.

That said, the Javascript thing is pretty annoying. This problem doesn't
affect just anonymizing-service users, it also affects anyone behind a
firewall or any sort of "internal network structure hiding" scheme. The fact
that it's transparent to the user is a major issue. This is one to take up
with the browser makers.

It would be possible to use an HTTP proxy to filter the Javascript, of
course, and that could be built into the Onion Routing proxy, but that's
only a band-aid hack, and doesn't solve the core problem.

Regards,
Jeremey.
--
Jeremey Barrett <jeremey () terisa com>
GPG fingerprint = 7BB2 E1F1 5559 3718 CE25 565A 8455 D60B 8FE8 B38F
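Jeremey's closing remark suggests filtering the JavaScript at an HTTP proxy as a band-aid. As an added illustration (not code from this thread or from the Onion Routing project), this Python response filter drops the script, applet and object elements the thread names, plus inline on* handlers and javascript: URLs, and runs over a constructed sample page; all names and the sample are assumptions.

```python
import html
from html.parser import HTMLParser

# Dropped with their whole subtree: the vectors the thread names
# (JavaScript, Java applets via LiveConnect, ActiveX controls via <object>).
ACTIVE_ELEMENTS = {"script", "applet", "object"}

class ActiveContentFilter(HTMLParser):
    """Re-serialise HTML minus active elements, on* handlers and javascript: URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a dropped element
    def _emit(self, text):
        if self.skip_depth == 0:
            self.out.append(text)
    def _tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            # Drop inline handlers (onload=...) and javascript: URLs (href/src/action).
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                continue
            parts.append(name if value is None else f'{name}="{html.escape(value)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1  # swallow everything up to the matching end tag
        else:
            self._emit(self._tag(tag, attrs, False))
    def handle_startendtag(self, tag, attrs):  # self-closing form, e.g. <img ... />
        if tag not in ACTIVE_ELEMENTS:
            self._emit(self._tag(tag, attrs, True))
    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        else:
            self._emit(f"</{tag}>")
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): pass  # dropped: old pages hid script bodies in comments

def strip_active_content(page):
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out)

# Constructed sample (not from the thread): a page that tries each vector.
SAMPLE = ('<body onload="probe()"><p>A &amp; B</p><script>probeAndReport();</script>'
          '<applet code="P.class"></applet><a href="javascript:probe()">x</a><img src="/i.gif" /></body>')
```

Proxy-side stripping of this kind is what Jeremey calls a band-aid: it does nothing for content delivered over channels the proxy cannot rewrite, so the browser-side setting he and Smith point to remains the real fix.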
