Security Holes in Web Privacy Program

[InfoSec News <isn () c4i org>]

Forwarded from: "eric wolbrom, CISSP" <eric () shtech net>

http://finance.lycos.com/home/news/story.asp?story=27257112


By D. IAN HOPPER AP Technology Writer

WASHINGTON (AP) - A popular Internet privacy service that lets Web 
surfers visit sites anonymously has fixed several serious flaws, and 
now the service's founder is offering a reward to the finder of the 
bugs.

Bennett Haselton, an Internet filtering activist who runs the 
Peacefire Web site, found the problems with Anonymizer.com, a 
five-year-old service that shields users from tracking by Web sites 
and their Internet providers.

Haselton ``came up with a new way of exploiting (Web) standards,'' 
Anonymizer president Lance Cottrell explained Monday. ``They're 
pretty subtle.''

Many major commercial sites cringe when security researchers find a 
hole. But Anonymizer actually encourages it through a ``bug bounty.''

Haselton's reward: three free years of the Anonymizer service, which 
costs $50 a year. Cottrell said the offer stands for anyone else who 
can find security holes in the service.

``We are always actively soliciting people to attack it,'' Cottrell 
said. ``Trying to hide and keeping your head down is always the wrong 
answer.''

Ordinarily, Web sites collect lots of information about visitors, 
including the Internet address that can lead to a visitor's 
geographic location, as well as shopping habits and previous Web 
travels.

Anonymizer keeps the visitor's information secret by standing between 
the customer's Web browser and the desired Web site.

Customers can use Anonymizer through the company's Web site or with a 
downloadable program. The service allows Web users to keep personal 
information away from marketing sites, or to keep their bosses from 
seeing their Web surfing at work.

For example, a person could use Anonymizer's service to visit the 
FBI's tip site and offer information truly anonymously.

The methods Haselton developed, though, could be used on a Web site 
to determine where the visitor is really coming from and negate the 
effectiveness of Anonymizer.

Independent researchers who find security holes frequently get a cold 
reception from Web sites. Internet companies complain that the 
researchers are more interested in notoriety - the rush to release 
their find - than customer safety.

The battle between the two sides has prompted several security firms, 
along with Microsoft Corp., to advocate limited disclosure of 
security holes. This has brought even more controversy among security 
experts.

Cottrell said his company doesn't know of any Web sites that used 
Haselton's methods to defeat the privacy program.

``Our customers are very open with us,'' Cottrell said. ``I'm sure we 
would have heard about it.''



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.