Politech mailing list archives

FC: SafeWeb fixes JavaScript problems -- but is that enough?


From: Declan McCullagh <declan () well com>
Date: Sat, 16 Feb 2002 10:45:40 -0500

JavaScript problems found in SafeWeb's service:
http://www.politechbot.com/p-03134.html

SafeWeb pledges to fix them:
http://www.wired.com/news/ebiz/0,1272,50424,FF.html

---

From: "Sandra Song" <sandra () safeweb com>
To: <declan () wired com>
Cc: <dm () cs bu edu>, "Ari Schwartz" <ari () cdt org>
Subject: SafeWeb closes holes
Date: Fri, 15 Feb 2002 12:47:48 -0800

Hello -- Just wanted to inform you that we have completed the patch we
promised, and we have implemented the changes so that PrivaSec users
can now turn off JavaScript on their browsers and still have some
functionality when surfing the Web anonymously. This solves all
problems pointed out in the paper by Martin and Schulman.

Regards,
====================
Sandra Song
Communications Director
SafeWeb, Inc.
(510) 601-8855 x108
sandra () safeweb com

---

From: "David Martin" <dm () cs bu edu>
To: "Sandra Song" <sandra () safeweb com>
Cc: <declan () wired com>, "Ari Schwartz" <ari () cdt org>,
        "Andrew Schulman" <undoc () sonic net>
Subject: RE: SafeWeb closes holes
Date: Fri, 15 Feb 2002 17:26:31 -0500

Sandra,

I'm sure your licensees will be pleased.  Thanks for letting me know too.  I
thought you might decide to block JavaScript more thoroughly, either with a
new configuration mode, or with an extra roundtrip like Anonymizer uses.
That amounts to removing the JavaScript part of your "faithfulness"
requirement, which was part of your claimed competitive advantage, as well
as the enabler of most of the vulnerabilities that we described.

I did notice that the vulnerability we noted in the last paragraph of our
section 6.2 remains unaddressed.  So this patch really doesn't fix all the
vulnerabilities that we mentioned, although it does fix almost all of them.
Are you planning to filter out PDFs, DOCs, etc., or are you leaving that up
to your licensees to handle?  Or are users supposed to know that some
document types are not safe to click around in?

Finally, I feel a need to distinguish between "problems" and
"vulnerabilities".  Your patch does address most of the vulnerabilities we
mentioned, but it's a little misleading to say that this technical fix
addresses all of the problems that we described.  For example, it remains
problematic that your FAQ stated that JavaScript was no privacy threat and
that other companies were wrong in thinking so.  Either you knew better than
that or you should have.  Our paper contains several other examples of
problems with the security process along these lines, and such problems
can't be addressed with a patch.

Sincerely,
David

---

Date: Fri, 15 Feb 2002 18:40:58 -0800
From: Andrew Schulman <undoc () sonic net>
To: David Martin <dm () cs bu edu>
Cc: Sandra Song <sandra () safeweb com>, declan () wired com,
        Ari Schwartz <ari () cdt org>, Andrew Schulman <undoc () sonic net>
Subject: Re: SafeWeb closes holes

Hi Sandra,

I had a couple of questions about the "closes holes" fix which I see
has been put in place over at http://www.privasec.com. I know the
SafeWeb company isn't really responsible for the PrivaSec site, but
since that's the only way we have right now of testing the SafeWeb
anonymizing technology, I'll refer below to PrivaSec:

(1) How are users being informed that they need to turn off JavaScript
in their browsers if they want to prevent some easily-launched (though
hopefully uncommon) attacks by malicious parties? I didn't see
anything at the PrivaSec site indicating the need to turn off
JavaScript. What sort of communication is SafeWeb sending to its
licensees regarding the possible need to turn off JavaScript when
visiting some sites?

(2) Does SafeWeb still "strongly recommend" that users have scripting
turned on?

(From SafeWeb's old FAQ: "SafeWeb strongly recommends that you turn on
both JavaScript and cookies in your Web browser preferences, as they
will substantially improve your SafeWeb browsing experience.")

(3) I know you say that "This solves all problems pointed out in the
paper by Martin and Schulman," but if I go to the newly-fixed PrivaSec
site, keep scripting turned off in my browser, do a bit of safe
browsing with PrivaSec/SafeWeb, then turn scripting back on, any
subsequent site can still easily snarf all my cookies from the other
sites I visited when scripting was turned off. The ability for any
site someone visits, under SafeWeb's auspices, to see any cookies
deposited by other sites, still strikes me as *nuts* for any
security/privacy product. Can the product be fixed to get rid of this?

(4) Okay, this one may seem like it falls in the "beating a dead
horse" or "history is bunk" department, but:

Would SafeWeb continue to maintain that its support for JavaScript was
a major competitive advantage over Anonymizer.Com? For example, from
an email Jon Chun sent me about a year ago: "While other web-based
privacy services such as Anonymizer only rewrite HTML, SafeWeb rewrites
HTML, DHTML (including JavaScript, VBScript, CSS), Flash 3,4,5 and
most Java.  So yes, SafeWeb rewrites JavaScript code and many others
as well so millions of rich websites like mtv, sony, hotmail, etrade,
webvan work via SafeWeb even though they break via Anonymizer."

Wouldn't these same sites now break under SafeWeb, with the "closes
holes" fix in place? It seems to me a bit unfair that SafeWeb got to
compete with Anonymizer on the basis of SafeWeb's support for
JavaScript, when it now turns out that SafeWeb's support for
JavaScript can apparently only be "fixed" by turning *off* JavaScript.

I mean, really: SafeWeb says it supports JavaScript. We find the
JavaScript support is easily attacked. SafeWeb responds with: "Users
can turn off JavaScript. This fixes the problem."

It's very "have your cake and eat it too" that SafeWeb could (in its
salad days) have trumpeted how it supported JavaScript when its
competitors didn't, and then when we find that its support for
JavaScript was in fact quite poor, and that its competitors had good
reasons for being far more cautious about JavaScript, the SafeWeb
company now says "Oh, the problem is easy to fix. Users should just
turn off JavaScript in their browsers." Talk about passive
aggressive. I'd have hoped the company would have been big enough to
just admit, "Yeah, our JavaScript support was a bad joke and we should
never have released it. We knew it wouldn't withstand the simplest
attack but we released it anyway because we figured no one would ever
attack it."

Anyway, that's my interpretation of this small incident.

Thanks much,
Andrew

--
Andrew Schulman
Software litigation consultant
Chief Researcher, Workplace Surveillance Project, Privacy Foundation, US
undoc () sonic net
http://www.privacyfoundation.org/workplace
http://www.undoc.com
phone 707-570-2058
cell 707-477-3766

---



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

