SafeWeb's anonymous-surfing technology is not that safe

Declan McCullagh declan at well.com
Tue Feb 12 17:40:02 EST 2002


The Martin-Schulman paper:
http://www.cs.bu.edu/techreports/pdf/2002-003-deanonymizing-safeweb.pdf

PrivaSec's free SafeWeb-licensed service: (username: demo, password: secure)
http://www.privasec.com/regusers/demolaunch.htm

---

http://www.wired.com/news/politics/0,1283,50371,00.html
   
   SafeWeb's Holes Contradict Claims
   By Declan McCullagh (declan at wired.com)
   12:35 p.m. Feb. 12, 2002 PST
   
   WASHINGTON -- SafeWeb's anonymous-surfing technology turns out not to
   be very safe after all.
   
   A pair of researchers has unearthed flaws in the CIA-funded product
   that contradict the company's claims of "complete privacy" and reveal
   the supposedly confidential information of customers.
   
   Founded in April 2000, SafeWeb marketed an advertising-supported
   service said to allow users to browse the Web anonymously. In
   interviews, SafeWeb CEO Jon Chun boasted that the technology had been
   "through the rigors of the CIA's stringent review process, which far
   exceeds those of the ordinary enterprise client."
   
   Citing the economic downturn, SafeWeb abandoned the free service in
   November 2001. It has licensed its anonymizing technology to another
   company, PrivaSec, which currently offers the service for free and
   plans to charge for it soon.
   
   In a paper (PDF) released on Tuesday, David Martin, a Boston
   University computer scientist, and Andrew Schulman of the Privacy
   Foundation say that SafeWeb's assertions were more hopeful than true.
   
   They say, and SafeWeb has acknowledged, that flaws in the company's
   architecture allow a website to use JavaScript to obtain the concealed
   Internet address of the visitor. Because of SafeWeb's centralized
   technology, that page can also download a browser's cookies and obtain
   copies of subsequent Web pages visited during that session.

   [...]



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------


----- End forwarded message -----
