In
Murphy’s Law and Computer Security [59], Venema described how early users of the “booby
trap” feature of the TCP wrapper defense system might have been more vulnerable
than those who didn’t use TCP wrappers at all.
This paper gives a contemporary example of this effect in the computer
privacy realm: we show how the SafeWeb anonymizing service can be turned into a
weapon against its users by malicious third parties, and how this weapon can
inflict more damage on some of them than would have been possible if they had
never encountered SafeWeb.
Unfortunately, the problems we describe do not seem to admit an easy fix
consistent with SafeWeb’s design requirements.
The SafeWeb anonymizing service was designed to let users
disguise their visits to Web sites so that nearby firewalls would not notice
the visits, and so the Web sites could not identify who was visiting them. Our findings allow malicious firewalls or
Web sites to quietly undermine SafeWeb’s anonymity properties by tricking a SafeWeb
user’s browser into identifying itself.
In response, the user’s browser reveals not only its IP address, but may
also reveal all of the persistent cookies previously established through the
SafeWeb service. The adversary can
also modify the SafeWeb code running on its victim’s browser so that it
receives copies of all of the pages subsequently visited by the SafeWeb user
during that browser session.
Ordinary Web browsers are susceptible to such extreme
privacy violations only in the presence of serious browser bugs. Vendors usually treat such bugs as urgent
problems and try to fix them very quickly.
But the SafeWeb problems are no mere bugs: they are symptoms of incompatible
design decisions. The exploits
described here are not complicated; the authors spent only 3-4 days developing
the attacks. Programmers experienced in
networking and Web technologies should be able to produce them at a similar
pace.
The SafeWeb company has been aware of these
vulnerabilities since May 2001, and possibly earlier, but did not acknowledge
them publicly until February 2002. The
SafeWeb FAQ [43] went so far as to say that claims about privacy
threats from JavaScript – which are central to our attacks – were simply false
and that JavaScript by design prevents any privacy abuses (see Figure 1). Meanwhile,
the mainstream press enthusiastically embraced the SafeWeb service [5,25,34,55]. Thus, most
SafeWeb users have had no reason to suspect that the service might put them at
any unusual risk.
|
How does SafeWeb tackle JavaScript?
There have been numerous claims, mainly by privacy
companies, that JavaScript by itself is very dangerous to your privacy, and
that pages containing JavaScript should not be allowed through their privacy
servers. These claims are false.
JavaScript is no more "dangerous" than HTML.
By design, JavaScript was limited in its feature set to prevent any abuse of
your computer or privacy. Therefore, it is harder to make JavaScript code
secure than it is to secure HTML, but it is certainly not impossible.
SafeWeb analyzes all JavaScript code that passes through
our servers and sanitizes it so that you can maintain your normal browsing
habits while still remaining safe from prying eyes. The same is true for
VBScript.
|
Figure 1: Excerpt from SafeWeb FAQ, October
2001
To mount these attacks, an adversary must lure a SafeWeb
user to a Web page under the adversary’s control. The Web page does not have to be located at the adversary’s Web
site: using cross-site scripting vulnerabilities [6, 33,49,52], the adversary only needs to lure the victim to a
particular URL on one of many vulnerable Web sites. The attacker also needs to control a Web or equivalent server
somewhere in order to receive the sensitive data.
We proceed with some background in Section 2. In Sections 3 and 4 we describe the SafeWeb
design. In Section 5 we describe our
attacks and related threats, and we discuss possible remedies in Section
6. We give pointers to related work in
Section 7 and discuss the impact of our attacks in Section 8. In Section 9 we summarize some responses to
our attacks. We conclude in Section 10.
2. Background
The promise of anonymizing services is, for better or
worse, to keep user IP addresses out of routinely collected log files. This
might help opponents of oppressive regimes, it might help someone for whom the
phrase “right to privacy” equates to surfing porn at work, or it might help
planners of terrorist attacks. (Although in practice, a plain old Hotmail
account seems to be the tool of choice for al-Qaida [31].)
The SafeWeb anonymizing service was the first offering of
SafeWeb Inc., a privately held company founded in April 2000 and based in
Emeryville, CA. Partners and investors
in the SafeWeb effort include the Voice of America (the U.S.’s foreign
propaganda service) [41], and In-Q-Tel, a C.I.A.-funded venture capital firm
[40].
The company launched its anonymizing service in October 2000. By March 2001, they considered it the “the
most widely used online privacy service in the world” [44]. SafeWeb
licensed its anonymizing technology to PrivaSec LLC as part of that firm’s
planned subscription privacy service in August 2001 [45]. By October, SafeWeb was serving over 3,000,000 page
views per day. The following month,
SafeWeb suspended free public access to the service, citing financial
constraints [28]. Then in a
December 2001 press release, they wrote that they were considering
reestablishing the service, possibly on a subscription model [42].
Although SafeWeb’s particular advertising-supported
privacy service was gone at the time this paper was completed, its technology
lives on, and we continue to refer to it primarily as SafeWeb. Our attacks can currently be witnessed
through a technology preview program at PrivaSec’s Web site [36].
The SafeWeb service was designed to offer two main
benefits to its users: censorship avoidance and anonymization.
Censorship avoidance requirement. SafeWeb’s
censorship avoidance is meant to help people avoid content blocking systems
that normally restrict their activities.
The two main types of blockers are national censors and corporate
security managers, both of whom control firewalls that enforce their
policies. Censorship avoidance in this
context means encrypting the content so that it will pass through the content
blocking system intact. (An obvious censor response is to block access to the
SafeWeb service. SafeWeb countered with
its “Triangle Boy” system to hide its own IP address from the censors [39],
but this is unlikely to be the last word in this arms race; see Section 7 for pointers to other approaches.) Users concerned
with censorship avoidance consider their adversary to be located close to their
own computer and may not perceive any threat from the Web sites they want to
visit.
Anonymity requirement. SafeWeb’s anonymization
benefits users who wish to conceal their identities from the Web sites they
visit. This notion of “identity” is not
precisely defined, but it certainly includes the user’s IP addresses and
cookies at unrelated Web sites. Anonymity can also be considered a sort of
second order censorship avoidance, for when censorship initially fails to keep
illicit works off of the market, it can still effectively reduce access by
intimidating authors and readers. For
example, the Directorate for Mail Censorship in Romania under Ceausescu
collected handwriting and typewriter samples from its population for this
purpose [35].
In support of these primary goals, SafeWeb also observed
these auxiliary requirements, which have the effect of making the SafeWeb
service accessible to a very large user base:
Faithfulness requirement. The service should reproduce the sites visited by the user as
faithfully as possible. Specifically,
it should sanitize and support most content types, even cookies and
JavaScript.
Usability requirement. A service that is not fast will not get used, nor will one (such
as PGP 5.0 [63]) that is too complex for the target market. So the service must have quick response time
and overall ease of use.
No-mods requirement. Many of the intended users of the system are not free to install
software or even reconfigure their Web browsers; furthermore, they may not have
the technical skills required to do so even if it were permitted. Visitors to public facilities (e.g., cyber
cafés and libraries) should be able to use the service, as should corporate
employees who are not allowed to customize their computers.
Figure 2 contains a schematic diagram of SafeWeb’s
technology. Their service is
implemented through a URL-based content rewriting engine. In order to “safely” visit the page http://www.bu.edu,
a user requests a URL such as https://www.safeweb.
com/o/_o(410):_win(1):_i:http://www.bu.edu.
A simple form at the SafeWeb site automatically performs this
transformation for the user. This is
consistent with the no-mods requirement.
Given this transformed URL, the user’s Web browser builds
an SSL connection to safeweb.com. Since
SSL encryption hides the URL request from intervening censors, this implements
the censorship avoidance requirement.
Behind the scenes, SafeWeb obtains the page http://www.bu.edu,
sanitizes it, and returns it to the user.
This step comprises the anonymity requirement, since the Web site
merely sees a request for data from the SafeWeb site and not the user’s own
computer. SafeWeb manipulates the
user’s browser display to make the resulting page appear to come from http://www.bu.edu
(thus contributing to faithfulness).
But internally, the user’s Web browser considers it an SSL page
delivered from safeweb.com.
Sanitization is the crucial operation in realizing
faithfulness without violating anonymity.
The page requested by the user is likely to contain URL references to
other Web content such as embedded images, hyperlinks, cascading style sheets,
frames, etc. S
