SafeWeb's Holes Contradict Claims

The once-ballyhooed anonymizing Web service that received CIA funding is shown to have flaws. The company downplayed the recent discovery. Declan McCullagh reports from Washington.

WASHINGTON -- SafeWeb's anonymous-surfing technology turns out not to be very safe after all.

A pair of researchers has unearthed flaws in the CIA-funded product that contradict the company's claims of "complete privacy" and reveal the supposedly confidential information of customers.

Founded in April 2000, SafeWeb marketed an advertising-supported service said to allow users to browse the Web anonymously. In interviews, SafeWeb CEO Jon Chun boasted that the technology had been "through the rigors of the CIA's stringent review process, which far exceeds those of the ordinary enterprise client."

Citing the economic downturn, SafeWeb abandoned the free service in November 2001. It has licensed its anonymizing technology to another company, PrivaSec, which currently offers the service for free and plans to charge for it soon.

In a paper (PDF) released on Tuesday, David Martin, a Boston University computer scientist, and Andrew Schulman of the Privacy Foundation say that SafeWeb's assertions were more hopeful than true.

They say, and SafeWeb has acknowledged, that flaws in the company's architecture allow a website to use JavaScript to obtain the concealed Internet address of the visitor. Because of SafeWeb's centralized technology, that page can also download a browser's cookies and obtain copies of subsequent Web pages visited during that session.

Even SafeWeb's "paranoid" mode doesn't fulfill its promise. "Paranoid mode is supposed to remove everything that's dangerous but it doesn't come close to removing everything," says Martin, a co-author of the paper.

SafeWeb, like other anonymizing technologies, works by allowing customers to connect to the safeweb.com or privasec.com servers. Those servers make the outgoing connection to the destination website, cloaking the customer's identity in the process.

In an interview, SafeWeb officials would not commit to fixing their product's bugs, even though the Martin-Schulman paper features example code that an attacker could use to invade the privacy of someone who relies on the technology. Martin tipped the firm off to the security holes last fall, and said he received no substantive response.

Chun, SafeWeb's CEO, said: "I'll have to look at what's involved here. I'll have to talk to our guys to see what would be involved in taking our (revised) JavaScript engine and giving it to PrivaSec."

SafeWeb's reluctance to bug-fix seems to be a product of the economic downturn: Because of the collapse of the advertising market, SafeWeb essentially stopped supporting its service and licensed it to PrivaSec. "The license to PrivaSec is probably in the thousands of dollars," Chun said. "It's more a question of us giving the technology to a good cause. It's not a major revenue stream."

While SafeWeb still operates the servers used by PrivaSec, it has turned its attention to trying to sell its SEA Tsunami extranet technology.

"Every anonymizing service has bugs," Chun said. "Let's start with that premise. Let's not single out SafeWeb as worse than anyone else. It's easy to say that we have more bugs because we do more things."

Lance Cottrell, president of rival anonymizer.com, acknowledges that glitches are inevitable in anonymizing services, but says all of his "have been fixed within 24 hours. When a bug comes along, we drop everything and fix it. That's the priority, all hands on deck. Always."

Currently, anonymizer.com filters out JavaScript for security reasons, but Cottrell said he will be launching a JavaScript-compatible version next month. "The first thing we did was (we) sat down and cracked SafeWeb nine ways from Wednesday," Cottrell says. "We developed a very clear understanding of what not to do and made very certain that there were no exploits."

"This is an example of what happens when the designers of the underlying system have a different security model from the designers of SafeWeb," says Simson Garfinkel, the author of Web Security, Privacy and Commerce. "The set of requirements to make a secure JavaScript implementation are different from the requirements required to secure SafeWeb."

Based in Emeryville, California, SafeWeb was an instant media darling after claiming in press releases (PDF) that its "patent-pending privacy technology" would allow customers to "surf the Web in complete privacy." It won a "Best of the Web" award from PC World and landed an investment from the CIA's venture capital arm, In-Q-Tel.

SafeWeb's Chun once claimed SafeWeb's security had been "through the rigors of the CIA's stringent review process," raising the possibility that the CIA knew about the security holes and allowed them to persist.

Stephen Hsu, chairman of SafeWeb, confirmed this. "They were aware of these capabilities but they did not deem it to be a threat," Hsu said.