From: Declan McCullagh (declan@well.com)
To: politech@politechbot.com
Date: Tue, 12 Feb 2002 17:36:43 -0500
Subject: FC: SafeWeb's anonymous-surfing technology is not that safe

The Martin-Schulman paper:
http://www.cs.bu.edu/techreports/pdf/2002-003-deanonymizing-safeweb.pdf

PrivaSec's free SafeWeb-licensed service: (username: demo, password: secure)
http://www.privasec.com/regusers/demolaunch.htm

---

http://www.wired.com/news/politics/0,1283,50371,00.html

SafeWeb's Holes Contradict Claims
By Declan McCullagh (declan@wired.com)
12:35 p.m. Feb. 12, 2002 PST

WASHINGTON -- SafeWeb's anonymous-surfing technology turns out not to be very safe after all.

A pair of researchers has unearthed flaws in the CIA-funded product that contradict the company's claims of "complete privacy" and reveal the supposedly confidential information of customers.

Founded in April 2000, SafeWeb marketed an advertising-supported service said to allow users to browse the Web anonymously. In interviews, SafeWeb CEO Jon Chun boasted that the technology had been "through the rigors of the CIA's stringent review process, which far exceeds those of the ordinary enterprise client."

Citing the economic downturn, SafeWeb abandoned the free service in November 2001. It has licensed its anonymizing technology to another company, PrivaSec, which currently offers the service for free and plans to charge for it soon.

In a paper (PDF) released on Tuesday, David Martin, a Boston University computer scientist, and Andrew Schulman of the Privacy Foundation say that SafeWeb's assertions were more hopeful than true.

They say, and SafeWeb has acknowledged, that flaws in the company's architecture allow a website to use JavaScript to obtain the concealed Internet address of the visitor. Because of SafeWeb's centralized technology, that page can also download a browser's cookies and obtain copies of subsequent Web pages visited during that session.

[...]