Bugtraq mailing list archives

Re: Serious security holes in web anonymizing


From: cmw32 () CAM AC UK (Chris Wilson)
Date: Thu, 15 Apr 1999 22:49:04 +0100


Greetings,

On Sun, 11 Apr 1999, DaRk[V]0c wrote:
Let's say you have a network and a firewall which links this network to
the external world. In the anonymizer service, the proxy is OPTIONAL,
that is, packets do not necessarily have to go through the proxy. In a
network-firewall case, packets MUST go through the firewall. It's not
physically or logically possible that packets go around that. Therefore,
the anonymizing service keeps still.

What you say about the capabilities of the firewall is true, in the sense
that the JavaScript exploits will reveal the firewall's address instead of
the user's address. However, the Java exploit will execute on the user's
machine, and hence know its IP address. This information CAN be passed
back through the firewall.

Many companies which use firewalls also use non-routable addresses for
the machines protected by them (such as 192.168.*.*). Such information is
not very useful to a third party unless they can identify which network
(e.g. the firewall's address) the internal address belongs to. Firewall
address + user address is probably enough to identify an individual user
in this case.

However, from the descriptions of the exploits, the use of JavaScript (to
obtain the firewall address) and the use of Java (to obtain the client
address) appear to be mutually exclusive in some cases. In other cases, or
with other services, they are not exclusive and it would be possible to
obtain both.

In any case it is simply impossible to be completely anonymous on the
Internet, because packets must find some way to reach the client. The fact
that anonymising services do not keep logs of their users makes tracing
significantly harder, but what if an anonymiser was hacked? The hacker
would make light work of identifying individual users. IMHO, nobody should
ever rely on being completely anonymous on the web.

I agree with the original poster that anonymising services should remove
all Java and JavaScript from all web pages. However, the way that these
services work relies on certain assumptions which may not always be true.
A better way to run an anonymiser would be as a real proxy server, to
ensure that all web transactions were required to pass through it, but
this would be harder to configure and use.

Ciao, Chris.
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson <gcc () i am> Unix+Net+SQL+Java+RC5 |
/ (_ / ,\/ _/ /_ \ | Phone: England 01223 477360 (until June 1999) |
\__//_/_/_//_/___/ | Pager: England 07654 336007 (until I lose it) |
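A filter of the kind the post recommends, added here as an illustration and not part of the original message or of any anonymiser's own code: it removes `<script>`, `<applet>`, `<object>` and `<embed>` elements, inline `on*` handlers and `javascript:` URLs from HTML passing through a proxy, using Python's standard html.parser. The sample page, the applet class name and the handler names in it are constructed.

```python
import html
from html.parser import HTMLParser

ACTIVE_ELEMENTS = {"script", "applet", "object", "embed"}  # executed or plugin-loaded content


class ActiveContentStripper(HTMLParser):
    """Re-emit a page without active elements, inline on* handlers or javascript: URLs."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element being removed

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
        elif not self.skip_depth:  # tags nested in a removed element (e.g. <param>) are dropped
            parts = [tag]
            for name, value in attrs:  # HTMLParser lowercases tag and attribute names
                if name.startswith("on"):
                    continue  # any inline handler such as onload=...
                if value and value.strip().lower().startswith("javascript:"):
                    continue  # javascript: URL in href, src, ...
                parts.append(name if value is None else f'{name}="{html.escape(value)}"')
            self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(self.skip_depth - 1, 0)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # script bodies also arrive here and are dropped
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def strip_active_content(page: str) -> str:
    parser = ActiveContentStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)


# Constructed sample page; the script and applet stand in for the address-revealing ones discussed.
SAMPLE = (
    '<html><body><p>Hello &amp; welcome</p>'
    '<script type="text/javascript">document.write(location.host)</script>'
    '<applet code="Reveal.class"><param name="x" value="1"></applet>'
    '<a href="javascript:alert(1)" title="link">click</a><img src="pic.gif" onload="leak()"></body></html>'
)
```

Such a filter only helps for traffic that actually traverses the proxy, which is exactly the assumption the thread questions; an unclosed active element is treated as running to the end of the page.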
