SafeWeb Vulnerability - Fingerprinting Websites Using Traffic Analysis

["Andrew Hintz (Drew)" <mail.drew () overt org>]

SafeWeb Vulnerability
Fingerprinting Websites Using Traffic Analysis

===========
Overview
===========
SafeWeb's web anonymizing service is supposed to prevent outside
observers, such as a government, from observing the web surfing of
its users. It does this by encrypting the traffic between SafeWeb
and the user. I have discovered that by analyzing the amount of data
transferred to a user, it is possible to determine if a user is
viewing a certain website using SafeWeb. This attack can be used by
a government, such as the Chinese government, to monitor which of
its citizens are using SafeWeb to view seditious websites. SafeWeb
is partially funded by the CIA. SafeWeb's web anonymizing technology
has been recently licensed to PrivaSec.

===========
Details
===========
For details on the attack, please read my paper that's at:
http://guh.nu/projects/ta/safeweb/

===========
Code
===========
In my mind, you can't really have a good vulnerability announcement
without a matching exploit.  (just to um, show that it works... >:)
Get my code from
http://guh.nu/projects/ta/safeweb/fingerprint.pl

===========
Greetz
===========
Shout out to ghost.  word to your mom.  Oh yes, and the m4dn3ss
lives on.  How do you feel about that?

-- 
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--