SafeWeb users vulnerable


Online privacy technology vendor SafeWeb warned of security gaps in its software that could put users' identities at risk.

The flaws stem from the way the SafeWeb software handles JavaScript and its use of master cookies, which store cookie information from multiple sites.

Two researchers discovered the flaws: David Martin, a computer science professor at Boston University, and Andrew Schulman, a researcher at the Privacy Foundation. Martin and Schulman showed how they were able to trick a Web browser into divulging a user's IP address and cookie information. Political dissidents, consumers and government agencies use SafeWeb to protect their Web activity online.

"We have found that the SafeWeb service is seriously and fundamentally flawed," said Schulman. "Our paper documents spectacular failures of the service, based on extremely simple attacks."

SafeWeb was aware of the problems as early as last year, said co-founder and chief executive Stephen Hsu, but the company decided not to develop repairs after abandoning its consumer business and licensing its technology to PrivaSec in August.

PrivaSec chief executive Geoffrey Riggs acknowledged that "there are certain vulnerabilities to SafeWeb and SurfSecure secure surfing technology" and added that the company is working to develop patches. PrivaSec claimed that the "likelihood of such an attack on a user living in a free, non-politically-repressed society is relatively low."

Martin criticised this approach. "Frankly, I can't think of any other security system that is considered secure by nature of it being unlikely to be attacked," he said.

SafeWeb is used by thousands of politically oppressed people around the world to shield their Web activities.
