SafeWeb users vulnerable

Online privacy technology vendor SafeWeb warned of security gaps in its software that could put users' identities at risk.

The flaws stem from the way the SafeWeb software handles JavaScript and its use of master cookies, which store cookie information from multiple sites.

Two researchers discovered the flaw: David Martin, a computer science professor at Boston University, and Andrew Schulman, a researcher at the Privacy Foundation. Martin and Schulman showed how they were able to trick a Web browser into divulging a user's IP address and cookie information. Political dissidents, consumers and government agencies use SafeWeb to protect their Web activity online.

"We have found that the SafeWeb service is seriously and fundamentally flawed," said Schulman. "Our paper documents spectacular failures of the service, based on extremely simple attacks."

SafeWeb was aware of the problems as early as last year, said co-founder and chief executive Stephen Hsu, but the company decided not to develop repairs after abandoning its consumer business and licensing its technology to PrivaSec in August.

PrivaSec chief executive Geoffrey Riggs acknowledged that "there are certain vulnerabilities to SafeWeb and SurfSecure secure surfing technology" and added that the company is working to develop patches. PrivaSec claimed that the "likelihood of such an attack on a user living in a free, non-politically-repressed society is relatively low."

Martin criticised this approach. "Frankly, I can't think of any other security system that is considered secure by nature of it being unlikely to be attacked," he said.

SafeWeb is used by thousands of politically oppressed people around the world to shield their Web activities.
