TechTarget

SafeWeb users vulnerable

Online privacy technology vendor SafeWeb warned of security gaps in its software that could put users' identities at risk.

The flaws stem from the way the SafeWeb software handles JavaScript and its use of master cookies, which store cookie information from multiple sites.

Two researchers discovered the flaw: David Martin, a computer science professor at Boston University, and Andrew Schulman, a researcher at the Privacy Foundation. Martin and Schulman showed how they were able to trick a Web browser into divulging a user's IP address and cookie information. Political dissidents, consumers and government agencies use SafeWeb to protect their Web activity.

"We have found that the SafeWeb service is seriously and fundamentally flawed," said Schulman. "Our paper documents spectacular failures of the service, based on extremely simple attacks."

SafeWeb was aware of the problems as early as last year, said co-founder and chief executive Stephen Hsu, but the company decided not to develop repairs after abandoning its consumer business and licensing its technology to PrivaSec in August.

PrivaSec chief executive Geoffrey Riggs acknowledged that "there are certain vulnerabilities to SafeWeb and SurfSecure secure surfing technology" and added that the company is working to develop patches. PrivaSec claimed that the "likelihood of such an attack on a user living in a free, non-politically-repressed society is relatively low."

Martin criticised this approach. "Frankly, I can't think of any other security system that is considered secure by nature of it being unlikely to be attacked," he said.

SafeWeb is used by thousands of politically oppressed people around the world to shield their Web activities.
