Deanonymizing users of the Safeweb anonymizing service

Proceedings of the 11th USENIX Security Symposium

Volumn , Issue , 2002, Pages

  Martin, David ^a   Schulman, Andrew ^b  

^a BOSTON UNIVERSITY   (United States)

^b NONE   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

JAVASCRIPT; ONLINE PRIVACY; SPECIALIZED SOFTWARE; WEB SERVERS;

COMPUTER SYSTEM FIREWALLS;

EID: 85084162493     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (64)

1. Anurag Acharya and Mandar Raje. MAPbox: Using Parameterized Behavior Classes to Confine Untrusted Applications. Proceedings of the 9th USENIX Security Symposium, August 2000. http://www.usenix.org/publications/library/proceedings/sec2000/acharya.html
2. Anonymizer.com Web Anonymizing service. http://www.anonymizer.com/
3. Oliver Berthold, Hannes Federrath, and Stefan Köpsell. Web MIXes: A System for Anonymous and Unobservable Internet Access. In [13], pp. 115-129. http://www.inf.tu-dresden.de/~hf2/publ/2001/BeFK2001BerkeleyLNCS2009.pdf
4. Phillipe Boucher, Adam Shostack, and Ian Goldberg. Freedom System 2.0 Architecture. http://www.cs.mcgill.ca/~splinter/Freedom_System_2_Architecture.pdf
5. Seán Captain. In Kim Zetter (ed.), “Best of the Web 2001.” PCWorld.com, August 2001. http://www.pcworld.com/features/article/0,aid,52705,pg,2,00.asp
6. CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests. February 2000. http://www.cert.org/advisories/CA-2000-02.html
7. Jon Chun. “SafeWeb ‘Paranoid’ Sanitization kills JS bugs.” Usenet post to alt.privacy.anon-server, May 7, 2001. Message-ID: <3af72cfa.25210490@news. pacbell.net>
8. Ian Clarke, Oscar Sandberg, Brandon Wiley, and Theodore W. Hong. Freenet: A Distributed Anonymous Information Storage and Retrieval System. In [13], pp. 46-66. http://freenet.sourceforge.net/
9. Matt Curtin. Developing Trust: Online Privacy and Security, Case Study #1: Centralization Unexpectedly Erodes Privacy. pp. 140-154, Apress, December 2001.
10. Roger Dingledine, Michael J. Freedman, and David Molnar. The Free Haven Project: Distributed Anonymous Storage Service. In [13], pp. 67-95. http://freehaven.net/
11. Amerithrax: Seeking Information. FBI Web page, January 2002. http://www.fbi.gov/majcases/anthrax/amerithraxlinks.htm
12. Nick Feamster, Magdalena Balazinska, Greg Harfst, and Hari Balakrishnan. Infranet: Circumventing Web Censorship and Surveillance. Proceedings of the 11th USENIX Security Symposium, August 2002.
13. Hannes Federrath (Ed.). Designing Privacy Enhancing Technologies, Proc. Workshop on Design Issues in Anonymity and Unobservability. LNCS vol. 2009, Springer-Verlag, 2001.
14. Edward W. Felten and Michael A. Schneider. Timing Attacks on Web Privacy. Proceedings of ACM Conference on Computer and Communications Security, November 2000. http://www.cs.princeton.edu/sip/pub/webtiming.pdf
15. David Flanagan. JavaScript: The Definitive Guide (3rd ed.). O’Reilly & Associates, 1998.
16. Michael J. Freedman, Emil Sit, Josh Cates, and Robert Morris. Introducing Tarzan, A Peer-to-Peer Anonymizing Network Layer. Proceedings of 1st Intl. Workshop on Peer-to-Peer Systems, Cambridge, MA, March 2002. http://pdos.lcs.mit.edu/tarzan/papers.html
17. Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster. Dos and Don’ts of Client Authentication on the Web. Proceedings of the 10th USENIX Security Symposium, August 2001. http://www.usenix.org/publications/library/proceedings/sec01/fu.html
18. Li Gong, Marianne Mueller, Hemma Prafullchandra, and Roland Schemers. Going Beyond the Sandbox: An Overview of the New Security Architecture in the Java Development Kit 1.2. Proceedings of the USENIX Symposium on Internet Technologies and Systems, December 1997. http://www.usenix.org/publications/library/proceedings/usits97/full_papers/gong/gong.pdf
19. Thomas C. Greene. “SafeWeb Ain’t All That.” The Register, October 18, 2001. http://www.theregister.co.uk/content/archive/22331.html
20. Georgi Guninski. “Hotmail security hole - injecting JavaScript in IE using ‘@import url(http://host/hostile.css)’.” Usenet post to comp.lang.javascript, April 24, 2000. Message-ID: <8e1ils$f2u$1@nnrp1.deja.com>
21. Ethan Gutmann. “Who Lost China’s Internet?” The Daily Standard, February 15, 2002. http://www.weeklystandard.com/Content/Public/Articles/000/000/000/922dgmtd.asp
22. Andrew Hintz. Fingerprinting Websites Using Traffic Analysis. Proceedings of the 2nd Workshop on Privacy Enhancing Technologies, Springer LNCS, April 2002. To appear. http://guh.nu/projects/ta/safeweb/
23. Illinois Institute of Technology Research Institute. Independent Review of the Carnivore System – Final Report. December 8, 2000. http://www.epic.org/privacy/carnivore/carniv_final.pdf
24. David M. Kristol and Lou Montulli. HTTP State Management Mechanism. RFC 2965, October 2000. http://www.ietf.org/rfc/rfc2965.txt
25. Jennifer 8. Lee. “Punching Holes in Internet Walls.” New York Times, April 26, 2001. http://www.nytimes.com/2001/04/26/technology/26SAFE.html
26. Peter H. Lewis. “Peekaboo! Anonymity is Not Always Secure.” New York Times, April 15, 1999. http://www.nytimes.com/library/tech/99/04/circuits/articles/15pete.html
27. Major Malfunction and Ben Laurie. Java/Netscape/MSIE Cache Exploit. January 1997. http://www.alcrypto.co.uk/java/.
28. Gwendolyn Mariano. “SafeWeb Sidelines Anonymity for Security.” CNET News.com, November 19, 2001. http://news.cnet.com/news/0-1005-2007924173.html
29. David M. Martin Jr., Sivaramakrishnan Rajagopalan, and Aviel D. Rubin. Blocking Java Applets at the Firewall. Proceedings of the 1997 Internet Society Symposium on Network and Distributed System Security. http://www.cs.bu.edu/techreports/pdf/1996-026-java-firewalls.pdf
30. Microsoft Developer Network articles Q261188 and Q273903, regarding spurious SSL warnings in IE. http://support.microsoft.com/
31. Expert: Reid’s Bombs Very Explosive.” MSNBC.com, January 21, 2002. (Includes statements regarding use of e-mail by al Qaida terrorists.)
32. Netscape Corporation. “Persistent Client State HTTP Cookies.” Original specification, 1995. http://home.netscape.com/newsref/std/cookie_spec.html
33. “Obscure.” “Web Browsers vulnerable to the Extended HTML Form Attack.” February 6, 2002. http://eyeonsecurity.net/advisories/multple-webbrowsers-vulnerable-to-extended-form-attack.htm
34. David Orenstein. “With Liberty and Justice (and Political Dissent and Pornography) for All.” Business 2.0, December 2001. http://www.business2.com/articles/mag/0,1640,35075,FF.html
35. John Pike. Department of State Security (Departamentul Securitatii Statului - Securitate) – Romanian Intel. Federation of American Scientists Intelligence Resource Program, 1998. http://www.fas.org/irp/world/romania/securitate.htm
36. PrivaSec LLC Web site. http://www.privasec.com/
37. Michael K. Reiter and Aviel D. Rubin. “Crowds: Anonymity for Web Transactions.” ACM Transactions on Information and System Security 1(1):66–92, 1998. http://www.research.att.com/projects/crowds/
38. Paul Rubin. “Re: Hiding our IP.” Usenet post to alt.privacy.anon-server, May 6, 2001. Message-ID: <7xn18rt0lz.fsf@ruckus.brouhaha .com>
39. “Chinese Government Attempts to Block Access to SafeWeb.” SafeWeb Press Release, March 13, 2001. http://www.safeweb.com/pr_china.html
40. “In-Q-Tel Commissions SafeWeb for Internet Privacy Technology.” SafeWeb Press Release, February 14, 2001. http://www.safeweb.com/pr_inqtel.html
41. “SafeWeb and Voice of America Form Alliance to Free the Internet in China.” SafeWeb Press Release, September 17, 2001. http://www.safeweb.com/pr_voa.html
42. “SafeWeb Considers Restoring Online Consumer Privacy Service.” SafeWeb Press Release, December 10, 2001. http://www.safeweb.com/pr_revisits.html
43. SafeWeb FAQ Web page. 2001. (No longer active)
44. SafeWeb History Web page. 2002. (No longer active)
45. “SafeWeb Joins With PrivaSec to Provide Secure Surfing Component of Consumer Privacy Package.” SafeWeb Press Release, August 14, 2001. http://www.safeweb.com/pr_privasec.html
46. Andrew Schulman. “Computer and Internet Surveillance in the Workplace.” July 12, 2001. http://www.sonic.net/~undoc/survtech.htm
47. Andrew Schulman. “The ‘Boss Button’ Updated: Web Anonymizers vs. Employee Monitoring.” Privacy Foundation, April 24, 2001. http://www.privacyfoundation.org/workplace/technology/tech_show.asp?id=63&action=0
48. SiegeSurfer Anonymizing Service. 2002. http://www.siegesoft.com/.
49. Mark Slemko. “Microsoft Passport to Trouble.” November 2, 2001. http://alive.znep.com/~marcs/passport/
50. Richard M. Smith and David M. Martin Jr. “Email Wiretapping.” Privacy Foundation, February 2001. http://www.privacyfoundation.org/privacywatch/report.asp?id=54&action=0
51. Richard M. Smith. “Problems with Web Anonymizing Services.” April 15, 1999. http://www.computerbytesman.com/anon/anonprob.htm
52. Bob Sullivan. “Citibank Payment Service Said Flawed.” MSNBC.com, January 7, 2002.
53. Sun Microsystems. “Chronology of security-related bugs and issues.” 2002. http://java.sun.com/sfaq/chronology.html.
54. Paul Syverson, David M. Goldschlag, and Michael G. Reed. Anonymous Connections and Onion Routing. Proceedings of the IEEE Symposium on Security and Privacy, 44–54, Oakland, California, May 1997. http://www.onion-router.net/
55. Bob Tedeschi. “Privacy vs. Profits.” Ziff Davis Smart Business, September 12, 2001. http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2811883-1,00.html
56. Tmome. “Secure connection but still getting the ‘This page contains both secure and nonsecure items’ prompt.” Usenet post to microsoft.public.windows.inetexplorer.ie6.browser, November 16, 2001. Message-ID: <#L3ctDvbBHA.1900@tkmsftngp04>
57. Mark Twain. The Tragedy of Pudd’nhead Wilson. 1894. http://etext.lib.virginia.edu/railton/wilson/pwhompg.html
58. Peleus Uhley. Post to Bugtraq mailing list, February 13, 2002. Message-ID:
59. Wietse Venema. Murphy’s Law and Computer Security. Proceedings of the Sixth Usenix Security Symposium, July 1996. http://ftp.porcupine.org/pub/security/murphy.ps.gz.
60. Dan Verton. “Study: CIA’s In-Q-Tel ‘worth the risk’.” ComputerWorld, August 7, 2001. http://www.computerworld.com/storyba/0,4125,NAV47_STO62881,00.html
61. Marc Waldman and David Mazieres. Tangler: A Censorship Resistant Publishing System Based On Document Entanglements. Proceedings of the 8th ACM Conference on Computer and Communcation Security, November 2001. http://www.cs.nyu.edu/~waldman/tangler.ps
62. Marc Waldman, Aviel D. Rubin, and Lorrie Faith Cranor. Publius: A Robust, Tamper-evident, Censorship-resistant, Web Publishing System. Proceedings of the 9th USENIX Security Symposium, pp. 59-72, August 2000. http://publius.cdt.org/
63. Alma Whitten and J.D. Tygar. Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. Proceedings of the Eighth Usenix Security Symposium, August 1999. http://www-2.cs.cmu.edu/~alma/johnny.pdf
64. Alexander K. Yezhov. “Anonymous Access? Not Quite Yet.” Usenet post to alt.hackers.malicious, June 15, 2001. Message-ID: <9WpW6.125799$Be4.39212751@news3.rdc1.on.home.com>