COMMAND

    anonymous Web surfing services

SYSTEMS AFFECTED

    Anonymizer, Aixs, LPWA, etc.

PROBLEM

    Richard M. Smith found very  serious security holes in all  of the
    major  anonymous  Web  surfing  services  (Anonymizer, Aixs, LPWA,
    etc.).   These  security  holes   allow  a  Web  site  to   obtain
    information about users that the anonymizing services are supposed
    to be  hiding.   This advisory  provides complete  details of  the
    problem  and  offers  a  simple  work-around  for  users until the
    security holes are fixed.  This is more of a browser/Java issue.

    The best known of these  services is the Anonymizer.   However all
    four  services  tested  (Anonymizer,  Bell  Labs,  Naval  Research
    Laboratory and Aixs) basically work in the same manner.  They  are
    intended to  hide information  from a  Web site  when visited by a
    user.   The  services  prevent  the  Web  site  from seeing the IP
    address,  host  computer  name,  and  cookies  of a user.  All the
    services act as proxies fetching  pages from Web sites instead  of
    users going directly to Web sites.  The services make the  promise
    that they don't pass private information along to Web sites.  They
    also do no logging of Web sites that have been visited.  Note that
    the following was tested with Netscape 4.5.

    Unfortunately, it is possible to get all four systems to fail when
    using Netscape 4.5.  The most alarming failures occurred with  the
    Anonymizer and Aixs systems.  With the same small HTML page one is
    able to quietly turn off the anonymizing feature in both services.
    Once this page runs, it quickly redirects to a regular Web page of
    the  Web  site.   Because  the  browser  is no longer in anonymous
    mode, IP  addresses and  cookies are  again sent  from the  user's
    browser to  all Web  servers.   This security  hole exists because
    both services fail to properly strip out embedded JavaScript  code
    in all cases from HTML pages.
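
    The sketch below is an added example, not code from the advisory
    or from any of the services: a proxy-side filter that parses the
    page instead of pattern-matching it and re-emits it without active
    content.  The tags, schemes and sample page are assumptions chosen
    for illustration, not the cases the advisory found.

```python
import re
from html import escape
from html.parser import HTMLParser

DROPPED = {"script": 1, "applet": 1, "object": 1, "embed": 0}  # 1 = also skip content up to the closing tag
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "livescript:")  # assumed list

def is_active_url(value):
    # Browsers ignore whitespace and control characters in the scheme; remove them first.
    return re.sub(r"[\x00-\x20]+", "", value or "").lower().startswith(ACTIVE_SCHEMES)

class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded before values are inspected
        self.out, self.removed, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lower-cased
        if tag in DROPPED:
            self.removed.append(tag)
            self.skip_depth += DROPPED[tag]
        if tag in DROPPED or self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or is_active_url(value):
                self.removed.append(f"{tag}@{name}")  # event handler or script URL
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if DROPPED.get(tag):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in DROPPED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-encode the decoded text

def strip_active_content(page):
    parser = ActiveContentStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.removed

SAMPLE = ('<p>Hi</p><ScRiPt>go()</sCrIpT><body ONLOAD="go()">'  # constructed sample page
          '<a href="jav&#x61;script:go()">x</a><a href=" java\tscript:go()">y</a>'
          '<a href="/ok?a=1&amp;b=2">z</a><embed src="m.class"></body>')
```

    Comments and declarations are dropped as well, and an unclosed
    element from the dropped set swallows the rest of the page, so the
    filter fails closed.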

    With the Bell Labs  and NRL systems a different  failure was found.
    With a simple JavaScript expression one is able to query
    the IP address and host name  of the browser computer.  The  query
    can  be  done  by  calling  the  Java  InetAddress class using the
    LiveConnect feature  of Netscape  Navigator.   Once JavaScript has
    this information, it  can easily be  transmitted back  to a Web
    server as part of  a URL.  A  demo on the use  of Java InetAddress
    class to fetch the browser IP  address and host name can be  found
    at:

        http://www.alcrypto.co.uk/java/

SOLUTION

    If you are a user of any of these services, it is recommended that you
    turn off JavaScript,  Java, and ActiveX  controls in your  browser
    before surfing the Web.   This simple precaution will prevent  any
    leaks of your IP address or cookies.