From: "William H. Geiger III" <whgiii@invweb.net>
Date: Wed, 26 Nov 1997 00:12:04 +0800
To: Adam Back <aba@dcs.ex.ac.uk>
Subject: Security Risks in HTTP Proxy Agents (Re: Anonymizer rocks! (Re: Anonymity at any cost, from The Netly News))
In-Reply-To: <199711251009.KAA01273@server.test.net>
Message-ID: <199711251534.KAA20197@users.invweb.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----

In <199711251009.KAA01273@server.test.net>, on 11/25/97 
   at 05:09 AM, Adam Back <aba@dcs.ex.ac.uk> said:

>Mikhael Frieden <mikhaelf@mindspring.com>
>> >Anonymity At Any Cost
>> >by Declan McCullagh (declan@well.com)
>> 
>> >        When Lance Cottrell created an easy-to-use anonymous e-mail service
>> >	back in 1994, he feared that nobody would use it. "I used to be
>> >	worried that people didn't want anonymity enough to pay for it,"
>> >	he says. Today his company, Infonex, boasts 3,000 customers who
>> >	pay $60 a year to browse the Web without leaving behind digital
>> >	footprints. 
>> 
>>         Making the cookie read only and erasing previous additions does the
>> same thing for free. Cottrell is PT Barnum speaking. 

>That's no where near what the anonymizer does for you.

Absolutly, I can't beleive that Mikhael is *that* clueless.

>For $60 Lance gives a years use of an SSL connection to an anonymizing
>web proxy.  That means as well as stripping out the cookies, browser
>type, and other identifying info -- it means that your IP# isn't even
>listed, and what's more passive snoops (eg snoopy Feds) of net traffic
>into and out of infonex might have a bit of problem figuring out who was
>accessing what under the cover of SSL.  

>(Modulo traffic analysis -- web traffic is patchy, pauses in transfer
>will show through the SSL layer, so you would probably be better off
>browsing the dodgy stuff at peak web usage times, for the cover traffic.)

>I think Lance's success with this is tremendously good for privacy, and
>it is also a positive to see that some people do care enough about
>privacy to pay for it.

I had posted awhile back when these HTTP proxies first appeared about some
inherent security risks with using them.

The biggest problem with any proxy agent is one of trust. When one looks
at what a proxy agent does one can see the scary potentials for abuse.
Lets take the example of the Evil Proxy agent at www.nsa.gov.

Case #1

- -- User connects to Evil Proxy sending a request for it to retreive a web
page. -- Evil Proxy Logs who is connecting, time, and what web pages they
are requesting. -- Evil then retrieves the web pages and transmits them to
the user. -- Evil Proxy processes log data periodically to check for
either Bad User or Bad Web Page usage and flags such activity for the
Lea's.

Case #2

- -- User connects to Evil Proxy sending a request for it to retreive a web
page. -- Evil Proxy Logs who is connecting, time, and what web pages they
are requesting. -- Evil Proxy finds that web page in Bad Web Page list.
- -- Evil Proxy returns a forged web page to the user rather than the page
that the user requested. (imagine such a proxy being set-up to flag any
pgp.zip file requests and returning pgp_nsa_spoof.zip instead.) -- Evil
Proxy processes log data periodically to check for either Bad User or Bad
Web Page usage and flags such activity for the Lea's.

Case #3 (This is theoretical as I am not sure it is possessable with
current browsers)

- -- User connects to Evil Proxy sending a request for it to retreive a web
page. -- Evil Proxy Logs who is connecting, time, and what web pages they
are requesting. -- Evil Proxy finds that User in Bad User list.
- -- Evil Proxy returns the requested web page but also returns an extra
file which is saved to the Users HD without his knowledge (imagine storing
some kiddie porn gif's on a political opponents computer). -- Evil Proxy
processes log data periodically to check for either Bad User or Bad Web
Page usage and flags such activity for the Lea's.

A less damming case but still troublesome would be where Evil Proxy was
being run by commercial interest rather than governmental:

Case #4 (Not much different than Case #1)

- -- User connects to Evil Proxy sending a request for it to retreive a web
page. -- Evil Proxy Logs who is connecting, time, and what web pages they
are requesting. -- Evil then retrieves the web pages and transmits them to
the user. -- Evil Proxy processes log data periodically and sells it to
whomever want's it (Lea's, Spamford, GM, Microsoft, ... ect).

I think that you can see that the security of HTTP Proxies is the same for
a single E-Mail remailer. The natural evolution for these proxies is to
use chaining and encryption in the same way e-mail is processed through
remailers.

- -- Chaining of Proxies
- -- Multiple Layers of Encryption with the inner most layer being
end-to-end encryption.

HTTP proxies are good but still have a long way to go.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNHrvxo9Co1n+aLhhAQEZ2AP/XToQgVc9bgGZqupPUZUc14cXjiTLTYOn
tZFH8qy6fWnOyy6kz+zCZkn6R6rQ9nr7r1VTpVaYpA05hUzocO8YIDUBPlI6ZMBH
FJjFE/i3N4NK3IeS4w6nfDh1gV8OmHAB/oX++Fmv0zmLSFAgDDijHEf0LkrNkOTm
kwLlF+Pj8OY=
=hn/s
-----END PGP SIGNATURE-----