Anonymizer.com May Silently Fail to Encrypt Back-end Connections in Certain Specific Cases
SecurityTracker Alert ID: 1006212|
SecurityTracker URL: http://securitytracker.com/id/1006212
(Links to External Site)
Date: Mar 4 2003
Disclosure of authentication information, Disclosure of system information, Disclosure of user information|
Vendor Confirmed: Yes |
A vulnerability was reported in Anonymizer.com. A connection from the Anonymizer proxy to the destination server may not, in certain cases, be encrypted.|
It is reported that when a remote user clicks on an HTTPS link within an encrypted page rendered by Anonymizer.com, the connection from the Anonymizer proxy to the selected destination server may not be encrypted if the destination HTTPS server has a certificate that does not validate to the popular certificate authorities. In this case, the proxy will connect to the regular (unencrypted) HTTP port. According to the report, no indication is provided to the remote user. The remote user's connection to the proxy will remain encrypted.
This behavior may occur when the destination server has a self-signed certificate, according to the vendor.
According to the author of the report, if a remote user connects manually and directly to the destination server's HTTPS URL (instead of clicking on a link), the back-end connection is secured.
A remote user's ostensibly protected web communications may not be encrypted between the Anonymizer and the destination HTTPS server.|
No solution was available at the time of this entry.|
Vendor URL: anonymizer.com/ (Links to External Site)
Access control error, State error|
Source Message Contents
Date: Tue, 18 Feb 2003 20:03:08 +0100|
Subject: [Full-Disclosure] anonymizer.com doesn't use ssl on target website
-----BEGIN PGP SIGNED MESSAGE-----
The member service of anonymizer.com may encrypt traffic between
the client-browser and anonymizer.com-proxy using SSL, but whenever
you click on a SSL-link (say <a href="https://target.com">)
anonymizer translates that into a non-ssl link of the same address
This results in unencrypted, spoofable traffic between the anonymizer-
proxy and the target website. As the contact with an ssl-encrypted
target-website does certainly contain sensitive information (why
should it be SSL-encrypted otherwise?), it's probably not a good
idea to use the member services of anonymizer.com IMO - at least
not on SSL-target-sites.
Vendor-support was contacted, but first ignored the impact of that
"That's fine... our service keeps your connection secure."
and then did not answer to the second email within five days.
That might be an indication that anonymizer.com is not very
security-oriented in other aspects also. (?)
Want hear Ancient Music In The Pines?
Must find remote. Must change channel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.