SecurityTracker.com
Category:   Application (Security)  >   Anonymizer
Vendor:   Anonymizer.com
Anonymizer.com May Silently Fail to Encrypt Back-end Connections in Certain Specific Cases
SecurityTracker Alert ID:  1006212
SecurityTracker URL:  http://securitytracker.com/id/1006212
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 4 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Anonymizer.com. A connection from the Anonymizer proxy to the destination server may not, in certain cases, be encrypted.

It is reported that when a remote user clicks on an HTTPS link within an encrypted page rendered by Anonymizer.com, the connection from the Anonymizer proxy to the selected destination server may not be encrypted if the destination HTTPS server presents a certificate that does not validate against the widely trusted certificate authorities. In this case, the proxy instead connects to the server's regular (unencrypted) HTTP port. According to the report, no indication of the downgrade is provided to the remote user; the user's own connection to the proxy remains encrypted.

This behavior may occur when the destination server has a self-signed certificate, according to the vendor.

According to the author of the report, if a remote user connects manually and directly to the destination server's HTTPS URL (instead of clicking on a link), the back-end connection is secured.
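
The silent downgrade described above, beside a fail-closed alternative, as an added Python example that is not Anonymizer's code: the hostname selfsigned.example and the fake opener are constructed so the example runs offline.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse, urlunparse

class UpstreamNotSecured(Exception):
    """Raised when the back-end hop cannot be made over validated TLS."""

def _cert_failure(err):
    # urlopen wraps TLS errors in URLError; the underlying error is err.reason
    return isinstance(err.reason, ssl.SSLCertVerificationError)

def fetch_silent_downgrade(url, opener=urllib.request.urlopen):
    """The behaviour the advisory describes: if the HTTPS certificate does not
    validate, quietly retry the same host over plain HTTP and return the body.
    Returns (body, scheme actually used); the caller sees no difference."""
    try:
        return opener(url).read(), "https"
    except urllib.error.URLError as err:
        if not _cert_failure(err):
            raise
        plain = urlunparse(urlparse(url)._replace(scheme="http"))
        return opener(plain).read(), "http"

def fetch_fail_closed(url, opener=urllib.request.urlopen):
    """Hardened form: the back-end hop is validated HTTPS or nothing, and a
    certificate that does not validate is surfaced to the caller."""
    if urlparse(url).scheme != "https":
        raise UpstreamNotSecured(f"refusing non-HTTPS back-end URL {url}")
    try:
        return opener(url).read(), "https"
    except urllib.error.URLError as err:
        if _cert_failure(err):
            raise UpstreamNotSecured(f"certificate for {url} did not validate: {err.reason}") from err
        raise

# Constructed stand-in for urlopen so the example runs offline: the hypothetical host
# selfsigned.example fails TLS validation as a self-signed certificate would.
class _FakeResponse:
    def __init__(self, body): self._body = body
    def read(self): return self._body

def fake_opener(url):
    parts = urlparse(url)
    if parts.scheme == "https" and parts.hostname == "selfsigned.example":
        raise urllib.error.URLError(ssl.SSLCertVerificationError("self signed certificate"))
    return _FakeResponse(f"{parts.scheme}://{parts.hostname}".encode())
```

With the fake opener, the first fetcher quietly returns a body fetched over http://, while the second raises and leaves the proxy free to show the user an error instead of plaintext.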

Impact:   A remote user's ostensibly protected web communications may not be encrypted between the Anonymizer and the destination HTTPS server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  anonymizer.com/
Cause:   Access control error, State error
Underlying OS:  

Message History:   None.


Source Message Contents

Date:  Tue, 18 Feb 2003 20:03:08 +0100
Subject:  [Full-Disclosure] anonymizer.com doesn't use ssl on target website


The member service of anonymizer.com may encrypt traffic between 
the client-browser and anonymizer.com-proxy using SSL, but whenever
you click on an SSL link (say <a href="https://target.com">) 
anonymizer translates that into a non-ssl link of the same address 
(say http://target.com).

This results in unencrypted, spoofable traffic between the anonymizer-
proxy and the target website. As the contact with an ssl-encrypted 
target-website does certainly contain sensitive information (why 
should it be SSL-encrypted otherwise?), it's probably not a good
idea to use the member services of anonymizer.com IMO - at least 
not on SSL-target-sites.

Vendor-support was contacted, but first ignored the impact of that
programming error

	"That's fine... our service keeps your connection secure."

and then did not answer the second e-mail within five days.

That might be an indication that anonymizer.com is not very
security-oriented in other aspects also. (?)


Greetingz
Ka
-- 
Want hear Ancient Music In The Pines?
Must find remote. Must change channel.
http://www.khidr.net/users/ka/pgpkey.asc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Copyright 2013, SecurityGlobal.net LLC