Archive for the ‘Security Breaches’ Category

Lawsuit filed to stop history sniffing

Monday, December 6th, 2010

In this post from early 2008 I talked about a technique for detecting what sites you had visited. Almost 3 years later about 66% of users are still vulnerable to this attack according to a study (paper here) from the University of California, San Diego published in October 2010.

This study further showed that this vulnerability is being widely and actively exploited. Of the top 50,000 sites (based on Alexa ranking) 485 access information that could be used to discover browser history and 46 were confirmed to be actually performing this attack. One of those 46 was in the top 100 websites on the Internet (youporn.com).

On December 2, 2010 two Californians filed suit against youporn.com alleging that they are using this technology to exploit a browser vulnerability to gather private data without disclosing that they were doing so. They are seeking class action status for this suit.

If this succeeds it would set an interesting precedent and open a new path to enforcing privacy rights in the absence of specific legislation.

Our Facebook hack has been automated

Monday, October 25th, 2010

This article on TechCrunch reports on a new Firefox plugin called Firesheep that automates the process of taking over another user’s Facebook session.

This is really just an automation of something we demonstrated in the Anonymizer Labs section of our website a while back.

Excellent EFF post on failures of Cryptography regulation

Thursday, October 21st, 2010

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea.

The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance and constitutional issues).

Revenge of the Clipper Chip?

Wednesday, September 29th, 2010

This NYTimes article discusses a bill which the Obama administration is proposing to submit to Congress. The general background of the bill is that evolving technology has made it more difficult for law enforcement to conduct effective wiretaps and other intercepts because much of the targeted communication now takes place on the Internet and is often encrypted.

The actual text of the proposed bill does not appear to be available, but the article lists the following likely requirements.

  1. Communications services that encrypt messages must have a way to unscramble them.
  2. Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
  3. Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

The first of these is similar to the CALEA law which requires telecommunications carriers to design their services to enable automated real time intercepts. While this generally sounds reasonable when “we” say it, the idea is more ominous when coming from some other governments.

The second of these feels uncomfortably familiar. See my past blog posts (and here) on the attempts of privacy-hostile countries to require similar concessions from RIM.

The third proposal is completely outrageous. In effect it says that I may not speak in a way which is unintelligible to the wiretappers. As a colleague quipped, “I am hiring Navajo code talkers.” This would require a back door be inserted into cryptography tools. Experience shows that any crypto system with such a back door will be breached and then left vulnerable to the enormous number of criminal hackers on the Internet today.

In 1993 the US Government proposed a system called the “Clipper Chip” which would provide all encryption for personal computers, but to which the US Government would have back door access. This was a terrible idea then, it was widely ridiculed, and suffered a well-justified death by 1996. This third proposal would be much worse. It is asking huge numbers of non-crypto experts to build back doors into their systems. Frankly, the cryptography in most software is already badly broken in many cases. Something as subtle and complex as a secure and effective law enforcement back door would be far beyond their abilities and render currently poor security completely untrustworthy.

All this is not to mention the potential abuse by oppressive regimes, who will pounce on the capability to further crush dissent within their countries. Finally, it will be largely ineffective against serious threats. Very strong and easy to use cryptography is already available worldwide, for free (GPG, Zfone, TrueCrypt, etc.). This is a classic case of damaging the innocent while leaving the guilty and dangerous unaffected.

It seems to me that there is a pendulum swing to these things. Technology cuts both ways. Sometimes it favors the interceptor and sometimes it favors the communicator. In most ways the Internet has been a fantastic boon to law enforcement. Cloud computing, email hosts, social networking, open WiFi, and huge hard drives that encourage people to save everything all provide law enforcement with enormous amounts of information they could never have collected in the past.

It may not be shocking to anyone that there is no federal push to make that more difficult to access while pushing to enhance their ability to intercept encrypted communications.

All this is argument about a bill we have not seen yet. Let us hope that the furor that has swirled around it will cause it to be retracted or modified significantly before it is actually delivered to Congress.

Jillian C. York » Haystack and Media Irresponsibility

Tuesday, September 21st, 2010

I have been reading about this “Haystack” anti-censorship tool for a while, but have withheld comment up to now. The above linked article seems to justify my reticence.

This tool has been a media darling, hyped in many different publications, but try as I might I have never been able to find out any solid information about what it actually does. Just a lot of marketing hype.

It now looks like the system was well-intentioned snake oil. I still have not seen it, so this is all hearsay. Unfortunately it can be very difficult for the average person to tell the difference. One thing to look for is transparency in security systems. No security system should rely on assuming the enemy will not work out how it operates. It absolutely must be secure even if the opponent knows everything.

Other good signs are the experience and reputation of the author, the length of time the tool has been in use, and published analysis by other independent security experts.

As it turns out, media hype has a very poor correlation with real security.