Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Effective Is SafeWeb?

Posted by Cliff on from the protecting-your-privacy-or-digital-snale-oil dept.

Microsift asks: "I just found this site a couple of days ago and it seems pretty cool. It claims that it encrypts everything that goes through your browser so that no one can tell who you are or what you are doing. Does this kind of technology work? Why isn't everyone using it?"

3 of 9 comments (clear)

  1. Just a proxy by bconway · · Score: 2

    After using it for a while, the speed became apparent that it's just a public proxy server for HTTP/FTP. Not a new idea by any means, but certainly a clever way of phrasing it. Unfortunately, it's extremely slooowwww.

    --
    Interested in open source engine management for your Subaru?
  2. Fairly good, but at least one major issue! by seaan · · Score: 3
    The website does not contain a lot of details, but the basic philosophy seems to be sound. Assuming they got the details correct (the methods of handling cookies, Java, JavaScript, etc.), they should be able to prevent many covert methods of identification.

    The major issue I have is that SafeWeb works as a SSL man-in-the-middle. This dramatically changes my scope of trust. At first you might think you just have to trust them to keep you anonymous. But this SSL issue means you also have to trust that they do not view or modify any SSL traffic from the target site. I'm not sure about how to still keep your location private, but I would much prefer some method of doing end-to-end encryption with the target site.

    Here are a few other thoughts about the technical details. One area of concern is how through are they about redirecting web requests, for example I was thinking this currently would not foil a web-bug. There is also little SafeWeb can do for you when you voluntarily breach your anonymous veil, except for the cookie management. Don't expect this site to work as a means of getting past censorware, because you can bet they will block it under every category!

    I wonder what type of servers they are using. Sounds like they need lots of SSL processing (fair disclosure, I've helped design commercial SSL Accelerators). That will probably make this website a bit more expensive to run. I also wonder about internal security, both because of the SSL issue, and the fact you would expect spies to be interested in knowing more about anyone who wants to be anonymous. In particular, obtaining the SafeWeb SSL private key could be potentially quite valuable.

    Finally, you should consider the trust and business models. As mentioned above, you have to trust SafeWeb, as a company, not to store or reveal your information. I'm a little cynical about advertising supported businesses, because I think they have lots of motivation to increase the amount of information they know about you. Still, their privacy statement as it stands now looks good. If you plan on using SafeWeb (for non-SSL transactions), I'd keep a careful eye on the privacy statement to make sure it remains good.

    1. Re:Fairly good, but at least one major issue! by torinth · · Score: 2

      Ok. When a co-employee of mine left for another gig, I had to do research into what they were doing in order to see if there were any possible intellectual property issues to be dealt with. He had left for a company much like SafeWeb, although I won't mention the name here.

      The basis idea is that thye act as a full-scale proxy for all your requests. That means that everything you do goes through them. And they are pretty thourough. every url gets changed on the pass through, if it's just going via a cgi-script, and then there are a few companies that actually act as right-out http-proxies.

      Anyway...

      Here are a few other thoughts about the technical details. One area of concern is how through are they about redirecting web requests, for example I was thinking this currently would not foil a web-bug.

      Yeah. they do actually. The web bug acts just like any other document being requested. The people who placed the web bug will only get SafeWeb's redirector machine ALOT. But not you.

      I wonder what type of servers they are using. Sounds like they need lots of SSL processing

      Yeah. you're definately right on that one. In fact, they need alot of processing just to reinterpret all the html data... It's a huge effort, and I'm not sure how SafeWeb is handling cost, but I find it very unlikely that it's a model that could possibly succeed using just ad revenue. It's really compute-intensive (and bandwidth-intensive) to have everyone's traffic run through and edited by your machines.

      That's all I've got for now. I'm sleepy. -Andrew