Public Notice - How to hack SAFE Browser Plugin users

The SAFE Browser Plugin currently does not secure your browsing session, and you are easily de-anonymized.

The way the browser plugin works is by redirecting all network requests to urls with “.safenet” in them, to the local port on your computer where the SAFE Launcher is running. This is extraordinarily insecure, and your web traffic can easily be compromised by using it.

The insecurity of the plugin is the downloaded proxy rules from the .pac file. The URL you added to your browser told it to download a list of rules that controls where your internet traffic goes. If an attacker wanted to read all of your internet traffic, they can intercept you downloading this .pac file, and replace it with their own proxy rules, making all of your page/image/file requests go through them.

Furthermore, the browser plugin does nothing to prevent clearnet traffic requests. If you’re on a *.safenet website, your browser will still download any images hosted on the regular web (the clearnet).

Firefox’s developer tools showing that even when you go to a .safenet URL, your browser is still downloading and mixing SAFEweb content with clearweb content.

But not just images, your browser will also download and run javascript files, stylesheets, and all other web resources.

And as the show stopper, google analytics tracking code is still run on safenet websites. Just include their code on your webpage, and anyone visiting your site will run it automatically. Several people are doing this to you right now on their own safesites.

Because of these issues, you are now uniquely identified as a SAFE user, and can be individually targeted as such.

I’ve written a simple guide to patching the SAFE Browser Plugin security hole. It eliminates the risk of a middleman attack, and stops the invasive clearnet downloading. So check that out if you want to protect yourself.

This is a community outreach and educational post, SAFE is still in alpha and I’m listing some of its alpha-version limitations.

19 Likes

Fantastic post!

I recommend using chrome/chromium in private mode, and do this technique. Use firefox/iceweasel for regular browsing. Or vice versa. Nobody should be using safenet and clearnet at the same time! Tor and I2P warned users millions of times. This is no exception. Lastly, make sure cookies, history, everything is cleared once you’re done with safenet.

This way you’re more “safe”. :smiley:

4 Likes

Done. Thanks for the advice and excellent step by step. Safenet…unbeatable.

4 Likes

Thank you!

I recommend against using chrome. It has a verrry nasty habit of automatically enrolling you into their “login to your browser and have all your favorites/bookmarks/browsing history/passwords follow you!”. That of course means they’re uploading your passwords to their servers :wink:

I’d like anyone who uses the google chrome browser to follow these steps to view your saved passwords and to triple-check that it’s not uploading them all to google.

I’m very happy to hear I wrote it well enough so that it was so easy :blush:

6 Likes

It’s this sort of thing that makes security and privacy hard. I understand this is a test but for folks like me, I just want to be able to download, run and use something without having to jump through hoops (that I’m not even that good at jumping over) in order to retain my security and privacy. I hope one day I can just download a SAFE launcher, browse the network, upload, download, farm etc. without having to have a degree in data security. _A browser would be easiest for this sort of thing._ Whoops I take that back…

5 Likes

Your instructions were so beautifully written. Clear, to the point, and not very technical. This style of tutorial presentation has a wider reach than super technobabble. I understand that some literature can’t sacrifice certain technical details, but others sometimes seem forced as if engaging in intellectual masturbation. I did stupid shit like that when I was a kid. I’m so happy I got over that nonsense. :heart_eyes: Thank you for reminding me of the beauty of not being pretentious and pointlessly formal. :relaxed:

1 Like

You hit the nail on the head.

I hope SAFE gets there some day, and I know it will, because David talked specifically about having the launcher as 1,2,3, you’re in. But currently there are limitations, and I think for users like you who want that abstraction, you deserve a clear notice when the launcher starts of its capabilities.

:blush: You know how to make a grown man blush.

Are there any other tutorials or information guides you wanted for SAFE? I quite enjoy spending time on it.

2 Likes

Very good tips and well written, thanks.

Do you recommend any firefox plugins to easily handle the back and forth between the safenet and clearnet?

2 Likes

A tutorial for site publishing would be nice. At least one user was confused as to how to do it properly. One too many in my book.

It should also inform the reader that if they previously created an account with the same public ID as their current one, they will not be able to publish their site. They must create a new account with a different public ID.

This was an issue for me and at least one other. Keep an eye on the forum and I’m sure you’ll find more ideas to help people. Thanks for being so helpful and part of the community! :relaxed:

2 Likes

I love FoxyProxy for Firefox, it looks frightening but has great features.

That’s a great idea too! User-friendly guides could help grow the community and show how easy it is to set up their own SAFEsite for free :grin:

I’ll keep a lookout! Cheers!

5 Likes

Uhm, it’s a rehash of this discussion from a day ago:

Edit: you misunderstand the proxy function and rules.
The Web isn’t supposed to be browsed through the proxy - that remains unchanged (and so your fix doesn’t really fix anything).
The danger is that one’s proxy server could be replaced without him knowing.

2 Likes

This isn’t a rehash, the thread you quoted doesn’t explain all the issues. It’s not a matter of just a man in the middle attack. It’s the reality that a lot of users don’t realize there are currently safenet websites with generic tracking code and targeting pixels that are right now correlating them with their SAFE browsing.

I made the dangers very clear in the screenshots of before and after patching the proxy settings. All of those youtube requests are logging IP address, are you currently logged in to youtube, where is the video embedded (a safenet website!), and all tracking cookies you have from the google content network.

The threat is more serious than mentioned because I showed it’s currently being done, and that there are currently several safe sites where the uploader inserted google analytics tracking code and can see community members’ geographic locations, device information, browsing patterns…

5 Likes

Go to http://prueba.piluso.safenet/ if it shows your IP, it is not fixed.

1 Like

It’s a rehash of that and another post. Does this sound familiar?

So, by making a connection to the SafeNet test servers and being in this Web site you have ID’d yourself as a SafeNet user.
Anyone who’s made a connection to the visualizer host made it to the list of SafeNet users that is maintained by your friendly government officials,

It is true that you can get further ID’d, down to the (un)SAFE site level, if you go to a site that forces you to make a request to clearnet, but in places where this matters visiting any SAFE site will get you in trouble. But that too was discussed, and a workaround provided, in the second link I post here.

1 Like

Perhaps they have that list, but who cares, all your traffic will hopefully go dark anyway once the launcher goes to release. They know you use Tor too, but so what. Once the move from clearnet to cryptonet happens, it’s all a gray fog.

1 Like

Go to http://prueba.piluso.safenet/ if it shows your IP, it is not fixed.

Arghhh, so many security experts, so little time!

Of course it shows your IP because you visited the freaking site.

The “proxy everything to SAFE launcher” setting, if applied, makes it impossible to visit the Internet - it doesn’t make SAFE act as your proxy (if it did, you wouldn’t be safe anyway, because it’d be a one hop proxy; unlike the dreaded Tor).

Blocking yourself off the Internet is a poor man’s approach.
We’re back to square one: basically one has to be very careful which SAFE sites he visits, because JavaScript and Flash and other gizmos can harbor attack code. That was never in doubt, of course.

Maybe it’d make some sense to use Tor Browser with a special rule for .safenet.
Being cut off from the rest of Internet doesn’t provide additional security because your connections are single-hop to Digital Ocean…

Hopefully no dissidents were harmed in testing of this MVP.

4 Likes

The SAFE Launcher is absolutely acting as a proxy, but that doesn’t mean it’s a VPN, which seems to be what you’re describing. It’s not encrypting or obfuscating it.

The point of proxying it through the launcher is because the launcher cannot route to the clearweb, it literally can’t find youtube.com.

It’s a hack to fix a major security threat that will probably be closed in the next release.

3 Likes

It’s acting as a proxy that doesn’t proxy clearweb. The rules say “proxy any .safenet traffic, and don’t proxy the rest”.

Close, what the patch is doing is saying “here route all this traffic”, and the launcher only knows how to route the .safenet URLs. It can not route the packets so their requests fail.

The distinction is astronomic between a * whitelist with one blacklisted type, and a * blacklist with a single whitelisted type.

The launcher isn’t saying “route all but deny this one”, it’s saying “route none but allow this one”.

1 Like
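
The two rule sets being contrasted above, written out as an added example that is not part of the original thread and is not the plugin's actual .pac file. `LAUNCHER` is a placeholder (the thread does not state the launcher's port), the function names are hypothetical, and the resource list is constructed.

```javascript
// PAC files are JavaScript: the browser calls FindProxyForURL(url, host) per request.
// LAUNCHER is a placeholder; the real launcher address is not given in the thread.
const LAUNCHER = "PROXY localhost:LAUNCHER_PORT";

// Browsers supply dnsDomainIs() to PAC scripts; minimal stand-in so this runs in Node.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain);
}

// Default behaviour described in the thread: proxy .safenet, send the rest direct.
function defaultRules(url, host) {
  return dnsDomainIs(host, ".safenet") ? LAUNCHER : "DIRECT";
}

// Patched behaviour: every request goes to the launcher, which can only
// resolve .safenet names, so clearnet requests fail instead of leaving directly.
function patchedRules(url, host) {
  return LAUNCHER;
}

// Audit helper: which of a page's resources would bypass the launcher
// and reach the clearnet from the user's own IP address?
function clearnetLeaks(findProxyForURL, resourceUrls) {
  return resourceUrls.filter((u) => {
    const host = new URL(u).hostname;
    return findProxyForURL(u, host).trim().toUpperCase().startsWith("DIRECT");
  });
}

// Constructed sample: resources a .safenet page might reference.
const SAMPLE_PAGE_RESOURCES = [
  "http://blog.example.safenet/index.html",
  "http://blog.example.safenet/style.css",
  "https://www.youtube.com/embed/VIDEO_ID",
  "https://www.google-analytics.com/analytics.js",
  // Clearnet host that merely contains ".safenet"; a suffix match treats it as clearnet.
  "https://tracker.safenet.example.com/pixel.gif",
];

console.log("default rules leak:", clearnetLeaks(defaultRules, SAMPLE_PAGE_RESOURCES));
console.log("patched rules leak:", clearnetLeaks(patchedRules, SAMPLE_PAGE_RESOURCES));
```

Under the default rules the three clearnet resources are fetched directly; under the patched rules nothing is, at the cost of losing clearnet access in that browser profile.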

Yes, I was talking about the SAFE Launcher as-is (provided by MaidSafe).
The changed approach cuts you off the Web as I observed earlier.

As I mentioned in the superlong topic about the beginning of this test, they didn’t organize this well and this confusion about which part does what and how has been more than evident.

That’s the worst part of it, that the gates were opened to all without clear instructions. Anyone who followed them (and the less technical users certainly used the default proxy settings) and set up an iwantdemocracyinX.safenet with some YouTube links could now be in trouble. And the fact that no such links were posted on the forum doesn’t mean that no such sites have been set up.

Another thing to point out is that this oversight, while most likely not deliberate, is a sign of things to come. It’s going to take a while (years?) until subtle security issues are understood (and of course they won’t be known immediately - I don’t expect governments to start competing for SAFE security bounties anytime soon).