I got confused by that behavior and assumed it was deliberate, I even asked @frabrunelle to put links on his web and safe sites (cloned) to compare in two tabs…I thought it was kind of cool, obviously not reading this.
ok, I double checked
using unconditional proxy rule with 127.0.0.1:8101 in icecat, whichever socks4 socks5, remote DNS or not,
the launcher DOES transmit HTTP requests to clear web.
HTTPS doesn’t go through in any case.
Well, simply speaking:
- Let’s say you work for some NGO that doesn’t have money for ridiculous amounts of bandwidth (assuming no mobile, etc.) so they tell all employees to set their browser to localhost:3128. Then there they create the following settings:
  - Pass through all requests for Web sites on LAN
  - Also allow access to all requests to .gov and .org sites
- Now you can access your local portal and some intranet Web site, you can also go to whitehouse.gov or someNgo.org, but you can’t go to facebook.com and x-videos.com. Great! For the organization, I mean.
What SAFE Launcher did was make this even more convenient.
Why is that bad? Well, for example, I create a cute Web site that references “stuff” from the Web. Now, because your proxy passes that stuff through, it gets fetched. A more sinister “application” is depicted below.
It’s easy to imagine how that would work at the NGO from the example above:
- you access whitehouse.gov
- whitehouse.gov has President’s tweets and FB posts, but
- since your admin blocked those, in place of that 3rd party content you’d see only empty space (like when you display ad-infested pages with AdBlock turned on).
But then the clueless users would complain to the boss and the boss would order the admin to unblock everything.
SAFE Launcher works that way, it makes things convenient, but it is precisely users of .safenet that may not want this kind of convenience. (But, as I said several times already, the fact that you access this forum, and that you downloaded the s/w, etc. was probably enough to put you on the metadata collecting list, so it’s not a huge deal in itself).
I think we’ll see 2 options when using The SAFE Network.
Highly Secure
- Only trust the Apps and browser provided by Maidsafe and other open source providers.
- This user won’t be able to surf the “normal internet”. Browser fully sandboxed and only shows .safenet sites.
Less secure but easier to use “Mixed Browsing”
- Use a plugin for your browser or use a browser that supports both the normal internet and .safenet sites.
- Use the Apps from Maidsafe and other open source providers
Like I said earlier, I don’t see a reason to use a dedicated browser just for safe, as long as the SAFE launcher doesn’t allow for interconnection with the clearnet. But there must be a reason for that, let’s see what they’ll say.
But if it doesn’t allow for the interconnection with the clearnet, what is that but a dedicated browser? You saw that people like “nice” above have helpful browser settings that fire up Google to help you automatically find the right link. So all it takes is one 404 link to refer you to Google.
Also you can’t run “virtual browser processes” on a “per tab” or “per window” basis.
I kind of understand the resistance to Tor (not invented here, SAFE is different, etc.), but let’s recall the current situation is a problem precisely because of this reason. Tor was suggested months ago by both me and Tonda and maybe other users as well. Instead of thinking “security first”, nebulous topics such as safe:// link tricks and what not were all the rage.
This is a rolling release, we have not put safecoin etc. in place or similar. So this is a test to show safe sites etc. work. Of course using mixed browsers/proxies will cause leaks just like smtp/safe messaging bridges will.
I am delighted to see the community seeing all this first hand. There are of course many easy ways to stop this and make sure when you are SAFE you are SAFE, but it will mean you are entirely in SAFE and not cross pollinating to other places. It’s all easy, but seeing bridges in action and discussing them is very good. If you remember a while back there were many requests to allow smtp/messaging links and that would be the same. So it’s great the discussion is happening.
In terms of us not allowing a browser in http or similar to be secure, then that’s outside our remit I feel. What we can do is allow folks secure data/communications/sites/uploads/downloads, but we cannot secure http or https snooping if folk choose that route. But that may be OK.
Like normal users will choose every route and lose some security in certain actions, like browsing. Some will choose the SAFE only browser and that choice should be theirs. Our job is to show all this and then make it abundantly clear what choice the user is making. In the case of browsers it may well be a bundled browser only for SAFE. We will see in the coming weeks and months. Main thing is even browsing can be secure. As for the other parts, it’s good to not confuse browsing with other SAFE activities like messaging / data storage etc. We will roll out new parts continually and as such we all get to see the choices and not a fait accompli.
The possibilities are all ours, the choices we will make will ensure folk know exactly what they get and involving the community at this stage is already proving critical. So all good I say
Awesome response. And I think the bundled safe browser idea is awesome but also leaving a choice for whichever browser as long as risks are clearly stated, that is informative enough yet able to connect with a layman, will help them make the right choice. Having safe and the clearnet in the same environment is obviously not a great choice and I’ve never ever heard the team say that it would work. Constant discussion of bridges to the clear net always turned up fruitless. So I figured it wasn’t any showcasing of perfect security on the part of snooping etc. If this current ability is to stick around I could see people’s concerns but if there are disclaimers or warnings and better options such as a legit safe browser and people staying within the network then that’ll do for lil ol me
I think we’re misunderstanding each other here, let me try to clarify.
Right now the proxy from the SAFE launcher does allow connections to sites that are hosted on the SAFE network AND to the clearnet. So if you load a *.safenet site which has http content embedded (google-analytics, vimeo, youtube, what have you), then this content will load the same way as if you wouldn’t use a proxy. Using the Tor browser won’t change that.
If the proxy is changed so it only allows connections to “sites” hosted on the SAFE network, then a typo like http://really.compromizing-stuff.safeney would just time out, because it is not reachable through. The same is true for embedded content, if the launcher only allows traffic via its proxy to the SAFE network, nothing from the clearnet will load.
@dirvine: I’m not sure I fully understand your answer to be honest
While I agree that the choice should be in the hand of the user, I’m not sure I understand your answer. Will the launcher always allow connections outside of the SAFE network, and if so, why?
That is, at least for me, the major concern. I don’t think it should be possible for people to use ANY kind of embedded content from the clearnet on SAFE site, like we’re seeing right now (analytics, youtube, google fonts, etc). So any insight would be really appreciated
The launcher doesn’t allow connections to the clearnet. It is your browser that does.
I disagree. The moment I manually set the proxy to localhost:8101 all traffic goes through that specific proxy. If you change the port from 8101 to 8102, nothing works anymore, because there is no proxy listening on that port.
My expectation would be that everything that comes through the proxy for the SAFE launcher on 8101 to the clearnet gets blocked and only hosts that end with safenet are allowed.
I’m sounding like a broken record, but I really don’t understand the need to allow outside traffic and I’d like to get the point
The safe launcher could help. It could pass CSP headers in its HTTP responses to mitigate this. But that may not be enough. This is a test setup so I don’t think it’s a big deal though. But at a more production level, there are several correlation like deanonymization things that can be done. This becomes especially true when they share their browsers with their every day browsers which may have extensions doing all sorts of things. But taking the Tor browser like approach is also quite difficult because you have to maintain a fork.
I will say that I would avoid the surface area of a browser myself and make a safe app speaking to the safe launcher directly but this may dissuade less technical users who need the feel of the web
I feel the best solution is to kinda make their own browser UI on Electron/nw.js. It can have a custom protocol (e.g. http://electron.atom.io/docs/v0.36.8/api/protocol/), be very easy to embed the server side code that would be needed to communicate with safe APIs, disable many node APIs that are exposed (or have a popup asking the user to give permission to node APIs), and disable all HTTP/HTTPS traffic.
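The two mitigations raised in the posts above (a proxy that forwards only hosts ending in .safenet, and CSP headers on the responses it serves), sketched as an added example that is not part of the original thread and is not SAFE Launcher code. The function names, the 403 response and the policy string are assumptions made for illustration.

```javascript
// Added example, not SAFE Launcher code. Fail-closed policy for a local proxy
// in front of the SAFE network: forward only *.safenet, refuse everything else.
const ALLOWED_SUFFIX = '.safenet'; // TLD used by the sites in this thread

// Constructed policy (assumption): default-src covers scripts, images, fonts,
// frames and media; form-action is listed because default-src does not cover it.
const CSP = "default-src 'self' http://*.safenet; form-action 'self' http://*.safenet";

// A proxy sees an absolute URL for plain HTTP ("GET http://host/path") and
// "host:port" for CONNECT. Return the lowercased hostname, or null if the
// target cannot be parsed or is not plain http.
function targetHost(method, target) {
  try {
    const url = new URL(method === 'CONNECT' ? 'http://' + target : target);
    if (url.protocol !== 'http:') return null;
    return url.hostname.replace(/\.$/, ''); // drop a trailing root dot
  } catch (err) {
    return null;
  }
}

// Suffix match on a label boundary: "x.safenet" passes, "x.safenet.example.com"
// and the typo "x.safeney" do not.
function isSafenetHost(host) {
  return typeof host === 'string' &&
    host.length > ALLOWED_SUFFIX.length &&
    host.endsWith(ALLOWED_SUFFIX);
}

// Decision for one proxied request. Allowed responses carry the CSP so that a
// shared browser also refuses clearnet subresources referenced by the page.
function decide(method, target) {
  const host = targetHost(method, target);
  if (!isSafenetHost(host)) return { allow: false, status: 403, headers: {} };
  return { allow: true, status: null, headers: { 'Content-Security-Policy': CSP } };
}

// Constructed sample requests.
const samples = [
  ['GET', 'http://blog.safenet/index.html'],
  ['GET', 'http://really.compromizing-stuff.safeney/'],
  ['GET', 'http://fonts.googleapis.com/css'],
  ['CONNECT', 'www.youtube.com:443'],
];
for (const [m, t] of samples) console.log(m, t, decide(m, t).allow ? 'FORWARD' : 'BLOCK');
```

The proxy-side check is the part that fails closed; the CSP header only helps in browsers that honour it and does nothing for requests the browser makes outside the page, such as the search-on-typo behaviour mentioned elsewhere in the thread.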
Let me grab my white cowboy hat real quick
I fully agree, and I know the devs are listening very intently to these kinds of concerns. A warning message with a list of current limitations would help to understand that it’s not a fully functional internally encrypted network yet.
Yes! So many google fonts, embedded audio/video. It’s kind of a real mess right now in terms of security and anonymity (expected somewhat in an alpha but your previous point shows that the communication needs to be there).
My comments get missed a lot
Good but could be better. Not to belabor the point that others have tried to make but this “Public Notice” should have come from the Maidsafe team. I mean, I understand the pressure and excitement of releasing an MVP and missing some important details but most non regulars/non techies will not read this thread.
@Ross please clearly include warnings and disclaimers in future releases or even edit the current one to include a warnings section.
We need to feel safe soooo badly that we will fumble and put ourselves in more danger trying to grasp onto the hope that Maidsafe offers.
In that thread you mentioned this:
I think that would turn newcomers away. It’s very intimidating watching the installer download and put files all over your computer. Then for them to understand why they have to use that browser, and to learn to cope without their favorite X plugin, or Y capability. That is a huge potential barrier to entry.
I hadn’t seen your post that you linked, and you 100% foresaw this situation. I’d actually like to take a moment and say that I’ve now seen several forum members in old posts like yours mentioned these security holes, and they seemed to be discussed but never a solution implemented. Maybe we need better communication tools than this forum alone, to better work together for solutions.
First time I’ve seen this mentioned! That’s definitely happened to me and I know it’s happened to others as well. When you manually type in a url, but misspell it, and then your browser doesn’t know what you want so it sends the request to google who logs your request/IP and shows you a list of things you might be looking for.
Several other people have asked about using foxyproxy as well, I might just take your advice and do a post about browsing safe using a custom firefox profile.
You already can help yourself though. Use a secure OS from a public hotspot, and run Tor through an anonymous VPN you bought with bitcoin.
I think if the goal is to help the “technically gifted”, then you resolve nothing. Telling your mother to live boot Tails, you’ve already lost her.
It doesn’t cheapen the network to provide a basic level of functionality for an increased level of privacy. Even if a SAFE browser was distributed with WebRTC still enabled, it’s a major step forward.
I’ve talked to several forum members who are having trouble understanding why SAFE isn’t fully protecting them yet. It’s a slow road of education, but to say “I’d rather see us first taking care of the security of the not-so-hopeless” doesn’t seem to align with the community values. In fact it sounds like a 1% vs 99% situation.
That’s a serious statement. So many of us are demanding our privacy back with such ferocity that we’re falling victim to ourselves.
Another thing to have in mind is that Safe Apps aren’t actually safe. Not in the common sense of the “safe” word. There’s no difference between the app you downloaded from an obscure website (“downloader.scr” from torrent sites) or a safe app in the launcher. It’s not because the site is using https that all apps there are safe to run. The same happens with safe apps. They still can access your webcam, local files, install a keylogger, a screenshoter, communicate using tcp/udp, and so on.
PS: I’m not criticizing SAFE - I believe it’s a wonderful technology that will free the society and boost software development in general. It’s 1M times better than the current technology. Also, it’s perfect the way it is. I just think it will be awful for people to start using it with a false sense of safety and get into trouble because of that (having their private stuff hijacked).
A man in the middle attack is extremely viable and easily done in minutes. It would have to be a targeted attack, but there are probably network interception scripts that look for PAC files and replace their contents.
That doesn’t sound right. The launcher shouldn’t be able to route your http traffic at all. Make sure you checked both the “Use this proxy server for all protocols” and “Remote DNS” checkboxes like I showed in the patch.
Maybe the launcher can’t route DNS requests? So if you have youtube.com’s IP cached then the launcher can(?) route http traffic?