Updated: 24.11.2002; 12:03:10 Uhr.
disLEXia
lies, laws, legal research, crime and the internet
        

Wednesday, April 4, 2001

Risks of using filtering proxies

In RISKS-18.65 James Cameron wrote about the RISKS of using proxy-servers, as they 'may change your view of the Internet'.

Some days ago I experienced something similar: filtering proxies changing the view of the Internet.

One week ago I published a paper "Search Engines and Privacy" (http://www.franken.de/users/tentacle/papers/search-privacy.txt). It is a plain text ASCII file with some HTML tags included as examples. Some days later a friend of mine complained that something was wrong with the paper, he told me I had mentioned redirects where the quoted examples did not show any redirects at all. An HTML example which should have read was served to him as a link pointing to http://www.test.com.

After some testing it became obvious that this was due to his filtering proxy, WebWasher Version 3.0 for Windows. One of the features of this proxy is changing redirected links (which e.g. AltaVista uses) to direct links. In this case this made the quote invalid, of course.

This is expected behavior for a HTML file, but this is a plaintext file. It was found that the link rewriting goes along with WebWasher changing the content type from "text/plain" to "text/html". This causes an additional effect: the browser interprets the HTML tags contained within the textfile instead of displaying them.

So far it seems that the content type is changed if the first line of the served document is shorter than three characters (my paper started with two empty lines). In this case the first line gets dropped.

Both tested Windows versions (2.21 and 3.0) show this problem.

The code maintainers were notified. Credits go to Jens Krabbenhoeft.

The RISKS: While filtering proxies generally are of great benefit to privacy concerned users they may (caused by bugs) do more than you expect them to do. In this case: content rewriting regardless of host or content type and changing the content type of seemingly harmless textfiles to HTML (which makes browsers interpret them).

Besides, this is a nice example for obscure bugs not showing up during regular testing. "We never experienced any bugs" does not mean that there are none. [Marc Roessler via risks-digest Volume 21, Issue 36]
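One way to check for the rewriting described in the post above is to compare the response fetched directly from the origin with the same response as delivered through the proxy. The following is an added example, not part of the original post and not WebWasher code; the function names, the `redirect.example` host and both sample responses are constructed for illustration.

```python
import difflib
from email.parser import BytesParser

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (media type, list of body lines)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _status, _, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return headers.get_content_type(), body.splitlines()

def proxy_diff(direct: bytes, proxied: bytes) -> dict:
    """Report what differs between the origin's response and the proxied copy."""
    d_type, d_lines = parse_response(direct)
    p_type, p_lines = parse_response(proxied)
    report = {"type_changed": None, "delete": 0, "replace": 0, "insert": 0}
    if d_type != p_type:
        # e.g. text/plain turned into text/html: the browser will now render tags
        report["type_changed"] = (d_type, p_type)
    matcher = difflib.SequenceMatcher(None, d_lines, p_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            # count body lines dropped, rewritten or injected in transit
            report[tag] += max(i2 - i1, j2 - j1)
    return report

# Constructed sample: a plain-text file that starts with two empty lines and
# quotes a redirect-style link (hypothetical redirector host).
DIRECT = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"\n\nSearch Engines and Privacy\n"
    b'<a href="http://redirect.example/r?u=http://www.test.com">link</a>\n'
    b"end of sample\n"
)
# Constructed sample: the same file as the post describes it arriving through
# the proxy: type switched to HTML, first line dropped, link made direct.
PROXIED = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"\nSearch Engines and Privacy\n"
    b'<a href="http://www.test.com">link</a>\n'
    b"end of sample\n"
)

if __name__ == "__main__":
    print(proxy_diff(DIRECT, PROXIED))
```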

Re: Dutch police fight cell theft ... (Dzubin, RISKS-21.32)

>After a user reports his GMS handset stolen, [...]

Uhhh...I'm not sure what GMS is in this context, but if it's a misspelling of "GSM", then I see a problem.

In GSM, there is a separate SIM card in the handset which contains all of the subscriber's authentication/authorization information, and which is intentionally interchangeable between handsets (subject to some restrictions, but generally when switching between handsets supplied by the same service provider).

If someone was trying to sell the _handset_, they could do so without including the SIM card--I've done this a couple of times as handset technology evolves over the years. The buyer provides their own smart card, and the telco doesn't even have to be informed that the sale took place for the handset to work for its new owner.

Naive GSM users reading this article might attempt to send such messages to their own phone number if their handset is stolen. This won't work if the thief has any clue at all. Kids, don't try this at home.

I suppose it is possible that the police may use the telco's resources to track the handset down by its IMEI or something--handsets, high-end accessories, even batteries these days have serial numbers embedded into them which are accessible from the handset firmware and can be interrogated from the telco (if not routinely broadcast while the handset is on).

Zygo Blaxell (Laptop) [Zygo Blaxell via risks-digest Volume 21, Issue 34]


Maximillian Dornseif, 2002.