March 02, 2004

Constrained by Others' Shortcuts

Last year, Vivek Pai and some of my other colleagues at Princeton wrote an interesting paper called "The Dark Side of the Web: An Open Proxy's View", describing what happened when they deployed a large web proxy service. This useful and well-intentioned service was quickly discovered and used by a surprising variety of scammers and parasites who wanted to hide their activities.

A web proxy, of course, is a network service that acts as an intermediary for web requests. It receives a request from a browser, and passes that request on to the destination server; when the server replies, the proxy passes the reply back to the original requester. The authors' system, called CoDeeN, teamed up a large number of machines, scattered around the net, to act like a single mega-proxy. This is useful in various ways to web surfers.

It's also useful to the bad guys, since it puts an innocent intermediary between a malicious web user and the sites with which he interacts. Some of the bad guys started using CoDeeN, which then allowed the CoDeeN team to see what they were up to. The list of attacks is surprisingly long and makes interesting reading.

Another lesson of the paper is that a surprising number of sites use a requester's IP address to authenticate the requester's identity or affiliation, or to blacklist bad actors. This is not a good practice, but it's surprisingly widespread. And it's a problem for web proxies, since requests that are funneled through a proxy seem to come from the proxy's IP address rather than that of the original requester. If the proxy is, say, within Princeton's IP address range, then anybody making a request through the proxy might (mistakenly) be assumed to be affiliated with Princeton. Or if a malicious request is funneled through the proxy, the targeted site might put the proxy's IP address onto a blacklist of "bad addresses", which would block access to the target site by the proxy's legitimate users.
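Both misattributions just described, mistaken affiliation and a blacklist that catches the proxy instead of the abuser, can be seen in this small Python simulation. It is an added example, not code from the paper or from CoDeeN; the address ranges are constructed, and the trusted-proxy variant assumes the standard X-Forwarded-For header, which the paper does not specify.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 ranges): an "institutional" network playing
# Princeton's address space, a proxy node inside it, an insider, an outsider.
INSTITUTION_NET = ipaddress.ip_network("192.0.2.0/24")
PROXY_IP = "192.0.2.50"
INSIDER_IP = "192.0.2.10"
OUTSIDER_IP = "203.0.113.7"

class Site:
    """Site that judges affiliation and blacklisting by source IP. It believes
    an X-Forwarded-For header only from proxies listed in trusted_proxies."""

    def __init__(self, trusted_proxies=()):
        self.trusted_proxies = {ipaddress.ip_address(p) for p in trusted_proxies}
        self.blacklist = set()

    def handle(self, peer_ip, forwarded_for=None, malicious=False):
        peer = ipaddress.ip_address(peer_ip)
        # Attribute the request to the forwarded client only if a trusted proxy sent it.
        if forwarded_for and peer in self.trusted_proxies:
            client = ipaddress.ip_address(forwarded_for)
        else:
            client = peer
        if client in self.blacklist:
            return "blocked"
        if malicious:
            self.blacklist.add(client)  # blacklists whoever the request is attributed to
            return "blacklisted"
        return "affiliated" if client in INSTITUTION_NET else "anonymous"

def via_proxy(site, client_ip, malicious=False):
    """Relay through the proxy: the site's TCP peer is the proxy; the real client is only in a header."""
    return site.handle(PROXY_IP, forwarded_for=client_ip, malicious=malicious)

def demo():
    naive = Site()                              # judges by peer address only
    results = [
        naive.handle(OUTSIDER_IP),              # direct request: "anonymous"
        via_proxy(naive, OUTSIDER_IP),          # via proxy: "affiliated" (mistaken)
        via_proxy(naive, OUTSIDER_IP, True),    # abuse via proxy: proxy IP "blacklisted"
        via_proxy(naive, INSIDER_IP),           # innocent proxy user now "blocked"
    ]
    careful = Site(trusted_proxies=[PROXY_IP])  # attributes to the forwarded client
    results += [
        via_proxy(careful, OUTSIDER_IP),        # "anonymous"
        via_proxy(careful, OUTSIDER_IP, True),  # outsider's own IP "blacklisted"
        via_proxy(careful, INSIDER_IP),         # "affiliated", unaffected by the abuser
    ]
    return results
```

The trusted-proxy variant only attributes each request to the right address; deciding affiliation by IP address remains the weak practice the post criticizes.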

Even though sites aren't supposed to be using IP addresses for authentication, many do; and the design of CoDeeN had to be changed to accommodate these other sites' bad practice. This sort of thing happens all the time in security: somebody's lazy decision makes it harder for somebody else to innovate later, because innovation tends to upset the fragile assumptions used by earlier developers.

Posted by Ed Felten at March 2, 2004 04:24 PM