Security holes found in popular privacy program; company offers reward to finder

WASHINGTON (AP) _ A popular Internet privacy service that lets Web surfers visit sites anonymously has fixed several serious flaws, and now the service's founder is offering a reward to the finder

Tuesday, May 21st 2002, 12:00 am

By: News On 6

WASHINGTON (AP) _ A popular Internet privacy service that lets Web surfers visit sites anonymously has fixed several serious flaws, and now the service's founder is offering a reward to the finder of the bugs.

Bennett Haselton, an Internet filtering activist who runs the Peacefire Web site, found the problems with Anonymizer.com, a five-year-old service that shields users from tracking by Web sites and their Internet providers.

Haselton ``came up with a new way of exploiting (Web) standards,'' Anonymizer president Lance Cottrell explained Monday. ``They're pretty subtle.''

Many major commercial sites cringe when security researchers find a hole. But Anonymizer actually encourages it through a ``bug bounty.''

Haselton's reward: three free years of the Anonymizer service, which costs $50 a year. Cottrell said the offer stands for anyone else who can find security holes in the service.

``We are always actively soliciting people to attack it,'' Cottrell said. ``Trying to hide and keeping your head down is always the wrong answer.''

Ordinarily, Web sites collect lots of information about visitors, including the Internet address that can lead to a visitor's geographic location, as well as shopping habits and previous Web travels.

Anonymizer keeps the visitor's information secret by standing between the customer's Web browser and the desired Web site.

Customers can use Anonymizer through the company's Web site or with a downloadable program. The service allows Web users to keep personal information away from marketing sites, or to keep their bosses from seeing their Web surfing at work.

For example, a person could use Anonymizer's service to visit the FBI's tip site and offer information truly anonymously.

The methods Haselton developed, though, could be used on a Web site to determine where the visitor is really coming from and negate the effectiveness of Anonymizer.

Independent researchers who find security holes frequently get a cold reception from Web sites. Internet companies complain that the researchers are more interested in notoriety _ the rush to release their find _ than customer safety.

The battle between the two sides has prompted several security firms, along with Microsoft Corp., to advocate limited disclosure of security holes. This has brought even more controversy among security experts.

Cottrell said his company doesn't know of any Web sites that used Haselton's methods to defeat the privacy program.

``Our customers are very open with us,'' Cottrell said. ``I'm sure we would have heard about it.''