Wikipedia

SafeWeb

SafeWeb, Inc.
Company typePrivate (acquired)
IndustryInternet security, privacy technology
Founded2000
FoundersStephen Hsu, Jon Chun, James Hormuzdiar
Defunct2003
FateAcquired by Symantec Corporation
HeadquartersEmeryville, California, United States
Key people
Stephen Hsu (co-founder, CEO 2000–01), Jon Chun (co-founder, president; CEO 2002–03)
ProductsSafeWeb anonymizer, TriangleBoy, SEA Tsunami SSL VPN appliance
ParentSymantec Corporation (from 2003)

SafeWeb, Inc. was an American internet privacy and computer security company based in Emeryville, California, that operated from 2000 to 2003. SafeWeb ran a free web anonymization service and built TriangleBoy, a censorship circumvention tool funded by the CIA's In-Q-Tel. After the free service shut down in late 2001, the company pivoted to SSL VPN appliances.[1][2] Symantec acquired SafeWeb for $26 million in cash in October 2003.[3]

History

[edit]

Founding

[edit]

SafeWeb was co-founded by Stephen Hsu, Jon Chun, and James Hormuzdiar.[4][5] Hsu was a theoretical physicist on leave from the University of Oregon. The company was incorporated in Delaware and headquartered in Emeryville, California.[6]

Consumer anonymizer service

[edit]

SafeWeb launched a free web-based anonymization service in October 2000 that used 128-bit SSL encryption to allow users to browse the internet without revealing their IP address or browsing activity.[7] Users visited SafeWeb's website and entered a URL to browse anonymously through an encrypted proxy; no client software was required.[7]

The service became popular with users in countries with internet censorship, including China, Iran, and Saudi Arabia.[8] Human rights workers in Central America reportedly used the service to send coded reports to their headquarters in the United States, and medical students in Arab countries used it to access medical websites that had been blocked after being misclassified as pornographic.[8] At its peak, tens of thousands of daily users came from Saudi Arabia alone, until the Saudi government blocked access.[8]

In-Q-Tel investment

[edit]

On November 30, 2000, In-Q-Tel signed a licensing agreement with SafeWeb to develop internet privacy and security technology based on SafeWeb's PrivacyMatrix system.[4] The deal, publicly announced on February 14, 2001, was structured as a licensing agreement with warrants rather than a direct equity investment.[4] In-Q-Tel put in approximately $1 million.[1]

In-Q-Tel CEO Gilman Louie described SafeWeb's technology as "an innovative approach to address problems of information security."[4] Jon Chun stated that In-Q-Tel's review process "far exceeds those of the ordinary enterprise client" and called the partnership "a very significant seal of approval."[9]

CNN, Computerworld, and The Register reported on the investment.[2][10] The CIA said it would use the technology primarily to protect the anonymity of its own employees, though In-Q-Tel did not deny other possible intelligence applications.[1]

Triangle Boy and censorship circumvention

[edit]

SafeWeb developed TriangleBoy, a software tool designed to circumvent internet censorship by governments.[6] The software enabled volunteers worldwide to turn their personal computers into proxy relays for SafeWeb's anonymization service. Users' requests passed through these third-party computers so that SafeWeb's own server IP addresses stayed hidden from national firewalls.[6][8]

In-Q-Tel funded the development of Triangle Boy, and the Broadcasting Board of Governors (BBG) provided funding to SafeWeb to set up proxy servers specifically to help Chinese internet users access Voice of America and Radio Free Asia websites, which were regularly blocked by the Chinese government.[11][12] Voice of America operated a pilot project with SafeWeb using 12 dedicated machines running Triangle Boy software.[13]

In January 2002, Stephen Hsu testified before the U.S.-China Economic and Security Review Commission about SafeWeb's censorship circumvention efforts.[14] Hsu had previously presented Triangle Boy at DEF CON 9 in July 2001 in Las Vegas, in a talk titled "SafeWeb's Triangle Boy: IP Spoofing and Strong Encryption in Service of a Free Internet."[15]

The Chinese government responded by blocking SafeWeb's servers, in what Voice of America described as a "cat-and-mouse game."[8] Clayton, Murdoch, and Watson (2006) described Triangle Boy as an early anti-censorship technique that used distributed proxies to evade IP-based blocking.[16]

Pivot to enterprise security

[edit]

In November 2001, SafeWeb shut down its free anonymous browsing service.[17] The company cited the high cost of bandwidth, a lack of advertising revenue, and the economic downturn following the dot-com bubble collapse and September 11 attacks as reasons for the shutdown.[17]

In January 2002, Jon Chun became CEO, having served as president since the company's founding.[9][18] SafeWeb pivoted to the enterprise security market with the Secure Extranet Appliance (SEA) Tsunami, a rack-mounted hardware appliance that provided secure remote access over the internet using SSL/TLS encryption built into standard web browsers.[3] Users did not need to install VPN client software, making it cheaper and simpler to deploy than traditional IPsec VPNs.[3][19]

Acquisition by Symantec

[edit]

On October 15, 2003, Symantec acquired SafeWeb for $26 million in cash.[3][20] The acquisition was part of a wave of consolidation in the SSL VPN market: NetScreen Technologies acquired Neoteris for $265 million earlier that same month, and F5 Networks purchased uRoam for $25 million in July 2003.[3]

Analyst firm Infonetics Research projected the SSL VPN market would exceed $600 million by 2006.[3]

NetScreen Technologies had previously turned to SafeWeb in 2002 for OEM SSL VPN technology before ultimately choosing to acquire Neoteris instead.[21] Symantec senior director of product management Barry Cioe described SafeWeb as "the perfect fit for a security technology acquisition."[22]

Symantec launched the Symantec Clientless VPN Gateway 4400 series in the first quarter of 2004, based on SafeWeb's technology, with prices starting at $9,495.[23] Symantec subsequently integrated the SSL VPN capabilities into its Symantec Gateway Security appliance product line.[3]

SafeWeb's technology continued through multiple corporate transitions. Symantec's enterprise security division, including former SafeWeb intellectual property, was acquired by Broadcom Inc. in 2019.[24]

Technology

[edit]

Anonymizing proxy

[edit]

SafeWeb's consumer anonymization service used 128-bit SSL encryption to create an encrypted tunnel between the user's browser and SafeWeb's proxy servers. The proxy intercepted all HTTP requests, fetched pages on the user's behalf, and rewrote embedded links so that subsequent requests continued to route through SafeWeb.[25] The service disabled cookies and scripts and hid the user's IP address.[10] SafeWeb's underlying PrivacyMatrix technology was evaluated by In-Q-Tel as meeting the CIA's security requirements.[4]

Triangle Boy

[edit]

Triangle Boy used a distributed network of volunteer relay computers to obscure SafeWeb's server IP addresses from censors.[6] When a user in a censored country connected to a random volunteer relay, the relay forwarded the request to SafeWeb's encrypted servers, which returned the content directly to the user while masquerading the traffic as originating from the relay node.[6][13] Clayton, Murdoch, and Watson (2006) described Triangle Boy as an early example of using distributed proxies to evade national firewalls.[16]

SEA Tsunami SSL VPN appliance

[edit]

The Secure Extranet Appliance (SEA) Tsunami was a 1U rack-mounted appliance running a hardened Linux operating system that provided "clientless" SSL VPN access through standard web browsers.[19][26] The appliance supported web-based reverse proxy access, port forwarding for TCP/IP applications, and integration with LDAP directory services for authentication.[5][19] The U.S. Naval Medical Information Management Center selected SafeWeb's Tsunami SSL VPN for secure remote access.[27]

Security analysis

[edit]

In August 2002, researchers David Martin of Boston University and Andrew Schulman of the Privacy Foundation presented a paper at the USENIX Security Symposium titled "Deanonymizing Users of the SafeWeb Anonymizing Service."[25] The paper documented vulnerabilities in SafeWeb's proxy architecture that could allow malicious websites to extract users' real IP addresses. By the time the paper was published, SafeWeb had already shut down its consumer anonymization service in November 2001. The vulnerabilities illustrated a broader limitation of single-hop proxy architectures compared to multi-hop systems like Tor, which were then under development.[25]

Patents

[edit]

SafeWeb's technology resulted in multiple patents subsequently assigned to Symantec Corporation:

  • U.S. Patent 7,730,528 B2, "Intelligent secure data manipulation apparatus and method" (inventors: Jon Andre Chun, Stephen Dao Hui Hsu, James Noshir Hormuzdiar; filed September 19, 2001; granted June 1, 2010)[5]
  • U.S. Patent 8,065,520, "Method and apparatus for encrypted communications to a secure server"[28]

See also

[edit]

References

[edit]
  1. ^ a b c "CIA-backed venture eyes anonymity software." Computerworld, February 15, 2001. https://www.computerworld.com/article/2800101/cia-backed-venture-eyes-anonymity-software.html
  2. ^ a b "CIA-backed venture eyes anonymity software." CNN, February 15, 2001. http://edition.cnn.com/2001/TECH/internet/02/15/anonymity.software.idg/
  3. ^ a b c d e f g "Symantec snaffles Safeweb." The Register, October 21, 2003. https://www.theregister.com/2003/10/21/symantec_snaffles_safeweb/
  4. ^ a b c d e "In-Q-Tel Commissions SafeWeb for Internet Privacy Technology." In-Q-Tel, February 14, 2001. https://www.iqt.org/library/in-q-tel-commissions-safeweb-for-internet-privacy-technology
  5. ^ a b c US Patent 7,730,528 — "Intelligent secure data manipulation apparatus and method." Google Patents. https://patents.google.com/patent/US7730528B2/en
  6. ^ a b c d e "Triangle Boy Howdy." Reason, March 1, 2002. https://reason.com/2002/03/01/triangle-boy-howdy-2/
  7. ^ a b "Privacy companies aim to keep the Net anonymous." Computerworld, March 13, 2001. https://www.computerworld.com/article/1569948/privacy-companies-aim-to-keep-the-net-anonymous.html
  8. ^ a b c d e "Travelling the Internet Invisibly." Voice of America, May 30, 2001. https://www.voanews.com/a/a-13-a-2001-05-30-2-travelling-66952532/377992.html
  9. ^ a b "Study: CIA's In-Q-Tel 'worth the risk'." Computerworld, August 7, 2001. https://www.computerworld.com/article/1340196/study-cia-s-in-q-tel-worth-the-risk.html
  10. ^ a b "Total Web anonymity for you, and the CIA." The Register, February 13, 2001. https://www.theregister.com/2001/02/13/total_web_anonymity_for_you/
  11. ^ "Free Web elusive in China / CIA backs firm helping surfers to buck censors." San Francisco Chronicle, 2001. https://www.sfchronicle.com/news/article/free-web-elusive-in-china-cia-backs-firm-2878976.php
  12. ^ "SafeWeb's Triangle Boy enters CIA civil service." LinuxSecurity, 2001. https://linuxsecurity.com/news/privacy/safewebs-triangle-boy-enters-cia-civil-service
  13. ^ a b "Caltech News, v. 36:1, 2002." California Institute of Technology, 2002. https://campuspubs.library.caltech.edu/2177
  14. ^ "Hearing Transcript, January 18, 2002." U.S.-China Economic and Security Review Commission, January 18, 2002. https://www.uscc.gov/sites/default/files/transcripts/1.18.02HT.pdf
  15. ^ "DEF CON 9 Archive." DEF CON, 2001. https://defcon.org/html/links/dc-archives/dc-9-archive.html
  16. ^ a b Clayton, Richard; Murdoch, Steven J.; Watson, Robert N. M. "Ignoring the Great Firewall of China." 2006. https://murdoch.is/papers/is07ignoring.pdf
  17. ^ a b "SafeWeb shuts CIA-backed anonymous Web service." The Globe and Mail, November 20, 2001. https://www.theglobeandmail.com/technology/safeweb-shuts-cia-backed-anonymous-web-service/article1187034/
  18. ^ "Symantec purchases SSL VPN maker SafeWeb." InfoWorld, October 20, 2003. https://www.infoworld.com/article/2235114/symantec-purchases-ssl-vpn-maker-safeweb-2.html
  19. ^ a b c "The SSL Alternative." Network Computing, 2003. https://www.networkcomputing.com/network-security/the-ssl-alternative
  20. ^ "Symantec Corporation Form 10-K (Annual Report)." U.S. Securities and Exchange Commission, 2004. https://www.sec.gov/Archives/edgar/data/849399/000095013404008785/f99544e10vk.htm
  21. ^ "NetScreen turns to SafeWeb for SSL VPNs." The Register, December 10, 2002. https://www.theregister.com/2002/12/10/netscreen_turns_to_safeweb/
  22. ^ "Symantec Acquires SafeWeb for SSL-VPN Technology." TechNewsWorld, October 21, 2003. https://www.technewsworld.com/story/symantec-acquires-safeweb-for-ssl-vpn-technology-31912.html
  23. ^ "Symantec Launches Clientless VPN Gateway Line." Network Computing, 2004. https://www.networkcomputing.com/network-security/symantec-launches-clientless-vpn-gateway-line
  24. ^ "Broadcom Completes Acquisition of Symantec Enterprise Security Business." Broadcom Inc., November 4, 2019. https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-symantec-enterprise-security
  25. ^ a b c Martin, David; Schulman, Andrew. "Deanonymizing Users of the SafeWeb Anonymizing Service." 11th USENIX Security Symposium, August 2002. https://www.usenix.org/events/sec02/full_papers/martin/martin.pdf
  26. ^ "SafeWeb gives access to all areas." Network World, 2003. https://www.networkworld.com/article/888526/lan-wan-safeweb-gives-access-to-all-areas.html
  27. ^ "Security without the sweat." Nextgov, July 2003. https://www.nextgov.com/digital-government/2003/07/security-without-the-sweat/225498/
  28. ^ US Patent 8,065,520 — "Method and apparatus for encrypted communications to a secure server." Google Patents. https://patents.google.com/patent/US8065520B2/en