The Secret Service - Server - SafeWeb.com masks Internet identity

Brandweek, Jan 1, 2001 by Jennifer Tanaka

SafeWeb.com's ad-supported technology helps Internet users protect their identities online.

We have hackers to thank for SafeWeb.com, a recently launched Web-based service site that allows users to surf the Web anonymously, without the prying eyes of in-house IT departments, ad-serving profilers or anyone interested in snooping at every click.

As SafeWeb CEO Stephen Hsu tells it, he was a physics professor at Yale when the idea for his company struck him in 1998. He and one of his students were responsible for protecting the Yale physics department computer network from hacker attacks. Each time Hsu would nab one of a series of teenage hackers, he would discover that they had installed a prefabricated "packet sniffer" program on one of his department's many servers. These packets allow would-be eavesdroppers to watch and record the traffic that flows by--from private e-mail to clicks during Web sessions. "That opened our eyes," says Hsu, now a professor at the University of Oregon, in Eugene. "We didn't realize how easy it was for one person on a single machine to monitor everyone else on the network. That really motivated us to design an Internet architecture that would fix this problem."

Two years later, SafeWeb was born. The heart of its technology is software that allows the SafeWeb servers to act as a privacy gateway between a PC and any Web site that a user visits. After a minimal configuration process, a user's browser will bear a new SafeWeb URL bar. The reconfigured browser will now create an encrypted channel of information, even as it flows through a company's network or a consumer's own personal ISP. Now, when a user surfs the Net, SafeWeb mediates every Web page request, every click of the mouse, every keystroke that's typed into a Web-based e-mail site. "Say you go to Hotmail. Your browser thinks that our server is the Hotmail server. And the Hotmail server thinks that we are you," explains Hsu. "So we're the middleman." In that way, SafeWeb masks the identity of a given PC. Previously, Hotmail, or any other Web site, would register a PC's unique IP address each time a site was visited. With SafeWeb, Hotmail only sees the IP address of the SafeWeb server. Anyone between a PC and the SafeWeb servers--say, a company's IT department, an ISP, or even hackers--gathers only a garbled stream of information. Decryption happens in two locations: at a user's desk and on the SafeWeb servers. Think of it as a kind of data laundering.

The secret to SafeWeb's anonymizing technology is the SSL (secure sockets layer) encryption that comes standard in current versions of Microsoft's Internet Explorer and the Netscape browser. SSL is commonly used for the final clicks in an e-commerce or banking transaction--the part when a user sends sensitive personal information such as a credit card number to a Web site. "We realized that this state-of-the-art encryption can work for all your traffic, not just the information you send to Amazon," Hsu says. When using the SafeWeb-enabled browser, a gold key icon appears in the lower right-hand corner of the window, telling you that the browser has activated encryption. SafeWeb's proprietary contribution is a universal SSL server.

Today, when a shopper uses Amazon.com, the SSL portion of the transaction is diverted to an SSL server, processed and then kicked back to Amazon's regular, un-secure e-commerce servers. What SafeWeb provides is an SSL server for any and every Web site you might visit. "SafeWeb is like your butler," says Hsu. "We go get The New York Times, say, grab the content, encrypt it and give it to you." When the newspaper lands on your browser, the browser software itself contains an SSL engine that decrypts the information and then presents the Web page in a readable format.

Sounds simple but it's not. The tricky part, explains Hsu, is making sure that every information request made by a Web page is routed through SafeWeb's secure servers. Underlying every Web page are thousand of lines of HTML code. Each line of code can refer your browser to content that resides on remote servers that can by physically located and owned by a multitude of people and companies. For example, the graphics that appear on a Web page might be accessed from a server located in a different office from a site's main server pool. Banner ads are typically pulled across the Web from centralized servers in cities across the nation. As your browser unravels a Web page's HTML, it tries to make contact with all these remote servers. "If somebody's watching me, they could see all these packets coming in and out of my machine," says Hsu. "All those connections are visible to whomever is spying on you, or it's logged in a firewall log." To ensure that the entire Web surfing experience is encrypted, SafeWeb's soft ware scans all the code underlying a Web page and rewrites it so that all connections to external servers also get routed through SafeWeb. These tiny tweaks to a Web page's HTML happen in real time, in hundreds of milliseconds. To a user's eye, the page that appears in his browser looks like The New York Times, but it's been cleaned up, quickly and invisibly, by SafeWeb.