SafeWeb

Founding

SafeWeb was co-founded by Stephen Hsu, Jon Chun, and James Hormuzdiar.^[4][5] Hsu was a theoretical physicist on leave from the University of Oregon. The company was incorporated in Delaware and headquartered in Emeryville, California.^[6]

Consumer anonymizer service

SafeWeb launched a free web-based anonymization service in October 2000 that used 128-bit SSL encryption to allow users to browse the internet without revealing their IP address or browsing activity.^[7] Users visited SafeWeb's website and entered a URL to browse anonymously through an encrypted proxy; no client software was required.^[7]

The service became popular with users in countries with internet censorship, including China, Iran, and Saudi Arabia.^[8] Human rights workers in Central America reportedly used the service to send coded reports to their headquarters in the United States, and medical students in Arab countries used it to access medical websites that had been blocked after being misclassified as pornographic.^[8] At its peak, tens of thousands of daily users came from Saudi Arabia alone, until the Saudi government blocked access.^[8]

In-Q-Tel investment

On November 30, 2000, In-Q-Tel signed a licensing agreement with SafeWeb to develop internet privacy and security technology based on SafeWeb's PrivacyMatrix system.^[4] The deal, publicly announced on February 14, 2001, was structured as a licensing agreement with warrants rather than a direct equity investment.^[4] In-Q-Tel put in approximately $1 million.^[1]

In-Q-Tel CEO Gilman Louie described SafeWeb's technology as "an innovative approach to address problems of information security."^[4] Jon Chun stated that In-Q-Tel's review process "far exceeds those of the ordinary enterprise client" and called the partnership "a very significant seal of approval."^[9]

CNN, Computerworld, and The Register reported on the investment.^[2][10] The CIA said it would use the technology primarily to protect the anonymity of its own employees, though In-Q-Tel did not deny other possible intelligence applications.^[1]

Triangle Boy and censorship circumvention

SafeWeb developed TriangleBoy, a software tool designed to circumvent internet censorship by governments.^[6] The software enabled volunteers worldwide to turn their personal computers into proxy relays for SafeWeb's anonymization service. Users' requests passed through these third-party computers so that SafeWeb's own server IP addresses stayed hidden from national firewalls.^[6][8]

In-Q-Tel funded the development of Triangle Boy, and the Broadcasting Board of Governors (BBG) provided funding to SafeWeb to set up proxy servers specifically to help Chinese internet users access Voice of America and Radio Free Asia websites, which were regularly blocked by the Chinese government.^[11][12] Voice of America operated a pilot project with SafeWeb using 12 dedicated machines running Triangle Boy software.^[13]

In January 2002, Stephen Hsu testified before the U.S.-China Economic and Security Review Commission about SafeWeb's censorship circumvention efforts.^[14] Hsu had previously presented Triangle Boy at DEF CON 9 in July 2001 in Las Vegas, in a talk titled "SafeWeb's Triangle Boy: IP Spoofing and Strong Encryption in Service of a Free Internet."^[15]

The Chinese government responded by blocking SafeWeb's servers, in what Voice of America described as a "cat-and-mouse game."^[8] Clayton, Murdoch, and Watson (2006) described Triangle Boy as an early anti-censorship technique that used distributed proxies to evade IP-based blocking.^[16]

Pivot to enterprise security

In November 2001, SafeWeb shut down its free anonymous browsing service.^[17] The company cited the high cost of bandwidth, a lack of advertising revenue, and the economic downturn following the dot-com bubble collapse and September 11 attacks as reasons for the shutdown.^[17]

In January 2002, Jon Chun became CEO, having served as president since the company's founding.^[9][18] SafeWeb pivoted to the enterprise security market with the Secure Extranet Appliance (SEA) Tsunami, a rack-mounted hardware appliance that provided secure remote access over the internet using SSL/TLS encryption built into standard web browsers.^[3] Users did not need to install VPN client software, making it cheaper and simpler to deploy than traditional IPsec VPNs.^[3][19]

Acquisition by Symantec

On October 15, 2003, Symantec acquired SafeWeb for $26 million in cash.^[3][20] The acquisition was part of a wave of consolidation in the SSL VPN market: NetScreen Technologies acquired Neoteris for $265 million earlier that same month, and F5 Networks purchased uRoam for $25 million in July 2003.^[3]

Analyst firm Infonetics Research projected the SSL VPN market would exceed $600 million by 2006.^[3]

NetScreen Technologies had previously turned to SafeWeb in 2002 for OEM SSL VPN technology before ultimately choosing to acquire Neoteris instead.^[21] Symantec senior director of product management Barry Cioe described SafeWeb as "the perfect fit for a security technology acquisition."^[22]

Symantec launched the Symantec Clientless VPN Gateway 4400 series in the first quarter of 2004, based on SafeWeb's technology, with prices starting at $9,495.^[23] Symantec subsequently integrated the SSL VPN capabilities into its Symantec Gateway Security appliance product line.^[3]

SafeWeb's technology continued through multiple corporate transitions. Symantec's enterprise security division, including former SafeWeb intellectual property, was acquired by Broadcom Inc. in 2019.^[24]

Anonymizing proxy

SafeWeb's consumer anonymization service used 128-bit SSL encryption to create an encrypted tunnel between the user's browser and SafeWeb's proxy servers. The proxy intercepted all HTTP requests, fetched pages on the user's behalf, and rewrote embedded links so that subsequent requests continued to route through SafeWeb.^[25] The service disabled cookies and scripts and hid the user's IP address.^[10] SafeWeb's underlying PrivacyMatrix technology was evaluated by In-Q-Tel as meeting the CIA's security requirements.^[4]

Triangle Boy

Triangle Boy used a distributed network of volunteer relay computers to obscure SafeWeb's server IP addresses from censors.^[6] When a user in a censored country connected to a random volunteer relay, the relay forwarded the request to SafeWeb's encrypted servers, which returned the content directly to the user while masquerading the traffic as originating from the relay node.^[6][13] Clayton, Murdoch, and Watson (2006) described Triangle Boy as an early example of using distributed proxies to evade national firewalls.^[16]

SEA Tsunami SSL VPN appliance

The Secure Extranet Appliance (SEA) Tsunami was a 1U rack-mounted appliance running a hardened Linux operating system that provided "clientless" SSL VPN access through standard web browsers.^[19][26] The appliance supported web-based reverse proxy access, port forwarding for TCP/IP applications, and integration with LDAP directory services for authentication.^[5][19] The U.S. Naval Medical Information Management Center selected SafeWeb's Tsunami SSL VPN for secure remote access.^[27]