The SAFE Browser Plugin currently does not secure your browsing session, and you are easily de-anonymized.
The way the browser plugin works is by redirecting all network requests to urls with “.safenet” in them, to the local port on your computer where the SAFE Launcher is running. This is extraordinarily insecure, and your web traffic can easily be compromised by using it.
The insecurity of the plugin is the downloaded proxy rules from the .pac file. The URL you added to your browser told it to download a list of rules that controls where your internet traffic goes. If an attacker wanted to read all of your internet traffic, they can intercept you downloading this .pac file, and replace it with their own proxy rules, making all of your page/image/file requests go through them.
Furthermore, the browser plugin does nothing to prevent clearnet traffic requests. If you’re on a *.safenet website, your browser will still download any images hosted on the regular web (the clearnet).
Firefox’s developer tools showing that even when you go to a .safenet URL, your browser is still downloading and mixing SAFEweb content with clearweb content.
And as the show stopper, google analytics tracking code is still run on safenet websites. Just include their code on your webpage, and anyone visiting your site will run it automatically. Several people are doing this to you right now on their own safesites.
Because of these issues, you are now uniquely identified as a SAFE user, and can be individually targeted as such.
I’ve written a simple guide the patching the SAFE Browser Plugin security hole. It eliminates the risk of a middleman attack, and stops the invasive clearnet downloading. So check that out if you want to protect yourself.
This is a community outreach and educational post, SAFE is still in alpha and I’m listing some of its alpha-version limitations.