Stop caps from leaking to phishing-filter servers #907
Labels
No labels
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: tahoe-lafs/trac-2024-07-25#907
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Some phishing filters send URLs to a filter on some other machine. That's a bad idea and probably not very effective at preventing phishing, but they do it anyway. However, they strip query parts before sending it to the filter (according to Tyler Close and the web calculus documentation).
The webapi accepts URLs of the form
<http://host:port/uri?uri>=..., but it redirects to an URL of the form<http://host:port/uri/>.... We should prefer to put the cap in the query, and we should probably also allow the shorter form<http://host:port/>?....Stop caps from leaking to phishing filtersto Stop caps from leaking to phishing-filter serversReplying to davidsarah:
http://waterken.sourceforge.net/web-key/#browser_how
Actually that would cause a regression in #52, because the query part isn't taken into account when resolving relative URLs. I don't know how to avoid that problem. Perhaps the answer is simply to document that users should turn phishing filters off.
Attachment phishing-leak-diff.txt (50433 bytes) added
Document leakage of cap URLs via phishing filters in known_issues.txt
Applied in changeset:8a43361aaa7f1201. Thank you!
Since this is now documented as a [known issue]source:docs/known_issues.rst (with instructions on how to disable IE's phishing filter), I'm downgrading it to minor.
Bumping back up to major, because it appears that Firefox 3 does have a phishing filter that is enabled by default. The Firefox prefs UI does a poor job of labelling this as what it is: it's enabled by the "Block reported attack sites" and "Block reported web forgeries" options in the Tools | Options... | Security tab. The filter server provider is Google's "Safe browsing API".
It appears from the specification that the "safe browsing API" protocol is not vulnerable in a way that would affect Tahoe. 32 bits of information about any particular URL is potentially leaked, but that would not be enough to either guess a cap or apply a cryptanalytic attack.
Here's a news story about an accusation that Google Chrome sends back a lot of information about the URL to a remote server:
http://arstechnica.com/microsoft/news/2010/03/microsoft-google-chrome-doesn-your-privacy-microsoft-google-chrome-doesnt-respect-your-privacy.ars
Replying to zooko:
I cannot reproduce the alleged behaviour of the address bar search at all using Chrome 5.0.366.2 dev. Perhaps it has been fixed since Chrome 3.
The documentation about this in docs/known_issues.txt (now source:docs/known_issues.rst) was updated in changeset:15b65ae54b199345.