hotsh / rstat.us

Simple microblogging network based on the ostatus protocol.
http://rstat.us/

Loading third-party content leaks private data #599

Open doherty opened 12 years ago

doherty commented 12 years ago

It would be nice to limit or eliminate loading third-party content from the browser. Instead, your application could proxy and/or cache gravatar images, for example. Techniques for doing this were described by Micah Lee at HOPE9.

wilkie commented 12 years ago

What private data? All information is public, so it is leaking nothing since a man-in-the-middle would see nothing any other user wouldn't see. The point of HTTPS on rstat.us is to prevent man-in-the-middle writes, not reads. Although how well SSL guarantees this is very debatable.

If anonymity of access is what you want, then I'd advise a strategy such as tor. Your strategies are not practical nor that necessary for self-hosting.

On Sun, Aug 19, 2012 at 5:26 PM, Mike Doherty notifications@github.com wrote:

It would be nice to limit or eliminate loading third-party content from the browser. Instead, your application could proxy and/or cache gravatar images, for example. Techniques for doing this were described by Micah Lee at HOPE9 https://www.youtube.com/watch?v=q38HdGGWS78.


doherty commented 12 years ago

Yes, I have strategies to cope with websites that include third-party resources. That doesn't mean we shouldn't make things better for others.

While a given user may trust you and your privacy policy, they may not trust Twitter and Twitter's. Asking their browser to automatically load content from Twitter, which can reveal a lot of that user's private information (IP, User Agent string, and much more) to Twitter, is worth avoiding if possible.

This has nothing to do with SSL; the same would apply with HTTP.

wilkie commented 12 years ago

True. A server would have to proxy through somewhere (unless revealing the server IP is not important) and store the resulting images on the server to avoid exposing any client requests to Twitter or gravatar. Caching gravatar images would put a decent load on the rstat.us nodes and increase the disk usage and requires hosting with read/write storage or the storing of images in the database, which is impractical for rstat.us self-hosted nodes. The solution there is to only cache sometimes, upon configuration, and run your node off of a proxy/anonymous routing if you really don't want gravatar to know your laptop's IP and/or your server's IP.

Granted, a solution like this is necessary for times when profile avatars change off-site, yet do not send a notification to the node. Such as issue #418 where the avatar links break with a silly fix in pull request #496.

That said, as much as one may implement a small circle of trust, one who cares about this type of anonymity should use tor instead of trusting even rstat.us with their IP and should anonymize their user agent string, among other things.

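The proxy-and-cache approach described in the comment above, as an added Ruby example that is not rstat.us code: the node fetches the avatar itself and serves the bytes, so the upstream host only ever sees the server, never the visitor, and caching can be switched off for nodes without writable storage. `AvatarProxy`, `demo_run` and the injected `fetcher` are hypothetical names chosen for this example.

```ruby
require 'digest/md5'
require 'fileutils'
require 'tmpdir'
require 'uri'

# AvatarProxy is an added example, not project code. The visitor's browser asks the
# node for an avatar; the node fetches the remote image and serves the bytes itself,
# so gravatar.com (or another node) never sees the visitor's IP or User-Agent.
class AvatarProxy
  # fetcher: a callable taking a URL and returning image bytes. In production this
  # would be an HTTP GET (through an outbound proxy if the server's own IP must stay
  # hidden); it is injected here so the example runs offline.
  # cache_enabled: false models a node that cannot store images; it still proxies
  # every request, at the cost of one upstream fetch per page view.
  def initialize(cache_dir:, fetcher:, cache_enabled: true)
    @cache_dir, @fetcher, @cache_enabled = cache_dir, fetcher, cache_enabled
    FileUtils.mkdir_p(@cache_dir)
  end

  # Canonical Gravatar URL (Gravatar keys on the MD5 of the trimmed, lowercased
  # address). Size and default image are pinned server-side, not taken from the client.
  def self.gravatar_url(email, size: 80)
    "https://www.gravatar.com/avatar/#{Digest::MD5.hexdigest(email.strip.downcase)}?s=#{size}&d=identicon"
  end

  # Serves the image at url from cache or upstream. Returns [bytes, :cache_hit | :fetched].
  # Only http(s) URLs are accepted, so a crafted profile cannot point the node at
  # other URL schemes.
  def avatar_for(url)
    uri = URI.parse(url)
    raise ArgumentError, "unsupported avatar URL: #{url}" unless %w[http https].include?(uri.scheme) && uri.host
    path = File.join(@cache_dir, Digest::MD5.hexdigest(url))
    return [File.binread(path), :cache_hit] if @cache_enabled && File.exist?(path)
    bytes = @fetcher.call(url)
    File.binwrite(path, bytes) if @cache_enabled
    [bytes, :fetched]
  end
end

# Constructed demo: a stub fetcher counts upstream requests instead of doing HTTP.
# Returns [result of first request, result of second request, upstream fetch count].
def demo_run(cache_enabled:)
  calls = 0
  fetcher = ->(url) { calls += 1; "PNG-bytes-for-#{url}" }
  dir = File.join(Dir.tmpdir, "avatar-cache-#{Process.pid}-#{cache_enabled}")
  FileUtils.rm_rf(dir)
  proxy = AvatarProxy.new(cache_dir: dir, fetcher: fetcher, cache_enabled: cache_enabled)
  url = AvatarProxy.gravatar_url("Someone@Example.com ")
  [proxy.avatar_for(url).last, proxy.avatar_for(url).last, calls]
end
```

With caching on, the second request for the same avatar is served from disk and the upstream host is contacted once; with caching off, every request costs an upstream fetch but the visitor is still never exposed.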

doherty commented 12 years ago

I appreciate your advice, but this is not about protecting me, it is about protecting visitors to my node.

Certainly there are difficulties in avoiding loading third-party resources, but they are not insurmountable. As I mentioned before, there was an excellent talk on this topic at HOPE this year.

wilkie commented 12 years ago

I'm not giving you advice. You are smart and informed; you know this stuff already. But, you didn't say it, so I did.

I'm listing alternative measures (workarounds, things people could do in the meantime, reasons for perhaps not solving the issue) and I'm listing obstacles (things that get in the way of particular solutions) and I'm listing reasons for solving the issue in the pursuit of solving the issue you've raised.

Thank you for raising it. :)
