Information leaking through web sockets

[pallix]

While analysing potential security problems wrt. anonymity/pseudonymity, the following came to my mind:

Websockets can be used to be notified of the creation/change/removal of resources. Subscription can be done on any resources by the user, there is no permission check. The content of the resource is not sent, only the path.

This could be use to:

• obtain meta-information about private processes such as the number of proposals created, the numbers of comments created etc.
• know how many bplaene are created
• in general, obtain meta-information on resources not accessible because of permission restrictions

[joka]

The root problem is the software architecture. The websocket server is an external service without authentication/authorization and not part of the pyramid backend. With this setup Its not possible to prevent information leaks for things that rely on the permission system.