[tahoe-lafs-trac-stream] [tahoe-lafs] #1942: google chart in wui leaks information
tahoe-lafs
trac at tahoe-lafs.org
Wed Apr 10 18:33:37 UTC 2013
#1942: google chart in wui leaks information
-------------------------------+----------------------------
Reporter: leif | Owner: davidsarah
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: unknown | Version: 1.9.2
Keywords: anonymity privacy | Launchpad Bug:
-------------------------------+----------------------------
The timing chart on the mutable file upload status page is rendered by
http://chart.apis.google.com.
This reveals the IDs and latencies of storage servers to Google, as well
as anyone able to observe the network between Google and the web browser.
I think this is generally undesirable, but it is particularly problematic
for users of grids hosted on i2p or Tor hidden services.
It is possible (if not likely) that anonymity-desiring users are running
tahoe under an LD-preload tool (such as torsocks/usewithtor) but are
connecting to their WUI using a non-torified browser because they expect
it to only connect to localhost. When they browse to the mutable file
upload status page containing this chart, they'll inadvertently reveal
themselves to be a user of the grid.
Warner suggested in email that this chart should instead be rendered
locally with d3.js, which is already being used for the download timeline.
The code which constructs the google chart URL is in
src/allmydata/web/status.py and might also be used on pages besides the
mapupdate page where I noticed it.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list