#1942 closed task

replace google chart in wui with d3.js: it leaks information — at Version 13

Reported by: leif Owned by: nobody
Priority: normal Milestone: eventually
Component: code-frontend-web Version: 1.9.2
Keywords: anonymity privacy security websec tor-protocol i2p Cc: tahoe-lafs@…
Launchpad Bug:

Description (last modified by zooko)

The timing chart on the mutable file upload status page is rendered by http://chart.apis.google.com.

This reveals the IDs and latencies of storage servers to Google, as well as anyone able to observe the network between Google and the web browser.

I think this is generally undesirable, but it is particularly problematic for users of grids hosted on i2p or Tor hidden services.

It is possible (if not likely) that anonymity-desiring users are running tahoe under an LD-preload tool (such as torsocks/usewithtor) but are connecting to their WUI using a non-torified browser because they expect it to only connect to localhost. When they browse to the mutable file upload status page containing this chart, they'll inadvertently reveal themselves to be a user of the grid.

Warner suggested in email that this chart should instead be rendered locally with d3.js, which is already being used for the download timeline.

The code which constructs the google chart URL is in src/allmydata/web/status.py and might also be used on pages besides the mapupdate page where I noticed it.

Change History (14)

comment:1 Changed at 2013-04-10T19:19:18Z by gdt

Further, the very fact that anything is downloaded from any third-party server is a serious privacy bug.

comment:2 Changed at 2013-04-10T22:12:14Z by daira

  • Keywords integrity confidentiality security capleak added
  • Owner changed from davidsarah to daira
  • Status changed from new to assigned

+1. It also potentially gives Google access to other pages (that are related in the browsing history) of the gateway's local origin.

We should put a note in docs/known_issues.rst for 1.10, and switch to using d3.js for 1.11.

There don't appear to be any other uses of Google Charts other than the mutable servermap update status page.

Last edited at 2014-03-05T02:47:48Z by daira (previous) (diff)

comment:3 Changed at 2013-04-11T11:50:00Z by warner

  • Component changed from unknown to code-frontend-web
  • Milestone changed from undecided to 1.10.0

Adding to 1.10 to remind me to update known_issues.rst. Will retarget to 1.11 after that to cover the d3.js rewrite.

BTW I was careful to only have this chart on a page whose URL has no secrets (it just has the storage index, which is also exposed to storage servers), but I agree that a JS-enabled browser or a non-Tor-ified browser would experience a privacy/access problem. Oops.

comment:4 Changed at 2013-04-11T18:25:32Z by flamsmark

  • Cc tahoe-lafs@… added

comment:5 Changed at 2013-04-11T21:07:01Z by warner

Oh, wait, I remember thinking about this. No, the chart that is loaded is an IMG tag (and google generally returns a PNG). Everything Leif said is correct, but it does *not* give google access to the rest of the origin (if it were including JS or CSS or something active, it would, but a plain IMG tag won't load anything active). I briefly had code to generate a PNG in the tahoe client itself, but that added a dependency on the PIL library which seemed a bit big.

I think d3.js is the right way to go: it doesn't make the python-side code any bigger, the JS library is already in our tree, and I'm ok with not giving timelines to folks who have JS turned off.

comment:6 Changed at 2013-04-12T04:48:52Z by daira

It used to be possible to same-origin-attack a browser using JavaScript in an SVG file loaded by an img tag (http://www.librador.com/2011/03/09/Dangers-of-SVG-and-the-img-tag/), but apparently recent browsers do not load JavaScript in that case (http://stackoverflow.com/questions/7917008/xss-when-loading-untrusted-svg-using-img-tag).

comment:7 Changed at 2013-04-12T15:26:05Z by daira

  • Keywords integrity confidentiality removed

comment:8 follow-up: Changed at 2013-04-15T05:28:12Z by Brian Warner <warner@…>

In 3a18157456951841:

known_issues: document the google-chart-API privacy leak. Refs #1942.

comment:9 Changed at 2013-04-15T05:32:43Z by warner

  • Milestone changed from 1.10.0 to 1.11.0
  • Owner changed from daira to nobody
  • Status changed from assigned to new
  • Summary changed from google chart in wui leaks information to replace google chart in wui with d3.js: it leaks information
  • Type changed from defect to task

Ok, that patch updates known_issues.rst . We can now turn this ticket into "replace the timing chart with local d3.js".

BTW, the leak was even smaller than I thought: the referrer URL only contains the count of mapupdate operations (basically any mutable-file read or write) since last node boot. It doesn't even include the storage-index of the file.

comment:10 Changed at 2013-04-15T16:11:07Z by daira

  • Keywords capleak removed

Reviewed the known_issues text, +1.

comment:11 in reply to: ↑ 8 Changed at 2013-04-15T19:45:26Z by leif

Replying to Brian Warner <warner@…>:

In 3a18157456951841:

known_issues: document the google-chart-API privacy leak. Refs #1942.

I think instead of "reveal your use of Tahoe to the outside world" it would be better to say "reveal your use of that grid to the outside world", since the chart URL contains storage server IDs.

comment:12 Changed at 2013-04-23T23:40:25Z by Brian Warner <warner@…>

In 02975d188735a59f:

known_issues: update chart-API text, with suggestions from Leif. refs #1942

comment:13 Changed at 2013-09-14T17:38:32Z by zooko

  • Description modified (diff)
  • Keywords websec added
Note: See TracTickets for help on using tickets.