From 3a18157456951841d268dfc00ad63f8c97a0056d Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Sun, 14 Apr 2013 22:27:03 -0700
Subject: [PATCH] known_issues: document the google-chart-API privacy leak.
 Refs #1942.

---
 docs/known_issues.rst | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/docs/known_issues.rst b/docs/known_issues.rst
index a4a342ab..88aa88f6 100644
--- a/docs/known_issues.rst
+++ b/docs/known_issues.rst
@@ -27,6 +27,7 @@ Known Issues in Tahoe-LAFS v1.9.2, released 3-Jul-2012
   *  `Capabilities may be leaked to web browser phishing filter / "safe browsing" servers`_
   *  `Known issues in the FTP and SFTP frontends`_
   *  `Traffic analysis based on sizes of files/directories, storage indices, and timing`_
+  *  `Privacy leak via Google Chart API link in map-update timing web page`_
 
 ----
 
@@ -252,6 +253,47 @@ time are likely to be related even if they are not linked in the directory
 structure. Also, users that access the same files may be related to each other.
 
 
+----
+
+Privacy leak via Google Chart API link in map-update timing web page
+--------------------------------------------------------------------
+
+The Tahoe web-based user interface includes a diagnostic page known as the
+"map-update timing page". It is reached through the "Recent and Active
+Operations" link on the front welcome page, then through the "Status" column
+for "map-update" operations (which occur when mutable files, including
+directories, are read or written). This page contains per-server response
+times, as lines of text, and includes an image which displays the response
+times in graphical form. The image is generated by constructing a URL for the
+`Google Chart API <https://developers.google.com/chart/image/>`_, which is
+then served by the `chart.apis.google.com` internet server.
+
+When you view this page, several parties may learn information about your
+Tahoe activities. The request will typically include a "Referer" header,
+revealing the URL of the mapupdate status page (which is typically something
+like "http://127.0.0.1:3456/status/mapupdate-123") to network observers and
+the Google API server. The image returned by this server is typically a PNG
+file, but either the server or a MitM attacker could replace it with
+something malicious that attempts to exploit a browser rendering bug or
+buffer overflow. (Note that browsers do not execute scripts inside IMG tags,
+even for SVG images).
+
+In addition, if your Tahoe node connects to its grid over Tor or i2p, but the
+web browser you use to access it does not, then this image link may reveal
+your use of Tahoe to the outside world. It is not recommended to use a
+browser in this way, because other links in Tahoe-stored content would reveal
+even more information (e.g. an attacker could store an HTML file with unique
+CSS references into a shared Tahoe grid, then send your pseudonym a message
+with its URI, then observe your browser loading that CSS file, and thus link
+the source IP address of your web client to that pseudonym).
+
+A future version of Tahoe will probably replace the Google Chart API link
+(which was deprecated by Google in April 2012) with client-side javascript
+using d3.js, removing the information leak but requiring JS to see the chart.
+See ticket `#1942`_ for details.
+
+.. _#1942: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942
+
 ----
 
 Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
-- 
2.45.2