From: Brian Warner Date: Tue, 23 Apr 2013 23:39:53 +0000 (-0700) Subject: known_issues: update chart-API text, with suggestions from Leif. refs #1942 X-Git-Tag: allmydata-tahoe-1.10.0b2~3 X-Git-Url: https://git.rkrishnan.org/(%5B%5E?a=commitdiff_plain;h=02975d188735a59f6b92b394402f184eb11b15f7;p=tahoe-lafs%2Ftahoe-lafs.git known_issues: update chart-API text, with suggestions from Leif. refs #1942 --- diff --git a/docs/known_issues.rst b/docs/known_issues.rst index 88aa88f6..4e349394 100644 --- a/docs/known_issues.rst +++ b/docs/known_issues.rst @@ -279,13 +279,14 @@ buffer overflow. (Note that browsers do not execute scripts inside IMG tags, even for SVG images). In addition, if your Tahoe node connects to its grid over Tor or i2p, but the -web browser you use to access it does not, then this image link may reveal -your use of Tahoe to the outside world. It is not recommended to use a -browser in this way, because other links in Tahoe-stored content would reveal -even more information (e.g. an attacker could store an HTML file with unique -CSS references into a shared Tahoe grid, then send your pseudonym a message -with its URI, then observe your browser loading that CSS file, and thus link -the source IP address of your web client to that pseudonym). +web browser you use to access your node does not, then this image link may +reveal your use of Tahoe (and that grid) to the outside world. It is not +recommended to use a browser in this way, because other links in Tahoe-stored +content would reveal even more information (e.g. an attacker could store an +HTML file with unique CSS references into a shared Tahoe grid, then send your +pseudonym a message with its URI, then observe your browser loading that CSS +file, and thus link the source IP address of your web client to that +pseudonym). A future version of Tahoe will probably replace the Google Chart API link (which was deprecated by Google in April 2012) with client-side javascript