-
-See also cautions.rst_.
+.. -*- coding: utf-8-with-signature -*-
-.. _cautions.rst: file:cautions.rst
+See also `cautions.rst`_.
+
+.. _cautions.rst: cautions.rst
============
Known Issues
.. _the "historical known issues" document: historical/historical_known_issues.txt
-Known Issues in Tahoe-LAFS v1.9.2, released 3-Jul-2012
-======================================================
+Known Issues in Tahoe-LAFS v1.10.2, released 30-Jul-2015
+========================================================
* `Unauthorized access by JavaScript in unrelated files`_
* `Disclosure of file through embedded hyperlinks or JavaScript in that file`_
* `Capabilities may be leaked to web browser phishing filter / "safe browsing" servers`_
* `Known issues in the FTP and SFTP frontends`_
* `Traffic analysis based on sizes of files/directories, storage indices, and timing`_
+ * `Privacy leak via Google Chart API link in map-update timing web page`_
----
structure. Also, users that access the same files may be related to each other.
+----
+
+Privacy leak via Google Chart API link in map-update timing web page
+--------------------------------------------------------------------
+
+The Tahoe web-based user interface includes a diagnostic page known as the
+"map-update timing page". It is reached through the "Recent and Active
+Operations" link on the front welcome page, then through the "Status" column
+for "map-update" operations (which occur when mutable files, including
+directories, are read or written). This page contains per-server response
+times, as lines of text, and includes an image which displays the response
+times in graphical form. The image is generated by constructing a URL for
+the `Google Chart API`_, which is then served by the `chart.apis.google.com`
+internet server.
+
+.. _Google Chart API: https://developers.google.com/chart/image/
+
+When you view this page, several parties may learn information about your
+Tahoe activities. The request will typically include a "Referer" header,
+revealing the URL of the mapupdate status page (which is typically something
+like "http://127.0.0.1:3456/status/mapupdate-123") to network observers and
+the Google API server. The image returned by this server is typically a PNG
+file, but either the server or a MitM attacker could replace it with
+something malicious that attempts to exploit a browser rendering bug or
+buffer overflow. (Note that browsers do not execute scripts inside IMG tags,
+even for SVG images).
+
+In addition, if your Tahoe node connects to its grid over Tor or i2p, but the
+web browser you use to access your node does not, then this image link may
+reveal your use of Tahoe (and that grid) to the outside world. It is not
+recommended to use a browser in this way, because other links in Tahoe-stored
+content would reveal even more information (e.g. an attacker could store an
+HTML file with unique CSS references into a shared Tahoe grid, then send your
+pseudonym a message with its URI, then observe your browser loading that CSS
+file, and thus link the source IP address of your web client to that
+pseudonym).
+
+A future version of Tahoe will probably replace the Google Chart API link
+(which was deprecated by Google in April 2012) with client-side javascript
+using d3.js, removing the information leak but requiring JS to see the chart.
+See ticket `#1942`_ for details.
+
+.. _#1942: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942
+
----
Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
could write the corrupted data back into place, making the damage
persistent)
-
-.. _#1654: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654
-
----
Known Issues in Tahoe-LAFS v1.8.2, released 30-Jan-2011