known_issues: document the google-chart-API privacy leak. Refs #1942.

diff --git a/docs/known_issues.rst b/docs/known_issues.rst
index a4a342ab795fb187adc243d51a1afcfb0525cd7e..88aa88f6e3ef2214980aeae9d4a1b5f93fbfb159 100644 (file)
--- a/docs/known_issues.rst
+++ b/docs/known_issues.rst
@@ -27,6 +27,7 @@ Known Issues in Tahoe-LAFS v1.9.2, released 3-Jul-2012
   *  `Capabilities may be leaked to web browser phishing filter / "safe browsing" servers`_
   *  `Known issues in the FTP and SFTP frontends`_
   *  `Traffic analysis based on sizes of files/directories, storage indices, and timing`_
   *  `Capabilities may be leaked to web browser phishing filter / "safe browsing" servers`_
   *  `Known issues in the FTP and SFTP frontends`_
   *  `Traffic analysis based on sizes of files/directories, storage indices, and timing`_

+  *  `Privacy leak via Google Chart API link in map-update timing web page`_

 
 ----
 
 
 ----
 


@@ -252,6 +253,47 @@ time are likely to be related even if they are not linked in the directory
 structure. Also, users that access the same files may be related to each other.
 
 
 structure. Also, users that access the same files may be related to each other.
 
 

+----
+
+Privacy leak via Google Chart API link in map-update timing web page
+--------------------------------------------------------------------
+
+The Tahoe web-based user interface includes a diagnostic page known as the
+"map-update timing page". It is reached through the "Recent and Active
+Operations" link on the front welcome page, then through the "Status" column
+for "map-update" operations (which occur when mutable files, including
+directories, are read or written). This page contains per-server response
+times, as lines of text, and includes an image which displays the response
+times in graphical form. The image is generated by constructing a URL for the
+`Google Chart API <https://developers.google.com/chart/image/>`_, which is
+then served by the `chart.apis.google.com` internet server.
+
+When you view this page, several parties may learn information about your
+Tahoe activities. The request will typically include a "Referer" header,
+revealing the URL of the mapupdate status page (which is typically something
+like "http://127.0.0.1:3456/status/mapupdate-123") to network observers and
+the Google API server. The image returned by this server is typically a PNG
+file, but either the server or a MitM attacker could replace it with
+something malicious that attempts to exploit a browser rendering bug or
+buffer overflow. (Note that browsers do not execute scripts inside IMG tags,
+even for SVG images).
+
+In addition, if your Tahoe node connects to its grid over Tor or i2p, but the
+web browser you use to access it does not, then this image link may reveal
+your use of Tahoe to the outside world. It is not recommended to use a
+browser in this way, because other links in Tahoe-stored content would reveal
+even more information (e.g. an attacker could store an HTML file with unique
+CSS references into a shared Tahoe grid, then send your pseudonym a message
+with its URI, then observe your browser loading that CSS file, and thus link
+the source IP address of your web client to that pseudonym).
+
+A future version of Tahoe will probably replace the Google Chart API link
+(which was deprecated by Google in April 2012) with client-side javascript
+using d3.js, removing the information leak but requiring JS to see the chart.
+See ticket `#1942`_ for details.
+
+.. _#1942: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942
+

 ----
 
 Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
 ----
 
 Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011