From 3a18157456951841d268dfc00ad63f8c97a0056d Mon Sep 17 00:00:00 2001 From: Brian Warner Date: Sun, 14 Apr 2013 22:27:03 -0700 Subject: [PATCH] known_issues: document the google-chart-API privacy leak. Refs #1942. --- docs/known_issues.rst | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/docs/known_issues.rst b/docs/known_issues.rst index a4a342ab..88aa88f6 100644 --- a/docs/known_issues.rst +++ b/docs/known_issues.rst @@ -27,6 +27,7 @@ Known Issues in Tahoe-LAFS v1.9.2, released 3-Jul-2012 * `Capabilities may be leaked to web browser phishing filter / "safe browsing" servers`_ * `Known issues in the FTP and SFTP frontends`_ * `Traffic analysis based on sizes of files/directories, storage indices, and timing`_ + * `Privacy leak via Google Chart API link in map-update timing web page`_ ---- @@ -252,6 +253,47 @@ time are likely to be related even if they are not linked in the directory structure. Also, users that access the same files may be related to each other. +---- + +Privacy leak via Google Chart API link in map-update timing web page +-------------------------------------------------------------------- + +The Tahoe web-based user interface includes a diagnostic page known as the +"map-update timing page". It is reached through the "Recent and Active +Operations" link on the front welcome page, then through the "Status" column +for "map-update" operations (which occur when mutable files, including +directories, are read or written). This page contains per-server response +times, as lines of text, and includes an image which displays the response +times in graphical form. The image is generated by constructing a URL for the +`Google Chart API `_, which is +then served by the `chart.apis.google.com` internet server. + +When you view this page, several parties may learn information about your +Tahoe activities. The request will typically include a "Referer" header, +revealing the URL of the mapupdate status page (which is typically something +like "http://127.0.0.1:3456/status/mapupdate-123") to network observers and +the Google API server. The image returned by this server is typically a PNG +file, but either the server or a MitM attacker could replace it with +something malicious that attempts to exploit a browser rendering bug or +buffer overflow. (Note that browsers do not execute scripts inside IMG tags, +even for SVG images). + +In addition, if your Tahoe node connects to its grid over Tor or i2p, but the +web browser you use to access it does not, then this image link may reveal +your use of Tahoe to the outside world. It is not recommended to use a +browser in this way, because other links in Tahoe-stored content would reveal +even more information (e.g. an attacker could store an HTML file with unique +CSS references into a shared Tahoe grid, then send your pseudonym a message +with its URI, then observe your browser loading that CSS file, and thus link +the source IP address of your web client to that pseudonym). + +A future version of Tahoe will probably replace the Google Chart API link +(which was deprecated by Google in April 2012) with client-side javascript +using d3.js, removing the information leak but requiring JS to see the chart. +See ticket `#1942`_ for details. + +.. _#1942: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1942 + ---- Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011 -- 2.37.2