pad url is leaked whenever a link is clicked #1603
Comments
|
+1 for your analyis, which was on top of my list for a similar publication. use method (C):pad address as anchor part of the URL (#…) which is never sent to server.is perfect and fully analysed for example in links mentioned here owncloud/core#106 (comment) and other articles related to client-side encryption, which often uses this property. But how shall our entitled pad server know our pad url, it needs that ? Look here to understand: a "hidden" encryption is perhaps to be used to enable that: from https://github.com/sebsauvage/ZeroBin <img src=http://sebsauvage.net/wiki/lib/exe/fetch.php?media=php:zerobin:zerobin_figure_encryption.png> |
|
Welcome to see proposals and their relevant patches for this issue |
|
Yeah, I prefer (C) precisely because it is what will be needed eventually to support client-encrypted pads. But it is not a minor change. |
|
see https://github.com/toberndo/mailvelope project which solves a similar (if not, the same) issue. "Mailvelope is a browser extension for Google Chrome and Firefox that allows secure email communication based on the OpenPGP standard. It can be configured to work with arbitrary Webmail provider." |
|
Ouch, I was counting on the links not being sent as referrers when https was being used. I should have tested this! Option C, as Wikinaut has described would be the more complete solution and would enable a lot more for the future, but could take a long time to get there. It seems to me that option D is the easiest to implement and would resolve this security issue fast, in terms of not letting the perfect be the enemy of the good. A fast resolution to this issue seems more important at this point. |
|
My understanding of the etherpad lite architecture - which might be outdated - is that option (c) would actually not be that hard. From what i remember the initial page loaded by etherpad is always the same. Then the js parses the url and makes ajax requests to retrieve the pad specific content. These requests contain the pad id. But for the initial request the server does not make use of the pad id anyway. |
|
Option E: Rewrite the URLs with a Dereferer-Service like http://www.dereferer.org http://www.google.de -> http://www.dereferer.org/?http%3A%2F%2Fwww%2Egoogle%2Ede |
|
mh. could be an option, but I daresay a third-party service might not be |
|
Btw C would be quick/easy to solve/implement should anyone be interested in sponsoring me to dev it. |
|
Another option is to place this feature request on http://etherpad.idea.informer.com/ and get enough votes for the community to fund the dev |
|
Some NFPs are sponsoring 2 hours of my dev time on option D, will see where that gets us to |
|
Holy shit, there was just a glitch in the matrix. It appears that Chrome has started to send the location.hash in the referer header. Steps to reproduce:
Sure enough, just as the what-is-my-referrer page says, the referer header is being sent with the location hash: This is new behavior, and violates the RFC. Lets review the RFC 2616 language on referers: What is a fragment? "The fragment identifier introduced by a hash mark # is the optional last part of a URL for a document. It is typically used to identify a portion of that document." (src). This is not the first time Chrome has violated an important aspect of the HTTP RFCs, won't be the last. This change must certainly be deliberate. Sadly, I think that (D) "interstitial page" is the only option that makes sense at the moment. |
|
Doing a prompt and an interstitial page as a fix anyway, I don't trust browsers. |
|
Btw accepting donations if anyone wants this to move faster / spend more time on it. :) |
|
+1 ;) |
|
i can't reproduce the problem described by elijh here, i get this as a referer: this is Chromium Version 27.0.1453.93 Debian 7.0 (200836) |
|
Either way I don't trust the browser so don't worry about it. Will make the server do the heavy lifting. |
|
Really weird, I am no longer able to reproduce fragment in the referrer. So, it must have been a non-deterministic bug in my version of Chromium. I will try to reproduce. |
|
So I took a alternative route to fixing this problem in my latest commit. I basically store the url to a cookie and read that out when redirecting.. https://github.com/JohnMcLear/ep_hide_referrer The url that is exposed to the third party is /redirect Can anyone think of a weakness in storing the url in a cookie and referring to it during redirect? |
|
Guess this way was strong enough.. Enjoy, closing.. |
|
Here's a test page, showing leaking pad URL to external links through HTTP referer. |
|
@joelpurra lulwut. MoPad is not running Etherpad. It's running an old abomination of Etherpad we don't even support any more. Tell MoPad to update or even better DONT USE MOPAD! |
|
@JohnMcLear: is the problem fixed in the latest etherpad then? |
|
@JohnMcLear: and where is a more recent public version I can test this on? |
|
http://etherpad.org -- Download and test it -- Read this issue. |
|
@JohnMcLear: guess it's not fixed: |
|
@JohnMcLear: so the problem is |
|
Applied |
|
Some people might not want this though.. We can't change default behaviour under people.. |
|
Could there be an option as described in #2731 ? It would be great to set two options in settings.json
and an adjustment in the link constructor accordingly. At the moment I use @JohnMcLear ep_hide_referrer but that requires a user interaction ( a click ) - if you could use your own refererrer that would not be necessary and the users weren't bothered with it :) |
|
Recent news about this issue for webadmins (or a possible inclusion into Etherpad): You can fix the referrer issue by using a CSP header (a relatively new security feature of major browsers). Just set the referrer value. E.g. in this way: FYI you can do much more with a CSP. Create your CSP here. |
|
Ther'es also |
|
Yes, in #3044, I added this. |
Before this patch I managed to send a bunch of referrers to third party websites with Firefox. Unfortunately, meta name="referrer" isn't enough. I added "noopener" because that's also what Nextcloud does. One may want to check another pull request from 2015 which may be more complete, but it was denied with a plugin proposal: ether#2498 References to earlier issues: ether#1603, ether#3043
|
Etherpad 1.8.0 changed its referrer policy and started sending Discussion & PR: #3636 Note to self about CSP: the use of CSP for configuring referrer policies has been deprecated. The current standard prescribes the use of |
The problem: if a user clicks on a link in the main body or in the chat, the referrer is sent by the browser to the new website showing the full url of the pad, thus revealing the pad's content and history. Typically, this referrer information information is logged and stored by the target website.
Why this is bad: most users probably do not realized that clicking on a link in a pad automatically shares the pad with the website they clicked on (!).
Solutions:
(A) HTML5 has a
noreferreroption for links, but is is not widely supported. Move along.(B) One option would be to disable the auto-links in etherpad. As far as I can tell, these can be disabled in ace2_inner.js
handleClick()and pad_utils.jsescapeHtmlWithClickableLinks().(C) Another option would be to change the way pad names are encoded in the URL to use the location hash instead of the path. For example, instead of
https://pad.riseup.net/p/0Jr0eetherpad could usehttps://pad.riseup.net/#0Jr0e. The location hash (anchor) is not sent as part of the referrer.(D) A final option is to create an interstitial page as part of etherpad. For example, every link would really go to
/redirect/, where it would then get auto redirected on to the target website. The final target website could be sent to the request to/redirecteither as a POST or in the location hash. For example, `/redirect#https%3A%2F%2Friseup.net%2Fwhat-is-my-referrer' would redirect to https://riseup.net/what-is-my-referrer.Option D seems to me that it is probably the best for the moment: it would be easy to implement and it retains the usability of clickable links. On the downside, interstitial pages are slightly annoying because they make it a bit slower to get to the site you want.
Notes:
https -- If the pad is loaded via https, then the referrer is only sent to other https websites. This is small comfort, but important to know if you are trying this at home.
chrome -- Chrome is not able to figure out what the referrer should be of the inner ace iframe. I suspect this is because it is dynamically generated. The result is that if you click on a link in a pad body using chrome, no referrer is sent. Firefox has no such confusion, and links from the chat always send referrer in all browsers.
testing -- You can use https://riseup.net/what-is-my-referrer as a link to test if the referrer is being sent by the browser. Make sure to specify
httpsand nothttpbecause the plainhttplink will redirect and erase the referrer.The text was updated successfully, but these errors were encountered: