Alexa hover and privacy concerns

[rrsd]

First off, our new zimbraserver rocks. Hands-down straight-up rocks. I've run everything from sendmail to exchange, and zimbra has them smoked. Thanks for the effort developing it, and double-thanks for showing the world how FOSS can be the foundation for a viable business model.

With regard to the URL hover, I've got some concerns about it. First off, Alexa/A9/whatever has a bit of a reputation problem, and while I'm neutral as far as opinion on this goes, it is something I take into account. It should also be noted that the blacklist we obtain from a trusted source for our squidGuard filtering proxy classifies alexa.com as "spyware."

More importantly, we are a school district, so confidentiality is a legal requirement as well as an ethical neccessity for us. It's something I take seriously.

What i'm concerned about is what data is leaking from clients when the hover is called up. What is going out? is it a "give me foo.com picture" or is it "give me foo.com/sessid?something_important_that_shouldnt_be_in_a_U RL_but_is_anyway?" And if needed, how do I disable the URL hover from the admin console?

Cheers

[dijichi2]

you can turn it off by disabling the zimlet:

zmzimletctl disable com_zimbra_url

i would like to be able to view the actual link behind the url as you can't see it in the browser status bar as you usually can. this is a real security risk as people can't see for instance phishing links.

[phoenix]

i would like to be able to view the actual link behind the url as you can't see it in the browser status bar as you usually can. this is a real security risk as people can't see for instance phishing links.

You could have a look at 'url.js' inside the zimlet file at this location /opt/zimbra/zimlets/com_zimbra_url.zip/ - that has details of the url. Does that know what you need?

[dijichi2]

huh? i want customers using the email to be able to look at the link they're about to click on.

[phoenix]

huh? i want customers using the email to be able to look at the link they're about to click on.

Oh, I see. That wasn't quite clear to me from what you posted.

[unilogic]

Yea it’s quite easy to forge a link. Its seems to be kind of ok in zimbra's case since it goes out to alexa for a thumbnail instead of the site its self, but still if a user was to click on the link it would open the hidden URL. There is no real good way implemented to show the user, like dijichi2 said in the status bar the actual URL, they're about to click on a nasty URL. Something I also think should be taken care of soon. If there’s not a bugzilla report on it. I'll make one soon.

On the other subject of this thread of what its doing when the client does a mouse over a link. Here a capture of the HTTP packet when the client does HTTP get for the thumbnail from alexa. 192.168.10.2 is the client with the web UI open. 209.237.237.99 is pthumbnails.alexa.com, decem.unilogiclabs.com is my zimbra server. http://www.msn.com is the link that thumbnail is for.

Code:

Internet Protocol, Src: 192.168.10.2 (192.168.10.2), Dst: 209.237.237.99 (209.237.237.99)
Transmission Control Protocol, Src Port: 3731 (3731), Dst Port: http (80)

Hypertext Transfer Protocol
    GET /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/ HTTP/1.1\r\n
        Request Method: GET
        Request URI: /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/
        Request Version: HTTP/1.1
    Host: pthumbnails.alexa.com\r\n
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n
    Accept: image/png,*/*;q=0.5\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    \r\n

So it does id your server to alexa but that’s all. My question is why is it necessary to id the zimba server to the alexa server. The link works fine without the id, ie.

Code:

http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/

I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.

Ben

Edit: Added Bug 7313 for the mouse hover URL in status bar problem, http://bugzilla.zimbra.com/show_bug.cgi?id=7313

[rrsd]

Nice analysis - thanks!

I'm curious what that request looks like if you're clicking on something other than the front page of a website, particularly in a case where the URL has session or related information.

[unilogic]

I'd take an educated guess that whatever the url is it just pastes it in to the url= portion of the alexa link, so it would pass on any information. I don't know what alexa's policy is on information and such, which may be something you want to look up.

[KevinH]

So it does id your server to alexa but that’s all. My question is why is it necessary to id the zimba server to the alexa server. The link works fine without the id, ie.

Code:

http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/

I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.

The id is required by Alexa's TOS. It works without and if you spoof a bad id or something bogus, but that's against their TOS. All of this code is in the URL zimlet so if somebody wanted to they could modify their own version.

The caching is done by the browser. We use a simple img include to fetch the thumbnail, which allows the browser to cache it.

[KevinH]

I'd take an educated guess that whatever the url is it just pastes it in to the url= portion of the alexa link, so it would pass on any information. I don't know what alexa's policy is on information and such, which may be something you want to look up.

Correct. The entire URL is passed. This lets Alexa show a different thumbnail for different site areas if possible. So www.zimbra.com and www.zimbra.com/forums could get a different thumbnail. Maybe a better solution would be to strip anything after a ? or the first /.

This way you only send the root URL and up to one level of path information.