
Thread: Alexa hover and privacy concerns

  1. #1
    rrsd is offline Intermediate Member
    Join Date
    Apr 2006
    Posts
    15
    Rep Power
    9

    Default Alexa hover and privacy concerns

    First off, our new zimbraserver rocks. Hands-down straight-up rocks. I've run everything from sendmail to exchange, and zimbra has them smoked. Thanks for the effort developing it, and double-thanks for showing the world how FOSS can be the foundation for a viable business model.

    With regard to the URL hover, I've got some concerns about it. First off, Alexa/A9/whatever has a bit of a reputation problem, and while I'm neutral as far as opinion on this goes, it is something I take into account. It should also be noted that the blacklist we obtain from a trusted source for our squidGuard filtering proxy classifies alexa.com as "spyware."

    More importantly, we are a school district, so confidentiality is a legal requirement as well as an ethical necessity for us. It's something I take seriously.

    What I'm concerned about is what data is leaking from clients when the hover is called up. What is going out? Is it a "give me foo.com picture" or is it "give me foo.com/sessid?something_important_that_shouldnt_be_in_a_URL_but_is_anyway?" And if needed, how do I disable the URL hover from the admin console?

    Cheers

  2. #2
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    11

    Default

    you can turn it off by disabling the zimlet:

    zmzimletctl disable com_zimbra_url

    i would like to be able to view the actual link behind the url as you can't see it in the browser status bar as you usually can. this is a real security risk as people can't see for instance phishing links.

  3. #3
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,491
    Rep Power
    56

    Default

    Quote Originally Posted by dijichi2
    i would like to be able to view the actual link behind the url as you can't see it in the browser status bar as you usually can. this is a real security risk as people can't see for instance phishing links.
    You could have a look at 'url.js' inside the zimlet file at this location /opt/zimbra/zimlets/com_zimbra_url.zip/ - that has details of the url. Does that know what you need?
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    11

    Default

    huh? i want customers using the email to be able to look at the link they're about to click on.

  5. #5
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,491
    Rep Power
    56

    Default

    Quote Originally Posted by dijichi2
    huh? i want customers using the email to be able to look at the link they're about to click on.
    Oh, I see. That wasn't quite clear to me from what you posted.
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  6. #6
    unilogic is offline Senior Member
    Join Date
    Nov 2005
    Posts
    51
    Rep Power
    9

    Default

    Yea, it's quite easy to forge a link. It seems to be kind of ok in zimbra's case since it goes out to alexa for a thumbnail instead of the site itself, but still, if a user was to click on the link it would open the hidden URL. There is no real good way implemented to show the user, like dijichi2 said, the actual URL in the status bar; they're about to click on a nasty URL. Something I also think should be taken care of soon. If there's not a bugzilla report on it, I'll make one soon.

    On the other subject of this thread, what it's doing when the client does a mouse over a link: here's a capture of the HTTP packet when the client does an HTTP GET for the thumbnail from alexa. 192.168.10.2 is the client with the web UI open. 209.237.237.99 is pthumbnails.alexa.com, decem.unilogiclabs.com is my zimbra server. http://www.msn.com is the link that thumbnail is for.

    Code:
    Internet Protocol, Src: 192.168.10.2 (192.168.10.2), Dst: 209.237.237.99 (209.237.237.99)
    Transmission Control Protocol, Src Port: 3731 (3731), Dst Port: http (80)
    
    Hypertext Transfer Protocol
        GET /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/ HTTP/1.1\r\n
            Request Method: GET
            Request URI: /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/
            Request Version: HTTP/1.1
        Host: pthumbnails.alexa.com\r\n
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n
        Accept: image/png,*/*;q=0.5\r\n
        Accept-Language: en-us,en;q=0.5\r\n
        Accept-Encoding: gzip,deflate\r\n
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
        Keep-Alive: 300\r\n
        Connection: keep-alive\r\n
        \r\n
    So it does id your server to alexa but that's all. My question is why is it necessary to id the zimbra server to the alexa server. The link works fine without the id, i.e.
    Code:
    http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/
    I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.

    Ben

    Edit: Added Bug 7313 for the mouse hover URL in status bar problem, http://bugzilla.zimbra.com/show_bug.cgi?id=7313
    Last edited by unilogic; 04-23-2006 at 06:33 PM.

  7. #7
    rrsd is offline Intermediate Member
    Join Date
    Apr 2006
    Posts
    15
    Rep Power
    9

    Default

    Nice analysis - thanks!

    I'm curious what that request looks like if you're clicking on something other than the front page of a website, particularly in a case where the URL has session or related information.

  8. #8
    unilogic is offline Senior Member
    Join Date
    Nov 2005
    Posts
    51
    Rep Power
    9

    Default

    I'd take an educated guess that whatever the url is it just pastes it in to the url= portion of the alexa link, so it would pass on any information. I don't know what alexa's policy is on information and such, which may be something you want to look up.

  9. #9
    KevinH is offline Expert Member
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    18

    Default

    Quote Originally Posted by unilogic
    So it does id your server to alexa but that's all. My question is why is it necessary to id the zimbra server to the alexa server. The link works fine without the id, i.e.
    Code:
    http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/
    I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.
    The id is required by Alexa's TOS. It works without and if you spoof a bad id or something bogus, but that's against their TOS. All of this code is in the URL zimlet so if somebody wanted to they could modify their own version.

    The caching is done by the browser. We use a simple img include to fetch the thumbnail, which allows the browser to cache it.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  10. #10
    KevinH is offline Expert Member
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    18

    Default

    Quote Originally Posted by unilogic
    I'd take an educated guess that whatever the url is it just pastes it in to the url= portion of the alexa link, so it would pass on any information. I don't know what alexa's policy is on information and such, which may be something you want to look up.

    Correct. The entire URL is passed. This lets Alexa show a different thumbnail for different site areas if possible. So www.zimbra.com and www.zimbra.com/forums could get a different thumbnail. Maybe a better solution would be to strip anything after a ? or the first /.

    This way you only send the root URL and up to one level of path information.
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.
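Added example (not the zimlet's own code; the names THUMBNAIL_ENDPOINT, rootUrl, leaksDetail and thumbnailRequest are this example's own): it builds the request shape the capture in post #6 shows, next to the trimmed variant KevinH proposes (root URL plus one path segment, nothing after a "?"), and adds a check for whether a given link would carry query, fragment, credentials or a deeper path out to the thumbnail service. It assumes the WHATWG URL API available in Node.js and browsers.

```javascript
// Endpoint and parameter names taken from the capture in post #6.
const THUMBNAIL_ENDPOINT = "http://pthumbnails.alexa.com/image_server.cgi";

// Reduce a URL to scheme + host(:port) + first path segment, as suggested
// in the thread. Query string, fragment and user:pass@ are dropped, so
// session ids, tokens and deep paths never leave the client.
function rootUrl(target) {
  const u = new URL(target);
  const firstSegment = u.pathname.split("/").filter(Boolean)[0];
  const path = firstSegment ? "/" + firstSegment + "/" : "/";
  return `${u.protocol}//${u.host}${path}`;
}

// True when the full URL carries anything rootUrl() would strip, i.e. the
// parts a school district would not want forwarded to a third party.
function leaksDetail(target) {
  const u = new URL(target);
  return u.search !== "" || u.hash !== "" || u.username !== "" ||
    u.pathname.split("/").filter(Boolean).length > 1;
}

// Build the GET target the zimlet would fetch. `minimal: true` sends only
// the root URL; `minimal: false` reproduces the full-URL behaviour KevinH
// confirms in post #10. Parameters are percent-encoded, which the capture
// suggests the original did not do.
function thumbnailRequest(serverId, target, { minimal = true } = {}) {
  const q = new URLSearchParams();
  q.set("id", serverId);
  q.set("url", minimal ? rootUrl(target) : target);
  return `${THUMBNAIL_ENDPOINT}?${q.toString()}`;
}

// Constructed sample: a link with a session id in the query string.
const sample = "https://www.zimbra.com/forums/index.php?sid=abc123#top";
console.log(leaksDetail(sample), thumbnailRequest("mail.example.test", sample));
```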
