
Thread: Alexa hover and privacy concerns


  1. #1
    Join Date
    Apr 2006
    Posts
    15
    Rep Power
    9

    Alexa hover and privacy concerns

    First off, our new Zimbra server rocks. Hands-down straight-up rocks. I've run everything from sendmail to exchange, and zimbra has them smoked. Thanks for the effort developing it, and double-thanks for showing the world how FOSS can be the foundation for a viable business model.

    With regard to the URL hover, I've got some concerns about it. First off, Alexa/A9/whatever has a bit of a reputation problem, and while I'm neutral as far as opinion on this goes, it is something I take into account. It should also be noted that the blacklist we obtain from a trusted source for our squidGuard filtering proxy classifies alexa.com as "spyware."

    More importantly, we are a school district, so confidentiality is a legal requirement as well as an ethical necessity for us. It's something I take seriously.

    What I'm concerned about is what data is leaking from clients when the hover is called up. What is going out? Is it a "give me foo.com picture" or is it "give me foo.com/sessid?something_important_that_shouldnt_be_in_a_URL_but_is_anyway?" And if needed, how do I disable the URL hover from the admin console?

    Cheers

  2. #2
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    you can turn it off by disabling the zimlet:

    zmzimletctl disable com_zimbra_url

    i would like to be able to view the actual link behind the url as you can't see it in the browser status bar as you usually can. this is a real security risk as people can't see for instance phishing links.

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Quote Originally Posted by dijichi2
    i would like to be able to view the actual link behind the url as you can't see it in the browser status bar as you usually can. this is a real security risk as people can't see for instance phishing links.
    You could have a look at 'url.js' inside the zimlet file at this location /opt/zimbra/zimlets/com_zimbra_url.zip/ - that has details of the url. Does that know what you need?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    huh? i want customers using the email to be able to look at the link they're about to click on.

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Quote Originally Posted by dijichi2
    huh? i want customers using the email to be able to look at the link they're about to click on.
    Oh, I see. That wasn't quite clear to me from what you posted.
    Regards


    Bill



  6. #6
    Join Date
    Nov 2005
    Posts
    51
    Rep Power
    10

    Yea it’s quite easy to forge a link. It seems to be kind of ok in zimbra's case since it goes out to alexa for a thumbnail instead of the site itself, but still if a user was to click on the link it would open the hidden URL. There is no real good way implemented to show the user, like dijichi2 said in the status bar the actual URL, they're about to click on a nasty URL. Something I also think should be taken care of soon. If there’s not a bugzilla report on it, I'll make one soon.

    On the other subject of this thread, of what it's doing when the client does a mouse over a link: here's a capture of the HTTP packet when the client does an HTTP GET for the thumbnail from alexa. 192.168.10.2 is the client with the web UI open. 209.237.237.99 is pthumbnails.alexa.com, decem.unilogiclabs.com is my zimbra server. http://www.msn.com is the link that thumbnail is for.

    Code:
    Internet Protocol, Src: 192.168.10.2 (192.168.10.2), Dst: 209.237.237.99 (209.237.237.99)
    Transmission Control Protocol, Src Port: 3731 (3731), Dst Port: http (80)
    
    Hypertext Transfer Protocol
        GET /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/ HTTP/1.1\r\n
            Request Method: GET
            Request URI: /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/
            Request Version: HTTP/1.1
        Host: pthumbnails.alexa.com\r\n
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n
        Accept: image/png,*/*;q=0.5\r\n
        Accept-Language: en-us,en;q=0.5\r\n
        Accept-Encoding: gzip,deflate\r\n
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
        Keep-Alive: 300\r\n
        Connection: keep-alive\r\n
        \r\n
    So it does id your server to alexa but that’s all. My question is why is it necessary to id the zimbra server to the alexa server. The link works fine without the id, ie.
    Code:
    http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/
    I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.

    Ben

    Edit: Added Bug 7313 for the mouse hover URL in status bar problem, http://bugzilla.zimbra.com/show_bug.cgi?id=7313
    Last edited by unilogic; 04-23-2006 at 07:33 PM.
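
Added example, not part of the original thread and not Zimbra's code: the request from the capture above run through a small audit that lists what it discloses to the thumbnail host, plus a reduced request that omits `id` (which the post reports still works) and sends only the link's origin. That the service can render a thumbnail from the origin alone is an assumption; `auditThumbnailRequest` and `minimalThumbnailUrl` are hypothetical names.

```javascript
// Added example, not Zimbra code. The endpoint and the id/url parameter names
// are taken from the capture above; both helper functions are hypothetical.
const THUMB_ENDPOINT = "http://pthumbnails.alexa.com/image_server.cgi";

// Report what one thumbnail request reveals to the third-party host.
function auditThumbnailRequest(requestUrl) {
  const req = new URL(requestUrl);
  const query = req.search.slice(1);
  // The capture shows url= sent unencoded and last, so everything after
  // "url=" is treated as the link, including any "&" inside it.
  const m = /(?:^|&)url=(.*)$/.exec(query);
  const before = m ? query.slice(0, m.index) : query;
  const report = {
    thirdParty: req.host,
    serverId: new URLSearchParams(before).get("id"),
    linkHost: null, leaksPath: false, leaksQuery: false,
  };
  if (!m) return report;
  let raw = m[1];
  try { raw = decodeURIComponent(raw); } catch (e) { /* keep the raw value */ }
  try {
    const link = new URL(raw);
    report.linkHost = link.host;
    report.leaksPath = link.pathname !== "/";
    report.leaksQuery = link.search !== "";
  } catch (e) { /* not an absolute URL: nothing more to classify */ }
  return report;
}

// Build a request that sends no server id and only the link's origin.
function minimalThumbnailUrl(href) {
  const link = new URL(href);
  if (link.protocol !== "http:" && link.protocol !== "https:") return null;
  // origin = scheme + host + port, so it has no "?", "&" or "#" to escape.
  return THUMB_ENDPOINT + "?url=" + link.origin + "/";
}

// Request from the capture, then a constructed one carrying a session token.
const captured = THUMB_ENDPOINT + "?id=decem.unilogiclabs.com&url=http://www.msn.com/";
const constructed = THUMB_ENDPOINT +
  "?id=mail.example.org&url=http://foo.com/sessid?token=abc123&next=home";
console.log(auditThumbnailRequest(captured));
console.log(auditThumbnailRequest(constructed));
console.log(minimalThumbnailUrl("http://foo.com/sessid?token=abc123&next=home"));
```

The constructed request is the case the first post asks about: the path and query of the hovered link travel to the thumbnail host along with the mail server's hostname.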
