Alexa hover and privacy concerns

rrsd
Posts: 15
Joined: Fri Sep 12, 2014 10:09 pm

Alexa hover and privacy concerns

Postby rrsd » Sun Apr 23, 2006 1:59 am

First off, our new zimbraserver rocks. Hands-down straight-up rocks. I've run everything from sendmail to exchange, and zimbra has them smoked. Thanks for the effort developing it, and double-thanks for showing the world how FOSS can be the foundation for a viable business model.
With regard to the URL hover, I've got some concerns about it. First off, Alexa/A9/whatever has a bit of a reputation problem, and while I'm neutral as far as opinion on this goes, it is something I take into account. It should also be noted that the blacklist we obtain from a trusted source for our squidGuard filtering proxy classifies alexa.com as "spyware."
More importantly, we are a school district, so confidentiality is a legal requirement as well as an ethical necessity for us. It's something I take seriously.
What I'm concerned about is what data is leaking from clients when the hover is called up. What is going out? Is it a "give me foo.com picture" or is it "give me foo.com/sessid?something_important_that_shouldnt_be_in_a_URL_but_is_anyway?" And if needed, how do I disable the URL hover from the admin console?
Cheers


dijichi2
Elite member
Posts: 1133
Joined: Fri Sep 12, 2014 10:00 pm

Alexa hover and privacy concerns

Postby dijichi2 » Sun Apr 23, 2006 8:51 am

you can turn it off by disabling the zimlet:
zmzimletctl disable com_zimbra_url
I would like to be able to view the actual link behind the URL, as you can't see it in the browser status bar as you usually can. This is a real security risk as people can't see, for instance, phishing links.
phoenix
Ambassador
Posts: 26711
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Alexa hover and privacy concerns

Postby phoenix » Sun Apr 23, 2006 9:08 am

[quote user="dijichi2"]I would like to be able to view the actual link behind the URL, as you can't see it in the browser status bar as you usually can. This is a real security risk as people can't see, for instance, phishing links.[/QUOTE]

You could have a look at 'url.js' inside the zimlet file at this location: /opt/zimbra/zimlets/com_zimbra_url.zip/ - that has details of the URL. Does that show what you need?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
dijichi2
Elite member
Posts: 1133
Joined: Fri Sep 12, 2014 10:00 pm

Alexa hover and privacy concerns

Postby dijichi2 » Sun Apr 23, 2006 10:43 am

Huh? I want customers using the email to be able to look at the link they're about to click on.
phoenix
Ambassador
Posts: 26711
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Alexa hover and privacy concerns

Postby phoenix » Sun Apr 23, 2006 10:55 am

[quote user="dijichi2"]Huh? I want customers using the email to be able to look at the link they're about to click on.[/QUOTE]

Oh, I see. That wasn't quite clear to me from what you posted.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
unilogic
Advanced member
Posts: 51
Joined: Fri Sep 12, 2014 10:01 pm

Alexa hover and privacy concerns

Postby unilogic » Sun Apr 23, 2006 8:15 pm

Yea, it's quite easy to forge a link. It seems to be kind of ok in zimbra's case since it goes out to alexa for a thumbnail instead of the site itself, but still, if a user was to click on the link it would open the hidden URL. There is no real good way implemented to show the user the actual URL they're about to click on in the status bar, like dijichi2 said, so they could be about to click on a nasty URL. Something I also think should be taken care of soon. If there's not a bugzilla report on it, I'll make one soon.
On the other subject of this thread, what it's doing when the client does a mouse over a link: here's a capture of the HTTP packet when the client does an HTTP GET for the thumbnail from alexa. 192.168.10.2 is the client with the web UI open, 209.237.237.99 is pthumbnails.alexa.com, and decem.unilogiclabs.com is my zimbra server. http://www.msn.com is the link that thumbnail is for.

Internet Protocol, Src: 192.168.10.2 (192.168.10.2), Dst: 209.237.237.99 (209.237.237.99)
Transmission Control Protocol, Src Port: 3731 (3731), Dst Port: http (80)
Hypertext Transfer Protocol
GET /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/ HTTP/1.1
Request Method: GET
Request URI: /image_server.cgi?id=decem.unilogiclabs.com&url=http://www.msn.com/
Request Version: HTTP/1.1
Host: pthumbnails.alexa.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

So it does id your server to alexa, but that's all. My question is why is it necessary to id the zimbra server to the alexa server. The link works fine without the id, i.e.
http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/


I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.
Ben
Edit: Added Bug 7313 for the mouse hover URL in status bar problem, http://bugzilla.zimbra.com/show_bug.cgi?id=7313
rrsd
Posts: 15
Joined: Fri Sep 12, 2014 10:09 pm

Alexa hover and privacy concerns

Postby rrsd » Sun Apr 23, 2006 8:37 pm

Nice analysis - thanks!
I'm curious what that request looks like if you're clicking on something other than the front page of a website, particularly in a case where the URL has session or related information.
unilogic
Advanced member
Posts: 51
Joined: Fri Sep 12, 2014 10:01 pm

Alexa hover and privacy concerns

Postby unilogic » Sun Apr 23, 2006 8:41 pm

I'd take an educated guess that whatever the url is it just pastes it in to the url= portion of the alexa link, so it would pass on any information. I don't know what alexa's policy is on information and such, which may be something you want to look up.
14319KevinH
Ambassador
Posts: 4558
Joined: Fri Sep 12, 2014 9:52 pm

Alexa hover and privacy concerns

Postby 14319KevinH » Sun Apr 23, 2006 8:51 pm

[quote user="unilogic"]So it does id your server to alexa, but that's all. My question is why is it necessary to id the zimbra server to the alexa server. The link works fine without the id, i.e.
http://pthumbnails.alexa.com/image_server.cgi?url=http://www.msn.com/

I'd personally rather not have alexa knowing the hostname of my server every time a client views a thumbnail. Also to note once a client views a thumbnail, zimbra seems to cache it. Hope that helps.[/QUOTE]
The id is required by Alexa's TOS. It works without it, or if you spoof a bad id or something bogus, but that's against their TOS. All of this code is in the URL zimlet, so if somebody wanted to they could modify their own version.
The caching is done by the browser. We use a simple img include to fetch the thumbnail, which allows the browser to cache it.
14319KevinH
Ambassador
Posts: 4558
Joined: Fri Sep 12, 2014 9:52 pm

Alexa hover and privacy concerns

Postby 14319KevinH » Sun Apr 23, 2006 8:54 pm

[quote user="unilogic"]I'd take an educated guess that whatever the url is it just pastes it in to the url= portion of the alexa link, so it would pass on any information. I don't know what alexa's policy is on information and such, which may be something you want to look up.[/QUOTE]


Correct. The entire URL is passed. This lets Alexa show a different thumbnail for different site areas if possible. So http://www.zimbra.com and http://www.zimbra.com/forums could get a different thumbnail. Maybe a better solution would be to strip anything after a ? or the first /.
This way you only send the root URL and up to one level of path information.
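A sketch of the URL-trimming idea proposed in the post above, as an added example that is not the zimlet's actual code or anything from Zimbra: it keeps only the scheme, host and first path segment of a hovered link, dropping the query string, fragment and any user:password@ part before the link is placed in the thumbnail request. The `image_server.cgi` endpoint and the `id`/`url` parameters come from the capture earlier in the thread; the function names are my own, and unlike the raw capture the parameters are percent-encoded.

```javascript
// Added example (not the zimlet's own code): build the thumbnail request
// URL from a hovered link while sending only the origin plus one path
// segment, as proposed in the thread. Uses the WHATWG URL API.

// Reduce a hovered link to scheme + host + at most one path segment.
// Query string, fragment and any user:password@ part are discarded,
// since those are where session ids and similar secrets tend to live.
function trimLinkForThumbnail(link) {
  let u;
  try {
    u = new URL(link);
  } catch (e) {
    return null; // not an absolute URL: send nothing to the third party
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return null; // mailto:, javascript:, file: etc. get no thumbnail
  }
  // pathname always starts with "/"; keep only the first segment.
  const firstSegment = u.pathname.split("/")[1] || "";
  return u.protocol + "//" + u.host + "/" + firstSegment;
}

// Assemble the image_server.cgi request seen in the capture, with the
// trimmed URL in place of the raw link. serverId is the hostname the
// zimlet sends as id= (a constructed value in the test below).
function buildThumbnailRequest(serverId, link) {
  const trimmed = trimLinkForThumbnail(link);
  if (trimmed === null) return null;
  return "http://pthumbnails.alexa.com/image_server.cgi?id=" +
    encodeURIComponent(serverId) + "&url=" + encodeURIComponent(trimmed);
}
```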
