"A. L." <alobiuc@xxxxxxxxx> wrote:
> Below is a sample logout URL, where I replaced alphanumeric characters
> in alpahumeric only character sequences with "A" and numeric characters
> in numeric only character sequences with "N". For some clarity, I
> present two versions of sampled URLs, one having the char sequences
> contracted to "Ax" and "Ny" forms, where x and y are the number of times
> a (not certain) alphanumeric character and numeric character
> respectively occur.
>
> http://us.ard.yahoo.com/SIG=AAAAAAAAA/M=NNNNNN.NNNNNNN.NNNNNNN.NNNNNNN/D=mail/S=NNNNNNNNN:HEADR/Y=YAHOO/EXP=NNNNNNNNNN/A=NNNNNNN/R=N/SIG=AAAAAAAAA/*http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us
>
> http://us.ard.yahoo.com/SIG=A9/M=N6.N7.N7.N7/D=mail/S=N9:HEADR/Y=YAHOO/EXP=N10/A=N7/R=N/SIG=A9/*http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us
>
> The first url string might break the page layout, sorry if it does.
>
> However, the browser should reach the following url:
>
> http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us
Can you please check if it still works if the request to
us.ard.yahoo.com is intercepted and redirected to the URL
above?
If I open it, I get a message that I "signed out of the
Yahoo! network", however I don't have an Yahoo account and
was never signed in, therefore I can't verify if skipping
us.ard.yahoo.com would be safe.
Yahoo doesn't bother to validate the URL parameters
(try
http://login.yahoo.com/config/login?logout=1&.done=http://tor.eff.org&.src=ym&.intl=us
and use the "Return to Yahoo! Mail" link) so maybe they
don't verify whether or not you're really signed out either.
Also note, and this is Tor related again, that every time
you run into a Privoxy fast-redirect problem it means that
your request was unencrypted and could be sniffed or altered
by the Tor exit node or systems between the exit node and
the destination.
You may want to investigate whether or not Yahoo allows
you to accidentally send your Email unencrypted (like Google does)
and if the session cookies are transferred encrypted.
> Indeed, maybe I should've posted at the Privoxy project lists but I
> thought it concerns all the users of the bundle alike (maybe this
> setting for other Privoxy uses is useful, but in the particular case of
> Yahoo mail users it doesn't).
While this problem affects all Yahoo-mail-using Tor bundle
users it also affects Yahoo-mail-using Privoxy users that
don't use Tor. If it gets fixed upstream both groups profit.
I agree that the problem should be fixed, I just don't think that
blindly disabling all yahoo redirects is a solution.
With Privoxy 3.0.6 you can add:
{+redirect{http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us} \
}
.yahoo./.*http://login.yahoo.com/config/login.*http://mail.yahoo.com
{-fast-redirects \
}
.yahoo.com/.*done=http
in your user.action file, with Privoxy 3.0.7 (unreleased)
you can even replace the static redirect with:
+redirect{s@^.*\*(http://login\.yahoo\.com/.*)$@$1@i}
to make sure it works for other "done" URLs as well.
If someone can confirm that this is safe, we (the Privoxy team)
will ship it with Privoxy 3.0.7's default configuration.
Fabian
Attachment:
signature.asc
Description: PGP signature