"A. L." <alobiuc@xxxxxxxxx> wrote:

> Below is a sample logout URL, where I replaced alphanumeric characters
> in alphanumeric only character sequences with "A" and numeric characters
> in numeric only character sequences with "N". For some clarity, I
> present two versions of sampled URLs, one having the char sequences
> contracted to "Ax" and "Ny" forms, where x and y are the number of times
> a (not certain) alphanumeric character and numeric character
> respectively occur.
>
> http://us.ard.yahoo.com/SIG=AAAAAAAAA/M=NNNNNN.NNNNNNN.NNNNNNN.NNNNNNN/D=mail/S=NNNNNNNNN:HEADR/Y=YAHOO/EXP=NNNNNNNNNN/A=NNNNNNN/R=N/SIG=AAAAAAAAA/*http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us
>
> http://us.ard.yahoo.com/SIG=A9/M=N6.N7.N7.N7/D=mail/S=N9:HEADR/Y=YAHOO/EXP=N10/A=N7/R=N/SIG=A9/*http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us
>
> The first url string might break the page layout, sorry if it does.
>
> However, the browser should reach the following url:
>
> http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us

Can you please check if it still works if the request to
us.ard.yahoo.com is intercepted and redirected to the URL above?

If I open it, I get a message that I "signed out of the Yahoo! network",
however I don't have a Yahoo account and was never signed in, therefore
I can't verify if skipping us.ard.yahoo.com would be safe.

Yahoo doesn't bother to validate the URL parameters (try
http://login.yahoo.com/config/login?logout=1&.done=http://tor.eff.org&.src=ym&.intl=us
and use the "Return to Yahoo! Mail" link) so maybe they don't verify
whether or not you're really signed out either.

Also note, and this is Tor related again, that every time you run into
a Privoxy fast-redirect problem it means that your request was
unencrypted and could be sniffed or altered by the Tor exit node or
systems between the exit node and the destination.
You may want to investigate whether or not Yahoo allows you to
accidentally send your Email unencrypted (like Google does) and
if the session cookies are transferred encrypted.

> Indeed, maybe I should've posted at the Privoxy project lists but I
> thought it concerns all the users of the bundle alike (maybe this
> setting for other Privoxy uses is useful, but in the particular case of
> Yahoo mail users it doesn't).

While this problem affects all Yahoo-mail-using Tor bundle users
it also affects Yahoo-mail-using Privoxy users that don't use Tor.
If it gets fixed upstream both groups profit.

I agree that the problem should be fixed, I just don't think that
blindly disabling all yahoo redirects is a solution.

With Privoxy 3.0.6 you can add:

{+redirect{http://login.yahoo.com/config/login?logout=1&.done=http://mail.yahoo.com&.src=ym&.intl=us} \
}
.yahoo./.*http://login.yahoo.com/config/login.*http://mail.yahoo.com

{-fast-redirects \
}
.yahoo.com/.*done=http

in your user.action file, with Privoxy 3.0.7 (unreleased) you
can even replace the static redirect with:

+redirect{s@^.*\*(http://login\.yahoo\.com/.*)$@$1@i}

to make sure it works for other "done" URLs as well.

If someone can confirm that this is safe, we (the Privoxy team)
will ship it with Privoxy 3.0.7's default configuration.

Fabian
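
Added example (not part of the mail above and not Privoxy code): a Python emulation of the 3.0.7 substitution quoted in the mail, run over the contracted sample URL and a constructed variant that carries the tor.eff.org ".done" value. The function names and the done_is_yahoo host check are assumptions made for illustration; they show which targets the generic rewrite passes through unchanged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Python equivalent of the substitution quoted in the mail:
#   s@^.*\*(http://login\.yahoo\.com/.*)$@$1@i
REWRITE = re.compile(r"^.*\*(http://login\.yahoo\.com/.*)$", re.IGNORECASE)

# Contracted sample URL from the mail (placeholders, not real values).
PREFIX = ("http://us.ard.yahoo.com/SIG=A9/M=N6.N7.N7.N7/D=mail/S=N9:HEADR/"
          "Y=YAHOO/EXP=N10/A=N7/R=N/SIG=A9/*")
LOGIN = "http://login.yahoo.com/config/login?logout=1&.done=%s&.src=ym&.intl=us"
SAMPLE = PREFIX + LOGIN % "http://mail.yahoo.com"
# Constructed variant: same wrapper, .done value taken from the mail's test URL.
OTHER = PREFIX + LOGIN % "http://tor.eff.org"


def rewrite(url):
    """Return the redirect target the substitution yields, or None if no match."""
    m = REWRITE.match(url)
    return m.group(1) if m else None


def done_host(target):
    """Host named in the .done parameter of a login URL, or None."""
    values = parse_qs(urlsplit(target).query).get(".done")
    return urlsplit(values[0]).hostname if values else None


def done_is_yahoo(target):
    """Hypothetical extra check: .done must be yahoo.com or a subdomain of it."""
    host = done_host(target)
    return host is not None and (host == "yahoo.com" or host.endswith(".yahoo.com"))


if __name__ == "__main__":
    for url in (SAMPLE, OTHER):
        target = rewrite(url)
        print(target, "-> .done host:", done_host(target),
              "| yahoo.com only:", done_is_yahoo(target))
```

The substitution only pins the host of the rewritten URL to login.yahoo.com; whatever ".done" value the wrapper carried is forwarded as-is, and the target is still plain http.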