Re: [tor-relays] Hyperlink in ContactInfo
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-relays] Hyperlink in ContactInfo
- From: s7r <s7r@xxxxxxxxxx>
- Date: Thu, 3 Jan 2019 17:55:51 +0200
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Thu, 03 Jan 2019 10:56:16 -0500
- In-reply-to: <71d5421d-a847-7b23-fe5e-0617439ea95e@schulz.com.de>
- List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
- List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
- Openpgp: preference=signencrypt
- References: <71d5421d-a847-7b23-fe5e-0617439ea95e@schulz.com.de>
- Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
Ilka Schulz wrote:
> Hi,
>
> I wrote a little PHP-based contact page and put the link to the
> /ContactInfo/ of my relay's /torrc/. I added some HTML tags (/<a
> href=...> ... </a>/) to let Tor Metrics show the link as such; but, of
> course, the string is sanitized properly, so the /Contact/ field on Tor
> Metrics shows the literal HTML tags.
>
> Is there any chance to show the hyperlink on Tor Metrics, so that
> visitors can directly click on it? The same would be interesting for
> clear text email addresses.
>
> Regards,
> Ilka
>
NACK. Of course HTML tags / JavaScript are sanitized; otherwise anyone can
inject HTML or JavaScript code into our metrics webpage, which is super
bad. One attacker can infect all visitors of our metrics webpage, or do
various other stuff we don't want.

There is no way to implement such a feature unless someone manually
reviews each relay's ContactInfo HTML/JavaScript tags in that string to
make sure there is nothing bad in it, and then keeps an eye on it on
every descriptor refresh. This is of course out of the question: nobody
has the time to do it, it opens the door for mistakes and security risks,
and it gives us absolutely no gains.

Of course there is a solution where the metrics page will detect link
formats like http://, https://, domain.tld, subdomain.domain.tld and show
them as hyperlinks on the metrics webpage, but I recommend against this as
well, as this way our metrics webpage can become the referrer for some
fishy websites attackers choose to put in a relay's contact info.
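An added example, not part of the original message and not Tor Metrics code: the two rendering choices discussed in this thread, applied to an untrusted ContactInfo string. The function names and the sample strings are assumptions made for illustration; `rel="noreferrer"` only suppresses the Referer header and does not change the fact that the page would link to operator-chosen sites.

```javascript
// Characters that must never reach the page unescaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Behaviour described in the thread: the whole string is shown as literal
// text, so operator-supplied <a> or <script> tags stay inert.
function renderContactInfo(raw) {
  return escapeHtml(raw);
}

// Hypothetical link-detection variant: the page generates the only markup.
// Explicit http(s) URLs become links; everything else is escaped text.
function renderContactInfoLinked(raw) {
  const text = String(raw);
  const urlRe = /https?:\/\/[^\s<>"']+/g;
  let out = '';
  let last = 0;
  for (const m of text.matchAll(urlRe)) {
    out += escapeHtml(text.slice(last, m.index));
    let url = null;
    try { url = new URL(m[0]); } catch { url = null; }
    const ok = url &&
      (url.protocol === 'http:' || url.protocol === 'https:') &&
      !url.username && !url.password; // no user:pass@ tricks in link targets
    out += ok
      ? `<a href="${escapeHtml(url.href)}" rel="noreferrer noopener nofollow">` +
        `${escapeHtml(m[0])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample values, not taken from a real relay descriptor.
const SAMPLE_TAGGED = '<a href="https://contact.example/">contact page</a>';
const SAMPLE_PLAIN = 'see https://contact.example/form?a=1&b=2 <script>';
```
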