Ubuntu

productsearch server does not proxy image results

Reported by Melissa on 2012-09-26
This bug report is a duplicate of:  Bug #1055952: Direct data leaking to Amazon. Edit Remove
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
unity-lens-shopping (Ubuntu)
Undecided
Unassigned

Bug Description

The point of the productsearch.ubuntu.com server (according to the Shuttleworth blog post) is to proxy anonymously between the user and Amazon, and once HTTPS is in place that would certainly be accomplished. However, the returned search results refer directly to image files stored on Amazon's servers which the client fetches, meaning that Amazon (or 7digital, or perhaps some others I haven't spotted, depending on the search) has a very good idea what you searched for anyway, and since they are HTTP, so does everyone else - even after HTTPS goes into productsearch. These images cannot just simply be switched to HTTPS either as that causes a certificate mismatch error with cloudfront.net (or the connection gets reset with 7digital). (not that HTTPS images can't just be loaded to see what they are anyway, if they are sent over a plaintext response. But you get my drift. Sorry for editing this section repeatedly- trying to make this as clear as possible.)

Suggested workaround is for productsearch to also download and cache these images to its own storage, proxying for the user. They would learn the URL from an HTTPS response and load the image over HTTPS also.

Sample output: http://productsearch.ubuntu.com/v1/search?q=privacy

This is technically a security problem but I have chosen not to make this a private bug report because this issue is already being widely discussed (http://www.zyxa.net/2012/09/the-unity-amazon-search-in-ubuntu-1210.html) and in particular the lack of HTTPS throughout is already a completely public and acknowledged problem. However, there did not yet appear to be a bug report for this particular facet of the problem.

Melissa (abadidea) on 2012-09-26
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity-lens-shopping (Ubuntu):
status: New → Confirmed
Melissa (abadidea) on 2012-09-26
description: updated
Etienne Perot (etienneperot) wrote :

Duplicate of 1055952, I believe

Melissa (abadidea) wrote :

I swear I looked at every open bug for this package and did not see that one. Now I am red in the face.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers