Activity log for bug #1057162

Date Who What changed Old value New value Message
2012-09-26 21:34:04 Melissa bug added bug
2012-09-26 21:36:34 Melissa description
Old value:
The point of the productsearch.ubuntu.com server (according to the Shuttleworth blog post) is to proxy anonymously between the user and Amazon, and once HTTPS is in place that would certainly be accomplished. However, the returned search results refer directly to image files stored on Amazon's servers which the client fetches, meaning that Amazon (or 7digital, or perhaps some others I haven't spotted, depending on the search) has a very good idea what you searched for anyway, and since they are HTTP, so does everyone else - even after HTTPS goes into productsearch.

These images cannot just simply be switched to HTTPS either as that causes a certificate mismatch error with cloudfront.net (or the connection gets reset with 7digital).

Suggested workaround is for productsearch to also download and cache these images to its own storage, proxying for the user.

Sample output: http://productsearch.ubuntu.com/v1/search?q=privacy

This is technically a security problem but I have chosen not to make this a private bug report because this issue is already being widely discussed (http://www.zyxa.net/2012/09/the-unity-amazon-search-in-ubuntu-1210.html) and in particular the lack of HTTPS throughout is already a completely public and acknowledged problem. However, there did not yet appear to be a bug report for this particular facet of the problem.

New value:
The point of the productsearch.ubuntu.com server (according to the Shuttleworth blog post) is to proxy anonymously between the user and Amazon, and once HTTPS is in place that would certainly be accomplished. However, the returned search results refer directly to image files stored on Amazon's servers which the client fetches, meaning that Amazon (or 7digital, or perhaps some others I haven't spotted, depending on the search) has a very good idea what you searched for anyway, and since they are HTTP, so does everyone else - even after HTTPS goes into productsearch.

These images cannot just simply be switched to HTTPS either as that causes a certificate mismatch error with cloudfront.net (or the connection gets reset with 7digital). (not that HTTPS images can't just be loaded to see what they are anyway. But you get my drift.)

Suggested workaround is for productsearch to also download and cache these images to its own storage, proxying for the user.

Sample output: http://productsearch.ubuntu.com/v1/search?q=privacy

This is technically a security problem but I have chosen not to make this a private bug report because this issue is already being widely discussed (http://www.zyxa.net/2012/09/the-unity-amazon-search-in-ubuntu-1210.html) and in particular the lack of HTTPS throughout is already a completely public and acknowledged problem. However, there did not yet appear to be a bug report for this particular facet of the problem.
2012-09-26 22:05:44 Launchpad Janitor unity-lens-shopping (Ubuntu): status New Confirmed
2012-09-26 22:05:48 Mario Vukelic bug added subscriber Mario Vukelic
2012-09-26 23:08:26 Melissa description
Old value:
The point of the productsearch.ubuntu.com server (according to the Shuttleworth blog post) is to proxy anonymously between the user and Amazon, and once HTTPS is in place that would certainly be accomplished. However, the returned search results refer directly to image files stored on Amazon's servers which the client fetches, meaning that Amazon (or 7digital, or perhaps some others I haven't spotted, depending on the search) has a very good idea what you searched for anyway, and since they are HTTP, so does everyone else - even after HTTPS goes into productsearch.

These images cannot just simply be switched to HTTPS either as that causes a certificate mismatch error with cloudfront.net (or the connection gets reset with 7digital). (not that HTTPS images can't just be loaded to see what they are anyway. But you get my drift.)

Suggested workaround is for productsearch to also download and cache these images to its own storage, proxying for the user.

Sample output: http://productsearch.ubuntu.com/v1/search?q=privacy

This is technically a security problem but I have chosen not to make this a private bug report because this issue is already being widely discussed (http://www.zyxa.net/2012/09/the-unity-amazon-search-in-ubuntu-1210.html) and in particular the lack of HTTPS throughout is already a completely public and acknowledged problem. However, there did not yet appear to be a bug report for this particular facet of the problem.

New value:
The point of the productsearch.ubuntu.com server (according to the Shuttleworth blog post) is to proxy anonymously between the user and Amazon, and once HTTPS is in place that would certainly be accomplished. However, the returned search results refer directly to image files stored on Amazon's servers which the client fetches, meaning that Amazon (or 7digital, or perhaps some others I haven't spotted, depending on the search) has a very good idea what you searched for anyway, and since they are HTTP, so does everyone else - even after HTTPS goes into productsearch.

These images cannot just simply be switched to HTTPS either as that causes a certificate mismatch error with cloudfront.net (or the connection gets reset with 7digital). (not that HTTPS images can't just be loaded to see what they are anyway, if they are sent over a plaintext response. But you get my drift. Sorry for editing this section repeatedly - trying to make this as clear as possible.)

Suggested workaround is for productsearch to also download and cache these images to its own storage, proxying for the user. They would learn the URL from an HTTPS response and load the image over HTTPS also.

Sample output: http://productsearch.ubuntu.com/v1/search?q=privacy

This is technically a security problem but I have chosen not to make this a private bug report because this issue is already being widely discussed (http://www.zyxa.net/2012/09/the-unity-amazon-search-in-ubuntu-1210.html) and in particular the lack of HTTPS throughout is already a completely public and acknowledged problem. However, there did not yet appear to be a bug report for this particular facet of the problem.
2012-09-27 04:39:15 Melissa marked as duplicate 1055952