Hi all
When going to another page, browsers send a Referer header to the next server. This could obviously leak some information from the original website. Given that we might include possibly sensitive information in the URL (e.g. a SQL query), I've added a redirector (url.php) inside phpMyAdmin, which hides all the parameters; all the next site can see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.
On the other side, the user might want to hide <PmaAbsoluteUri> as well. This can only be achieved by using some external redirector; for example, we could place one at phpmyadmin.net. Any opinions about that?
PS: The referrer should not be sent when the original site is using HTTPS, quoting the RFC:
> Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
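The redirector idea from the message above, written out as an added example. This is not phpMyAdmin's own url.php; it is illustrative code that assumes a constructed allowlist of documentation hosts (`$allowedHosts`) and a function name (`sanitizeRedirectTarget`) that do not come from the project. Two points a practitioner wants here: the target must be validated, or the script becomes an open redirect, and an HTTP 302 alone does not do the job, because browsers carry the original page's Referer across HTTP redirects, so the hop has to happen client-side from the redirector page.

```php
<?php
// Added example, not phpMyAdmin's own url.php: a redirector that makes the
// target site see this script's URL as the Referer instead of the page that
// held the link (whose query string may carry an SQL query).
// Assumption: $allowedHosts below is a constructed allowlist for this example.
declare(strict_types=1);

/**
 * Returns the URL to redirect to, or null if the target is not acceptable.
 * Only absolute http(s) URLs whose host is on the allowlist pass, so the
 * script cannot be turned into an open redirect to arbitrary sites.
 */
function sanitizeRedirectTarget(string $url, array $allowedHosts): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// Constructed allowlist: hosts the application links out to for documentation.
$allowedHosts = ['docs.phpmyadmin.net', 'dev.mysql.com', 'www.php.net'];

$target = sanitizeRedirectTarget($_GET['url'] ?? '', $allowedHosts);
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Refusing to redirect to a malformed or unlisted URL.\n";
    exit;
}

// A plain "Location:" 302 would not help: browsers keep the original Referer
// (the page containing the link) when following HTTP redirects. A navigation
// started from this page makes the browser send this page's own URL instead,
// i.e. <PmaAbsoluteUri>/url.php?url=..., which contains no SQL.
// Referrer-Policy (standardised after this 2011 thread) goes further and stops
// the browser sending any Referer at all on that navigation.
header('Referrer-Policy: no-referrer');
header('Content-Type: text/html; charset=utf-8');
$jsTarget   = json_encode($target, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
$htmlTarget = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
echo "<!DOCTYPE html><html><head><meta charset=\"utf-8\">\n";
echo "<meta http-equiv=\"refresh\" content=\"0;url={$htmlTarget}\">\n";
echo "<script>window.location.replace({$jsTarget});</script>\n";
echo "</head><body>Redirecting to <a href=\"{$htmlTarget}\">{$htmlTarget}</a>.</body></html>\n";
```

The meta refresh is a fallback for clients without JavaScript; both paths navigate from the redirector document, so the only thing the destination learns about the installation is the redirector's own URL, which is exactly the residual leak the rest of the thread discusses.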
Hi all,
2011/1/31 Michal Čihař <michal@cihar.com>:
> Hi all
> When going to another page, browsers send a Referer header to the next server. This could obviously leak some information from the original website. Given that we might include possibly sensitive information in the URL (e.g. a SQL query), I've added a redirector (url.php) inside phpMyAdmin, which hides all the parameters; all the next site can see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.
> On the other side, the user might want to hide <PmaAbsoluteUri> as well. This can only be achieved by using some external redirector; for example, we could place one at phpmyadmin.net. Any opinions about that?
Would it be the default behaviour to redirect through phpmyadmin.net, or is it an option? What if phpmyadmin.net is unavailable (down, or not reachable from the network where a local version of PMA is installed)? Will links in PMA not work? If an external redirector is used, isn't the Referer sent in the HTTP request header, travelling the internet in cleartext?
> PS: The referrer should not be sent when the original site is using HTTPS, quoting the RFC:
>> Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
> -- Michal Čihař | http://cihar.com | http://blog.cihar.com
_______________________________________________
Phpmyadmin-devel mailing list
Phpmyadmin-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
Hi
On Mon, 31 Jan 2011 15:51:59 +0100 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
> Would it be the default behaviour to redirect through phpmyadmin.net, or is it an option?
Probably as an option (enabled by default if phpMyAdmin is not using SSL).
> What if phpmyadmin.net is unavailable (down, or not reachable from the network where a local version of PMA is installed)? Will links in PMA not work?
Exactly, this is a problem I see as well.
> If an external redirector is used, isn't the Referer sent in the HTTP request header, travelling the internet in cleartext?
Yes. Anyway, currently almost all outgoing links are HTTP, so the information travels unencrypted as well. The advantage would be that it is not available to others as easily as now (the referer is stored in web server logs, processed by statistics tools such as Google Analytics, and so on).
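The point just made, that the Referer ends up in the receiving site's web server logs, can be checked from the receiving side. The following is an added example, not code from the thread or from phpMyAdmin: a small PHP scanner for combined-format access logs that reports requests whose Referer carried parameters an administrator would consider sensitive. The parameter list (`SENSITIVE_PARAMS`) and the three log lines are constructed for this example; the second line shows what a site receives when the link went through a url.php-style redirector and is, correctly, not flagged.

```php
<?php
// Added example (not from the thread or from phpMyAdmin): find requests whose
// Referer leaked sensitive query parameters from the referring application.
declare(strict_types=1);

// Constructed list of parameter names that signal leaked application state.
const SENSITIVE_PARAMS = ['sql_query', 'token', 'pma_username', 'pma_password'];

/**
 * Parses one Apache/nginx "combined" log line into its fields, or returns
 * null when the line does not match the format.
 */
function parseCombinedLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'client'  => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[6] === '-' ? null : $m[6],
        'agent'   => $m[7],
    ];
}

/** Returns the sensitive parameter names present in a Referer URL's query string. */
function sensitiveParamsInReferer(?string $referer): array
{
    if ($referer === null) {
        return [];
    }
    $query = parse_url($referer, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    return array_values(array_intersect(SENSITIVE_PARAMS, array_keys($params)));
}

/** Scans log lines and reports those whose Referer leaked sensitive parameters. */
function findLeakingReferers(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $entry = parseCombinedLogLine($line);
        if ($entry === null) {
            continue;
        }
        $leaked = sensitiveParamsInReferer($entry['referer']);
        if ($leaked !== []) {
            $hits[] = [
                'line'    => $i + 1,
                'client'  => $entry['client'],
                'leaked'  => $leaked,
                'referer' => $entry['referer'],
            ];
        }
    }
    return $hits;
}

// Constructed sample log lines: a direct link from a phpMyAdmin SQL page,
// the same link routed through a url.php-style redirector, and an unrelated hit.
$sample = [
    '10.0.0.5 - - [31/Jan/2011:15:51:59 +0100] "GET /doc/refman/5.5/en/select.html HTTP/1.1" 200 8123 "http://pma.internal/sql.php?db=hr&sql_query=SELECT+ssn+FROM+employees&token=EXAMPLETOKEN" "Mozilla/5.0"',
    '10.0.0.5 - - [31/Jan/2011:15:52:10 +0100] "GET /doc/refman/5.5/en/select.html HTTP/1.1" 200 8123 "http://pma.internal/url.php?url=http%3A%2F%2Fdev.mysql.com%2Fdoc%2Frefman%2F5.5%2Fen%2Fselect.html" "Mozilla/5.0"',
    '10.0.0.7 - - [31/Jan/2011:15:53:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.21"',
];

foreach (findLeakingReferers($sample) as $hit) {
    printf("line %d from %s leaked %s via Referer %s\n",
        $hit['line'], $hit['client'], implode(',', $hit['leaked']), $hit['referer']);
}
```

Only the first sample line is reported (with `sql_query` and `token`); the redirected request exposes just the installation's url.php URL, which is the residual leak Michal describes later in the thread.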
Hi,
2011/1/31 Michal Čihař <michal@cihar.com>:
> Hi
> On Mon, 31 Jan 2011 15:51:59 +0100 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
>> Would it be the default behaviour to redirect through phpmyadmin.net, or is it an option?
> Probably as an option (enabled by default if phpMyAdmin is not using SSL).
>> What if phpmyadmin.net is unavailable (down, or not reachable from the network where a local version of PMA is installed)? Will links in PMA not work?
> Exactly, this is a problem I see as well.
>> If an external redirector is used, isn't the Referer sent in the HTTP request header, travelling the internet in cleartext?
> Yes. Anyway, currently almost all outgoing links are HTTP, so the information travels unencrypted as well. The advantage would be that it is not available to others as easily as now (the referer is stored in web server logs, processed by statistics tools such as Google Analytics, and so on).
I just don't like the idea that, for using my local version of PMA, I would need an external server to be available. If I'm not mistaken, every click would be redirected through the external site? If there is a slow connection to the external redirector, it will slow down using your local version of PMA.
This causes a lot of (unencrypted) traffic going to the external server and back, while without the external redirector only the outgoing links might contain sensitive info that leaves your network. (This of course doesn't apply when you access PMA on a remote website; then everything is sent over the internet anyway.)
And about Google Analytics: it only applies if you installed it on your site (which is not trivial/'out of the box'), and it gets the Referer immediately, not by analysing the web server logs (but you were referring to other tools, I guess ;) )
I'm just wondering if using the redirector thing is not introducing more problems than it solves? Wouldn't it be a better idea to keep the URL clean? I realise this is not always easy to do, and probably near impossible when sessions are not allowed on a web browsing client.
Kind regards,
Dieter
Hi
On Mon, 31 Jan 2011 16:23:03 +0100 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
> I just don't like the idea that, for using my local version of PMA, I would need an external server to be available. If I'm not mistaken, every click would be redirected through the external site? If there is a slow connection to the external redirector, it will slow down using your local version of PMA.
I'm talking only about external links, not links inside phpMyAdmin. So it usually means (but is not limited to) links to documentation.
> This causes a lot of (unencrypted) traffic going to the external server and back, while without the external redirector only the outgoing links might contain sensitive info that leaves your network. (This of course doesn't apply when you access PMA on a remote website; then everything is sent over the internet anyway.)
> And about Google Analytics: it only applies if you installed it on your site (which is not trivial/'out of the box'), and it gets the Referer immediately, not by analysing the web server logs (but you were referring to other tools, I guess ;) )
Only if it is installed on the external site. For example, the MySQL website uses SiteCatalyst, which also collects such data.
> I'm just wondering if using the redirector thing is not introducing more problems than it solves? Wouldn't it be a better idea to keep the URL clean? I realise this is not always easy to do, and probably near impossible when sessions are not allowed on a web browsing client.
The URL is already cleaned up by the redirector inside phpMyAdmin. The only thing that leaks right now is the URL of the installation. (Talking about current git.)
2011/1/31 Michal Čihař <michal@cihar.com>:
> Hi
> On Mon, 31 Jan 2011 16:23:03 +0100 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
>> I just don't like the idea that, for using my local version of PMA, I would need an external server to be available. If I'm not mistaken, every click would be redirected through the external site? If there is a slow connection to the external redirector, it will slow down using your local version of PMA.
> I'm talking only about external links, not links inside phpMyAdmin. So it usually means (but is not limited to) links to documentation.
Ok, I got that wrong, thanks for clarifying.
>> This causes a lot of (unencrypted) traffic going to the external server and back, while without the external redirector only the outgoing links might contain sensitive info that leaves your network. (This of course doesn't apply when you access PMA on a remote website; then everything is sent over the internet anyway.)
>> And about Google Analytics: it only applies if you installed it on your site (which is not trivial/'out of the box'), and it gets the Referer immediately, not by analysing the web server logs (but you were referring to other tools, I guess ;) )
> Only if it is installed on the external site. For example, the MySQL website uses SiteCatalyst, which also collects such data.
>> I'm just wondering if using the redirector thing is not introducing more problems than it solves? Wouldn't it be a better idea to keep the URL clean? I realise this is not always easy to do, and probably near impossible when sessions are not allowed on a web browsing client.
> The URL is already cleaned up by the redirector inside phpMyAdmin. The only thing that leaks right now is the URL of the installation. (Talking about current git.)
The question that remains is: what happens to the web server logs of the phpmyadmin.net website? If it is hosted by sf.net, we (PMA team/community/users) don't have control over it, so it can still be analysed.
Kind regards,
Dieter
Michal Čihař wrote:
> Hi all
> When going to another page, browsers send a Referer header to the next server. This could obviously leak some information from the original website. Given that we might include possibly sensitive information in the URL (e.g. a SQL query), I've added a redirector (url.php) inside phpMyAdmin, which hides all the parameters; all the next site can see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.
> On the other side, the user might want to hide <PmaAbsoluteUri> as well. This can only be achieved by using some external redirector; for example, we could place one at phpmyadmin.net. Any opinions about that?
I'm not sure that this site (hosted on SourceForge.net) can be used for this purpose.
How about generating these redirections via JS? I have seen this somewhere.
Hi
On Mon, 31 Jan 2011 10:04:15 -0500 Marc Delisle <marc@infomarc.info> wrote:
> Michal Čihař wrote:
>> On the other side, the user might want to hide <PmaAbsoluteUri> as well. This can only be achieved by using some external redirector; for example, we could place one at phpmyadmin.net. Any opinions about that?
> I'm not sure that this site (hosted on SourceForge.net) can be used for this purpose.
I don't see anything that would prohibit such use.
> How about generating these redirections via JS? I have seen this somewhere.
Yes, you can change links to go through a redirect service using JS, but you still need the redirection itself outside. I don't think you can prevent sending the referrer using JS.
Hi,
On 1/31/2011 9:34 AM, Michal Čihař wrote:
> Hi all
> When going to another page, browsers send a Referer header to the next server. This could obviously leak some information from the original website. Given that we might include possibly sensitive information in the URL (e.g. a SQL query), I've added a redirector (url.php) inside phpMyAdmin, which hides all the parameters; all the next site can see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.
Yes, this seems good.
> On the other side, the user might want to hide <PmaAbsoluteUri> as well. This can only be achieved by using some external redirector; for example, we could place one at phpmyadmin.net. Any opinions about that?
I think it's not worth the hassle. While I do understand that some users may want to hide their URL as an additional layer of security, there are some very good questions being asked about what happens if the redirector is down, whether it can handle (or is permitted to handle) the amount of traffic we could potentially generate, and, most importantly, about the likelihood of the redirector itself collecting the referrer information. Not to mention the question of whether it's phpMyAdmin's responsibility to obscure this in the first place (for the truly paranoid, there are ways to accomplish this across an entire system, rather than a single application).
I vote no, for what that's worth.
On 1/31/2011 10:04 AM, Marc Delisle wrote:
> How about generating these redirections via JS? I have seen this somewhere.
Perhaps you're referring to the use of an iframe + JavaScript such as is described at http://www.knowlegezone.com/documents/75/Hide-referer-IE-and-Firefox/
Hi
After reading the discussion, I don't think we should introduce any such service. I was originally also against it, but wanted to hear other opinions as well before deciding. And there was no opinion in favour of such a thing.
A redirect service would introduce additional possible breakage, would still allow the referrer to leak (though on a much more limited scale: only to a single site, but unencrypted), and would not bring any major benefits.