[Mimedefang] Minor web attachment privacy problem.

Jeffrey Goldberg jeffrey at goldmark.org
Mon Jun 30 09:28:01 EDT 2003 

On Mon, 30 Jun 2003, Steffen Kaiser wrote:

> > > Solution:  Instead of taking the SHA hash of the document itself, take the
> > > SHA hash of the document concatenated with some secret (but constant)
> > > server key.
> >
> > This is a good solution.  I'll implement it for 2.35.
>
> Hmm, I was thinking about this, but found no real gain by adding a
> constant key.
>
> a) How probable is it that "E" has never recieved or seen an URL with
> that constant key

I think you misunderstood.  The file name will be

   SHA(attachment + key)

not

   SHA(attachment) + key

So there will be no way (short of a dictionary attack) to deduce the key
even where you legitimately know both URL and attachment.

> [...]  _and_ has access to the web spool area?

Anyone who has non-web access to the web-spool area already knows the file
names.  But they might have web-access to the spool area.  Or have I
misunderstood what you are getting at?

> b) When you restart the server, the key is generated anew, I guess.

What I meant by constant key is that you (the MD admin) put it in your
config (or have your confing read a file which has mode 600).  This is
similar to what you do with mailing list management systems to get
confirmation cookies.

> How about keeping the action_replace_with_url () function as it is now,
> but let the filter hook into the file generation process, like

> [...]
> 	my $fname = substr("" . rand, 2) . $ext;
> [...]
> 	link("$localPath/$mimedefangName", "/home/httpd/html/mail_parts/$fname")
> 		or return undef;	# arrgh, in case of error let handle
> 					# replace_with_url() this?
>
> 	return $fname;
> }
>
> So, because MIMEDefang saves the file into a directory, which is _not_
> available through the webserver, you do not leak information, but you
> can avoid to cache the same document twice - just like now;
> because the "filename" in the public web space is a random one now,
> you do not leak information here as well.

[ ... lots of useful suggestions and examples snipped ...]

This will work as far as I can tell.  It seems more complicated than my
suggestion, but has the advantage of providing a more general hook that
can be used for other purposes as well.  While my proposal seems cleaner,
I'm not wedded to it.  At least we know have a choice of ways to address
this problem.

-j

-- 
Jeffrey Goldberg                            http://www.goldmark.org/jeff/
 Relativism is the triumph of authority over truth, convention over justice
 Hate spam?  Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/

More information about the MIMEDefang mailing list