[Mimedefang] Minor web attachment privacy problem.
Jeffrey Goldberg
jeffrey at goldmark.org
Mon Jun 30 09:28:01 EDT 2003
On Mon, 30 Jun 2003, Steffen Kaiser wrote:
> > > Solution: Instead of taking the SHA hash of the document itself, take the
> > > SHA hash of the document concatenated with some secret (but constant)
> > > server key.
> >
> > This is a good solution. I'll implement it for 2.35.
>
> Hmm, I was thinking about this, but found no real gain by adding a
> constant key.
>
> a) How probable is it that "E" has never received or seen a URL with
> that constant key
I think you misunderstood. The file name will be
SHA(attachment + key)
not
SHA(attachment) + key
So there will be no way (short of a dictionary attack) to deduce the key
even where you legitimately know both URL and attachment.
> [...] _and_ has access to the web spool area?
Anyone who has non-web access to the web-spool area already knows the file
names. But they might have web-access to the spool area. Or have I
misunderstood what you are getting at?
> b) When you restart the server, the key is generated anew, I guess.
What I meant by constant key is that you (the MD admin) put it in your
config (or have your config read a file which has mode 600). This is
similar to what you do with mailing list management systems to get
confirmation cookies.
> How about keeping the action_replace_with_url () function as it is now,
> but let the filter hook into the file generation process, like
> [...]
> my $fname = substr("" . rand, 2) . $ext;
> [...]
> link("$localPath/$mimedefangName", "/home/httpd/html/mail_parts/$fname")
> or return undef; # arrgh, in case of error let handle
> # replace_with_url() this?
>
> return $fname;
> }
>
> So, because MIMEDefang saves the file into a directory, which is _not_
> available through the webserver, you do not leak information, but you
> can avoid caching the same document twice - just like now;
> because the "filename" in the public web space is a random one now,
> you do not leak information here as well.
[ ... lots of useful suggestions and examples snipped ...]
This will work as far as I can tell. It seems more complicated than my
suggestion, but has the advantage of providing a more general hook that
can be used for other purposes as well. While my proposal seems cleaner,
I'm not wedded to it. At least we now have a choice of ways to address
this problem.
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
Relativism is the triumph of authority over truth, convention over justice
Hate spam? Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
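As an added illustration, not code from the thread or from MIMEDefang itself, here is the keyed file-naming scheme discussed above: the public name is SHA(attachment + key), so the same document always maps to the same name (no double caching) while the key never appears in the URL, and the key is read from a mode-600 file as suggested. SHA-256, the minimum key length and the helper names are my assumptions.

```python
import hashlib
import os
import stat
import tempfile


def plain_name(attachment: bytes) -> str:
    """Unkeyed scheme: SHA(attachment). Anyone holding the document can compute it."""
    return hashlib.sha256(attachment).hexdigest()


def attachment_name(attachment: bytes, server_key: bytes, ext: str = "") -> str:
    """Keyed scheme from the thread: SHA(attachment + key), NOT SHA(attachment) + key.

    The key sits inside the hash input, so knowing both the document and the
    resulting URL does not reveal the key (short of guessing it)."""
    return hashlib.sha256(attachment + server_key).hexdigest() + ext


def load_server_key(path: str) -> bytes:
    """Read the constant key from a file, refusing anything group/other accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be mode 600, found {mode:o}")
    with open(path, "rb") as fh:
        key = fh.read().strip()
    if len(key) < 16:  # assumed minimum; a short key invites a dictionary attack
        raise ValueError("server key too short")
    return key


def write_demo_key_file(key: bytes, mode: int = 0o600) -> str:
    """Constructed helper: write a key file with the given mode and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    os.chmod(path, mode)
    return path


def loose_key_file_rejected() -> bool:
    """Constructed check: a world-readable key file must be refused."""
    path = write_demo_key_file(b"0123456789abcdef0123", mode=0o644)
    try:
        load_server_key(path)
        return False
    except PermissionError:
        return True
    finally:
        os.unlink(path)
```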