List: kde-devel
Subject: Re: When the anti-spoof message pops up
From: Shantanu Tushar Jha <jhahoneyk () gmail ! com>
Date: 2011-11-28 5:12:43
Message-ID: CAKU6GqHkzKHvrZzGdz_C6QsYOkVQ-B4=QqcD=wjqcy6XTE+Xug () mail ! gmail ! com
Hi,
I'm curious, so if an app can disable the spoof dialog anyway, doesn't that
make it useless, as someone having actual malicious intent can just disable
it too?
Regards,
Shantanu Tushar (UTC +0530)
http://www.shantanutushar.com
On Sun, Nov 27, 2011 at 1:33 AM, Dawit A <adawit@kde.org> wrote:
> I have added a new KIO meta-data to disable username spoofing change. See
>
> https://projects.kde.org/projects/kde/kdelibs/repository/revisions/bab4ee944b2d045e13cb73a5e8c95fe1d62d49d1
>
> You can now disable the spoofing check by doing something like the
> following:
>
> KIO::TransferJob* job = KIO::get(url,....);
> job->addMetaData(QLatin1String("no-spoof-check-prompt"),
>                  QLatin1String("TRUE"));
>
> On Wed, Nov 23, 2011 at 8:57 PM, Shantanu Tushar Jha
> <jhahoneyk@gmail.com> wrote:
> > Hi,
> >
> > On Wed, Nov 23, 2011 at 11:22 PM, Dawit A <adawit@kde.org> wrote:
> > >
> > > On Tue, Nov 22, 2011 at 11:20 PM, Shantanu Tushar Jha
> > > <jhahoneyk@gmail.com> wrote:
> > > > On Tue, Nov 22, 2011 at 11:26 PM, Dawit A <adawit@kde.org> wrote:
> > > > >
> > > > > On Tue, Nov 22, 2011 at 11:09 AM, Shantanu Tushar Jha
> > > > > <jhahoneyk@gmail.com> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm pretty sure everyone will have seen the message `You are about to
> > > > > > log in to the site "api.opendesktop.org" with the username "user", but
> > > > > > the website does not require authentication. This may be an attempt to
> > > > > > trick you.' when you tried to use anything that uses Attica (Get hot new
> > > > > > stuff, social desktop settings, gluon and so on).
> > > > > >
> > > > > > Seeing the dialog once is ok, but it gets really irritating when 4-5 of
> > > > > > these pop up simultaneously because the app might be performing more than
> > > > > > one kio_http request (which is the case in almost every social component
> > > > > > in gluon).
> > > > >
> > > > > So long as the request URL does not change, you get one single prompt.
> > > > > If you are sending multiple requests to different sites using the same
> > > > > URL format, then you are going to be prompted multiple times.
> > > >
> > > > Well in gluon, multiple requests ( http://paste.kde.org/149786/ ) are sent
> > > > to the same site (api.opendesktop.org), and this happens
> > > > http://wstaw.org/m/2011/11/23/plasma-desktopwp1921.png . Can this be fixed
> > > > so the dialog only appears once per server?
> > > > >
> > > > > > So, the question is, what to do to prevent these from popping up
> > > > > > unnecessarily? Attica is performing a legitimate login to the opendesktop
> > > > > > website [1], so it shouldn't be reported as a problem.
> > > > > >
> > > > > > [1] of the form
> > > > > > https://username@api.opendesktop.org/v1/content/something
> > > > >
> > > > > Can you please explain how "Attica is performing a legitimate login to
> > > > > opendesktop website" by including a 'username@' into a request URL
> > > > > that does not require HTTP authentication? You are getting the
> > > > > spoofing prompt because the request URL contains a username and the
> > > > > server does not respond with a 401/407 response code or a redirection.
> > > > > IOW, the site does not really require authentication at all. Hence,
> > > > > Attica or any other client code has no business adding the username to
> > > > > the request URL. So the question remains why exactly is Attica adding
> > > > > a username@ to the request URL?
> > > >
> > > > Hmm thanks for the insight, I tried manually browsing to the
> > > > "authentication required to access" URLs as per
> > > > http://www.freedesktop.org/wiki/Specifications/open-collaboration-services#search
> > > > and looks like the server is at fault (i.e. it doesn't ask for auth). Will
> > > > poke the guys managing it soon. However, we still should show the message
> > > > only once per site, what do you think?
> > >
> > > Yes, it should. Unfortunately the problem with multiple dialogs on
> > > multiple requests at once is not limited to the spoofing check. You
> > > get the same multiple dialog boxes for SSL checks as well for example.
> > >
> > > It is a known KIO limitation that is caused by the fact that each
> > > ioslave is a separate process and as such the message dialog boxes
> > > shown are done from separate processes. It is not an easy fix since it
> > > would require some external process like a kded module and
> > > communication over dbus to keep track of the message prompt requests
> > > from multiple processes. Much like how it is currently done for the
> > > password dialogs.
> > >
> > > Anyhow, the easiest way to address this issue right now is to simply
> > > provide a meta-data that would disable the spoofing check; so it will
> > > be up to you to disable it from your own client application. It will
> > > be enabled by default of course.
> >
> > Ah ok, how do I do that?
>