Difference between revisions of "Clickable Links"

From Market Ruler Help
m
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Clickable Links and their security implications =
+
=== Security Implications ===
 
 
==== Security ====
 
  
 
Despite the fact that all of your passwords are encrypted on your
 
Despite the fact that all of your passwords are encrypted on your
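Review bot: The added heading "=== Security Implications ===" at the top of this hunk is a level-3 heading with no level-2 parent visible anywhere in the revision, and the later headings ("=== Spam ===", "=== Our solution ===", "=== How to test it ===") repeat that level. MediaWiki sections conventionally start at "==", so consider "== Security Implications ==" here and the matching level for the other three.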
Line 7: Line 5:
 
others to get the URL. Whenever you link from one web site to another,
 
others to get the URL. Whenever you link from one web site to another,
 
a [http://wiki.marketruler.com/Referrer?_cr=web|pw.ex.to|clickable-links Referrer] is passed to the next web site. <br/>
 
a [http://wiki.marketruler.com/Referrer?_cr=web|pw.ex.to|clickable-links Referrer] is passed to the next web site. <br/>
 +
 
This means that the sites we link to would know your '''Mobile Password Safe URL''', and '''we don't want that.''' <br/>
 
This means that the sites we link to would know your '''Mobile Password Safe URL''', and '''we don't want that.''' <br/>
 +
 
There is a way to do this which we've implemented on the home
 
There is a way to do this which we've implemented on the home
 
page to link to the "Hunch" site.<br/>
 
page to link to the "Hunch" site.<br/>
<blockquote>(It uses a "redirector" which takes you to another generic page, which then redirects to the Hunch site. Hunch only sees the generic page, not your password home page.)</blockquote><br/>
+
 
 +
<blockquote>(It uses a "redirector" which takes you to another generic page, which then redirects to the Hunch site. Hunch only sees the generic page, not your password home page.)</blockquote>
 
Secondarily, '''we don't also want to know which sites you're visiting.'''<br/>
 
Secondarily, '''we don't also want to know which sites you're visiting.'''<br/>
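Review bot: The last content line of this hunk, "Secondarily, '''we don't also want to know which sites you're visiting.'''", is carried over unchanged and still reads awkwardly. Since the revision already touches the neighbouring blockquote line (its trailing <br/> is dropped), consider rewording to "we also don't want to know which sites you're visiting". In the same hunk, "There is a way to do this" directly follows "we don't want that", so "this" has no clear referent; "a way to prevent this" would say what is meant.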
  
Line 17: Line 18:
 
'''We could turn off our server logs''' , but it makes it difficult to run our service at all because it '''does'''  hold important diagnostic information.  
 
'''We could turn off our server logs''' , but it makes it difficult to run our service at all because it '''does'''  hold important diagnostic information.  
  
==== Spam ====
+
=== Spam ===
  
 
Once we have a "redirector" page, it means that spammers can use it to hide in their spam emails to avoid spam filters. Instead of sending you to:
 
Once we have a "redirector" page, it means that spammers can use it to hide in their spam emails to avoid spam filters. Instead of sending you to:
Line 27: Line 28:
 
Since we don't want our domain name to be blacklisted by anti-spam companies, and we don't want to do anything to help spammers (in the ''least'') then it becomes difficult to allow just our users to use the outbound links.
 
Since we don't want our domain name to be blacklisted by anti-spam companies, and we don't want to do anything to help spammers (in the ''least'') then it becomes difficult to allow just our users to use the outbound links.
  
==== Our solution ====
+
=== Our solution ===
  
 
Our solution uses [http://wiki.marketruler.com/JavaScript JavaScript]  so the URL you visit is hidden from our servers (it only exists in your browser), and a redirect page which hides your home page URL from other sites.
 
Our solution uses [http://wiki.marketruler.com/JavaScript JavaScript]  so the URL you visit is hidden from our servers (it only exists in your browser), and a redirect page which hides your home page URL from other sites.
  
==== How to test it ====
+
=== How to test it ===
  
 
We offer an easy way to test the referrer security:
 
We offer an easy way to test the referrer security:
Line 38: Line 39:
 
#Click on the link in the password entry
 
#Click on the link in the password entry
 
#View the referrer that the web server "sees"
 
#View the referrer that the web server "sees"
 +
 +
[[Category:Mobile Password Safe]]

Latest revision as of 18:14, 24 April 2020

Security Implications

Despite the fact that all of your passwords are encrypted on your mobile password safe home page, we still don't want to make it easy for others to get the URL. Whenever you link from one web site to another, a Referrer is passed to the next web site.

This means that the sites we link to would know your Mobile Password Safe URL, and we don't want that.

There is a way to prevent this, which we've implemented on the home page for the link to the "Hunch" site.

(It uses a "redirector" which takes you to another generic page, which then redirects to the Hunch site. Hunch only sees the generic page, not your password home page.)

Secondarily, we also don't want to know which sites you're visiting.

If you go through a redirector tool on our site, then our web server would see it and log it.

We could turn off our server logs, but that would make it difficult to run our service at all, because the logs do hold important diagnostic information.

Spam

Once we have a "redirector" page, spammers can use it in their spam emails to hide their links from spam filters. Instead of sending you to:

  • http://www.viagra-buy-drugs-online.com/

They send you to (for example):

  • http://pw.ex.to/out/?u=http://www.viagra-buy-drugs-online.com/

Spam filters look at the pw.ex.to part, not the u= part, so we would be blacklisted.

Since we don't want our domain name to be blacklisted by anti-spam companies, and we don't want to do anything to help spammers (in the least), it becomes difficult to allow just our users to use the outbound links.

Our solution

Our solution uses JavaScript so the URL you visit is hidden from our servers (it only exists in your browser), and a redirect page which hides your home page URL from other sites.
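
One way a browser-side redirect of this kind can work, shown as an added example that is not Market Ruler's own code. It assumes the target travels in the URL fragment of a hypothetical generic page `https://pw.ex.to/out/`; all function names are illustrative.

```javascript
// Assumption: the target is carried after '#'. The page does not say how
// its JavaScript redirect passes the target; this is one common design.
const REDIRECT_PAGE = "https://pw.ex.to/out/"; // hypothetical generic page

// Link placed on the password home page. Browsers never send the
// fragment to the server, so the target stays out of the access log.
function buildOutboundLink(target) {
  return REDIRECT_PAGE + "#" + encodeURIComponent(target);
}

// What the web server (and its log) receives when the link is followed.
function requestLineSeenByServer(link) {
  const u = new URL(link);
  return "GET " + u.pathname + u.search;
}

// Runs on the redirect page: recover the target from location.hash and
// accept only absolute http(s) URLs, refusing javascript:, data:, etc.
function resolveTarget(hash) {
  let parsed;
  try {
    parsed = new URL(decodeURIComponent(hash.replace(/^#/, "")));
  } catch (e) {
    return null; // malformed percent-encoding or not an absolute URL
  }
  const ok = parsed.protocol === "http:" || parsed.protocol === "https:";
  return ok ? parsed.href : null;
}

// Referer the destination site receives at most: the redirect page URL,
// with the fragment stripped by the browser. The home page URL is absent.
function refererSeenByDestination(redirectPageUrl) {
  const u = new URL(redirectPageUrl);
  u.hash = "";
  return u.href;
}

// Browser wiring: only runs when loaded as the redirect page.
if (typeof window !== "undefined") {
  const target = resolveTarget(window.location.hash);
  if (target) window.location.replace(target);
}
```
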

How to test it

We offer an easy way to test the referrer security:

  1. Add https://pw.ex.to/show-referrer to one of your password entries
  2. Click on the link in the password entry
  3. View the referrer that the web server "sees"