Opened 10 months ago

Last modified 9 months ago

#27925 new defect

Permanent link on /exonerator.html? is http

Reported by: modik
Owned by: metrics-team
Priority: Medium
Milestone:
Component: Metrics/ExoneraTor
Version:
Severity: Normal
Keywords:
Cc: metrics-team
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When results are displayed for a given IP in ExoneraTor, the permanent link section gives the link in HTTP.

Although the endpoint redirects to HTTPS, it's still desirable to show the HTTPS link in the first place. [Screenshot-attached]

Example:
https://metrics.torproject.org/exonerator.html?ip=62.138.7.171&timestamp=2018-09-20&lang=en

Attachments (1)

exoneraTor.png (41.4 KB) - added by modik 10 months ago.


Change History (5)

Changed 10 months ago by modik

Attachment: exoneraTor.png added

comment:1 Changed 9 months ago by karsten

Cc: metrics-team added
Status: new → needs_information

Good catch! This is indeed not ideal.

It's even a tiny bit worse than described above: we also include the http link in other places, for example, when an IP address was not found but nearby IP addresses in the same /24 have possible hits. Try searching for .170 and look at the HTML sources:

            <div class="panel-body">
              <p>We did not find IP address 62.138.7.170 on or within a day of 2018-09-20. But we did find other IP addresses of Tor relays in the same /24 network around the time:</p>
              <ul>
                <li><a href="http://metrics.torproject.org/exonerator.html?ip=62.138.7.171&timestamp=2018-09-20&lang=en">62.138.7.171</a></li>
              </ul>
            </div><!-- panel-body -->

The underlying issue is that we have an Apache running on the metrics host that listens on 443 and rewrites to 8080. In our servlet, we don't even learn that the request came in via https.

I don't really have an elegant solution. The best thing I can come up with is that we pretend that we're living in an HTTPS world now and simply rewrite http to https. And for local testing environments we provide a simple configuration option that turns off this internal rewriting.

Changing to needs_information to collect feedback on this plan. If I don't hear otherwise, I'll hack something next week. Unless somebody else wants to do it, in which case, please just grab the ticket!

comment:2 Changed 9 months ago by irl

For local testing environments you need HTTPS anyway or half the browser features are disabled and none of your JavaScript runs. Wherever we are using absolute links, we can set these to https://metrics.torproject.org/. Ideally though most of our links would be relative links.

Usually web applications have a "base URL" setting that can be overridden. Can we set this as a property with the default being https://metrics.torproject.org/?

comment:3 Changed 9 months ago by irl

Status: needs_information → new

comment:4 in reply to:  2 Changed 9 months ago by karsten

Replying to irl:

> For local testing environments you need HTTPS anyway or half the browser features are disabled and none of your JavaScript runs.

Hmm, I usually don't have my local testing instance on HTTPS. But I also don't rely much on JavaScript running or not.

> Wherever we are using absolute links, we can set these to https://metrics.torproject.org/.

Without looking at the code right now, I think that we might have to extend that to https://metrics.torproject.org/exonerator.html. But I'm not sure.

> Ideally though most of our links would be relative links.

True, in theory. Not sure if there are any practical reasons against doing that.

> Usually web applications have a "base URL" setting that can be overridden. Can we set this as a property with the default being https://metrics.torproject.org/?

Sounds fine to me!

Not grabbing just yet. If this is still owned by metrics-team in a couple of days I might grab it.
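
One way the "base URL" property discussed in comments 2 and 4 could look, as an added example that is not part of the ticket and not ExoneraTor's own code. The class name `PermanentLinks` and the property name `exonerator.baseUrl` are hypothetical, and accepting plain http only for localhost is an assumption made here.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Builds permanent links from a configured base URL instead of the proxied request URL. */
public class PermanentLinks {

  /** Hypothetical property name; the default is the one proposed in the ticket. */
  static final String BASE_URL_PROPERTY = "exonerator.baseUrl";
  static final String DEFAULT_BASE_URL = "https://metrics.torproject.org/";

  private final URI base;

  PermanentLinks(String configured) {
    String value = (configured == null || configured.isEmpty()) ? DEFAULT_BASE_URL : configured;
    URI uri = URI.create(value.endsWith("/") ? value : value + "/");
    String scheme = uri.getScheme();
    String host = uri.getHost();
    boolean local = "localhost".equals(host) || "127.0.0.1".equals(host);
    // Assumption: plain http is only acceptable for a local testing instance.
    if (!"https".equals(scheme) && !("http".equals(scheme) && local)) {
      throw new IllegalArgumentException("base URL must be https (or http on localhost): " + value);
    }
    this.base = uri;
  }

  /** Scheme and host come from configuration, never from the request seen behind the proxy. */
  String exoneratorLink(String ip, String timestamp, String lang) {
    return base.resolve("exonerator.html") + "?ip=" + enc(ip)
        + "&timestamp=" + enc(timestamp) + "&lang=" + enc(lang);
  }

  private static String enc(String s) {
    return URLEncoder.encode(s, StandardCharsets.UTF_8);
  }

  public static void main(String[] args) {
    // Production: property unset, so links use the https default.
    PermanentLinks links = new PermanentLinks(System.getProperty(BASE_URL_PROPERTY));
    System.out.println(links.exoneratorLink("62.138.7.171", "2018-09-20", "en"));
    // Local testing: override, e.g. -Dexonerator.baseUrl=http://localhost:8080/
    System.out.println(new PermanentLinks("http://localhost:8080/")
        .exoneratorLink("62.138.7.171", "2018-09-20", "en"));
  }
}
```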
