Re: [Tails-dev] Discussion on minitube

Author: Alessandro Grassi
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Discussion on minitube
Hi,
I have news, both good and bad.

Bad: I found 2 issues, sniffing with Wireshark
Good: they're already fixed :-)

The first one is about localization: auto-suggestion queries contain
the system language. For example:

http://suggestqueries.google.com/complete/search?ds=yt&output=toolbar&hl=it-IT&q=some_search_keywords

Notice the "hl=it-IT" part. Attached file
"minitube-suggest-locale-fix.patch" hardcodes an en-US locale.

The second one is about cookies: the author said that there are none,
meaning that he didn't care about them in his code. However, from some Qt
documentation it turns out that:

"QNetworkAccessManager by default does not implement any cookie policy
of its own: it accepts all cookies sent by the server, as long as they
are well formed and meet the minimum security requirements (cookie
domain matches the request's and cookie path matches the request's)"

As a result, minitube accepts cookies sent by YouTube/Google on the
first search query, and sends them back on subsequent searches.
If the program is closed and reopened, cookies are cleaned, but
searches within the same program session can be correlated!
Attached file "minitube-cookies-fix.patch" corrects this to never send
any cookie.

2013/1/20, intrigeri <intrigeri@???>:
> But still, someone should research a bit the potential anonymity
> issues. I suggest using the Torbutton Design Documentation as a lead
> to point you to the most typical problems. I'm sorry to say this, as
> I hate to feel like I may be discouraging you, but I'd hate even more
> to treat "lack of time to research" the same way as "found no issue
> after searching" ;)

You were right, thanks for insisting that I do more research ;-)

Greetings
Alessandro
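
The two leaks described in this message can be checked for in a capture before and after patching. The following is an added example, not part of the original message or of minitube; the exchange dict layout, the DEMO cookie and the sample capture are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

NEUTRAL_LOCALE = "en-US"  # the value the locale patch hardcodes

def audit(exchanges, neutral=NEUTRAL_LOCALE):
    """Return findings for captured HTTP exchanges, given in capture order.

    Each exchange is a dict with "url", "request_headers" and
    "response_headers" (assumed layout, e.g. built from a Wireshark export).
    """
    findings = []
    seen = {}  # cookie name -> (value, index of the response that set it)
    for i, ex in enumerate(exchanges):
        # Leak 1: an hl= parameter that reveals a non-neutral system locale.
        query = parse_qs(urlsplit(ex["url"]).query)
        for hl in query.get("hl", []):
            if hl != neutral:
                findings.append(("locale-leak", i, hl))
        # Leak 2: a cookie set earlier in the session is sent back, which
        # lets the server link this request to the earlier one.
        sent = SimpleCookie(ex["request_headers"].get("Cookie", ""))
        for name, morsel in sent.items():
            if name in seen and seen[name][0] == morsel.value:
                origin = seen[name][1]
                findings.append(("cookie-linked", i, f"{name} set by exchange {origin}"))
        received = SimpleCookie(ex["response_headers"].get("Set-Cookie", ""))
        for name, morsel in received.items():
            seen[name] = (morsel.value, i)
    return findings

BASE = "http://suggestqueries.google.com/complete/search?ds=yt&output=toolbar"

# Constructed capture of an unpatched session: two searches in one run.
SAMPLE = [
    {"url": BASE + "&hl=it-IT&q=first",
     "request_headers": {},
     "response_headers": {"Set-Cookie": "DEMO=constructed123; path=/"}},
    {"url": BASE + "&hl=en-US&q=second",
     "request_headers": {"Cookie": "DEMO=constructed123"},
     "response_headers": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A capture taken with both patches applied should produce an empty list even when the server keeps sending Set-Cookie headers.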
--- youtubesuggest.cpp.bak    2012-09-27 10:17:03.000000000 +0000
+++ youtubesuggest.cpp    2013-01-31 11:24:57.000000000 +0000
@@ -13,13 +13,13 @@
 }


 void YouTubeSuggest::suggest(QString query) {
-    QString locale = QLocale::system().name().replace("_", "-");
+    //QString locale = QLocale::system().name().replace("_", "-");
     // case for system locales such as "C"
-    if (locale.length() < 2) {
-        locale = "en-US";
-    }
+    //if (locale.length() < 2) {
+    //    locale = "en-US";
+    //}


-    QString url = QString(GSUGGEST_URL).arg(locale, query);
+    QString url = QString(GSUGGEST_URL).arg("en-US", query);


     QObject *reply = The::http()->get(url);
     connect(reply, SIGNAL(data(QByteArray)), SLOT(handleNetworkData(QByteArray)));
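
Review bot: The locale lookup and the "C"-locale fallback at the top of YouTubeSuggest::suggest are commented out rather than deleted, and the surviving comment `// case for system locales such as "C"` now describes nothing. Delete the dead lines, and put a one-line comment next to `.arg("en-US", query)` saying the locale is fixed on purpose so that the hl= parameter does not reveal the system language; without it a later cleanup could easily restore QLocale::system().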

--- networkaccess.cpp.bak    2012-09-27 10:17:03.000000000 +0000
+++ networkaccess.cpp    2013-01-31 17:30:32.000000000 +0000
@@ -117,6 +117,11 @@


NetworkAccess::NetworkAccess( QObject* parent) : QObject( parent ) {}

+QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl ( const QUrl & url ) const {
+    QList<QNetworkCookie> list = QList<QNetworkCookie>();
+    return list;
+}
+
 QNetworkReply* NetworkAccess::manualGet(QNetworkRequest request, int operation) {


     QNetworkAccessManager *manager = The::networkAccessManager();
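
Review bot: The added `QNetworkCookieJar::cookiesForUrl` in networkaccess.cpp defines a member function of Qt's own class inside the application, which duplicates a symbol that QtNetwork already provides; whether this definition or the library's ends up being called depends on how the program is linked, so the fix is not reliable. cookiesForUrl is virtual, so the usual approach is a small QNetworkCookieJar subclass that overrides it to return an empty list, installed with QNetworkAccessManager::setCookieJar where the manager is created. The same subclass could override setCookiesFromUrl so that cookies are not stored at all, since this hunk only suppresses sending them. The temporary `list` is unnecessary; `return QList<QNetworkCookie>();` is enough.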