yahoo search leaks destination url

RESOLVED WORKSFORME

Status


Firefox
Search
RESOLVED WORKSFORME
2 years ago
6 months ago

People

(Reporter: keeler, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(platform-rel +, firefox42 affected)

Details

(Whiteboard: [platform-rel-Yahoo!])

Yahoo search is over https, which is great. Search results are sometimes https pages, which is also great. What's not great is yahoo search bounces the browser through an http host which redirects to the actual target, which leaks the destination to anyone who's listening in at the local coffee shop.

STR:
* run Wireshark (or equivalent packet capturing utility) (filter on port 80 or 443)
* search for something that might have https results (e.g. 'github')
* click the link to github

The browser will first navigate to something like 'http://r.search.yahoo.com/_ylt=AwrTcd7HcKlVNGUALG4nnIlQ;_ylu=X3oDMTEzamsxbWY1BGNvbG8DZ3ExBHBvcwMxBHZ0aWQDRkZHRTAyXzEEc2VjA3Ny/RV=2/RE=1437196616/RO=10/RU=https%3a%2f%2fgithub.com%2f/RK=0/RS=uaXQDZKGnFD0CzrtZi8C8WYAtIk-' before being redirected to https://github.com.

Wireshark will see something like this (use "Follow TCP Stream" on the http traffic):

GET /_ylt=A86.J7web6lVtyQAEucnnIlQ;_ylu=X3oDMTEzamsxbWY1BGNvbG8DZ3ExBHBvcwMxBHZ0aWQDRkZHRTAyXzEEc2VjA3Ny/RV=2/RE=1437196191/RO=10/RU=https%3a%2f%2fgithub.com%2f/RK=0/RS=7UWiwK0gQIhXesoxeWYLhFgJQFk- HTTP/1.1
Host: r.search.yahoo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: <cookie>
Connection: keep-alive

HTTP/1.1 200 OK
Date: Fri, 17 Jul 2015 21:10:02 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: private
Content-Length: 247
Content-Type: text/html; charset="UTF-8"
Age: 0
Connection: keep-alive
Server: ATS

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><script>window.opener=null;window.location.replace("https://github.com/");</script><noscript><META http-equiv="refresh" content="0;URL='https://github.com/'"></noscript></head></html>

Kev, if I recall correctly, you're the contact person for all things Yahoo search in Firefox. Can you raise this issue/get traction with the appropriate people?
Flags: needinfo?(kev)
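The leak in the description is easy to miss in a large capture, because the destination only appears percent-encoded in a path segment of a plaintext request and, again, in the body of the redirect response. The following Python script is an added example (not part of the bug report and not Yahoo's or Mozilla's code) that audits a set of captured exchanges for exactly this pattern: a request sent over plain HTTP whose RU= path segment, or whose script/meta-refresh redirect body, names an https:// destination. The exchanges it runs over are constructed for the example and modelled on the capture above, with the tracking values and cookie shortened; the example.org and example.net entries are hypothetical. An https bouncer like the one described later in the bug is deliberately not flagged, since the destination is then inside TLS.

```python
"""Audit captured HTTP exchanges for plaintext redirectors that reveal https destinations."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample exchanges modelled on the capture in the bug description.
# "transport" records whether the request itself travelled over plain HTTP or TLS.
SAMPLE_EXCHANGES = [
    {   # plaintext bouncer carrying an https destination: this is the leak
        "transport": "http",
        "host": "r.search.yahoo.com",
        "request": "GET /_ylt=X;_ylu=Y/RV=2/RE=1437196191/RO=10/RU=https%3a%2f%2fgithub.com%2f/RK=0/RS=Z HTTP/1.1",
        "body": '<html><head><script>window.opener=null;window.location.replace("https://github.com/");</script>'
                '<noscript><META http-equiv="refresh" content="0;URL=\'https://github.com/\'"></noscript></head></html>',
    },
    {   # hypothetical: plaintext bouncer to a plaintext site; nothing extra is exposed
        "transport": "http",
        "host": "r.search.yahoo.com",
        "request": "GET /RV=2/RU=http%3a%2f%2fexample.org%2f/RK=0 HTTP/1.1",
        "body": '<script>window.location.replace("http://example.org/");</script>',
    },
    {   # hypothetical: an ordinary page with no redirect at all
        "transport": "http",
        "host": "example.net",
        "request": "GET /index.html HTTP/1.1",
        "body": "<html><body>plain page, no redirect</body></html>",
    },
    {   # the fixed behaviour: same bouncer, but requested over TLS
        "transport": "https",
        "host": "r.search.yahoo.com",
        "request": "GET /RV=2/RU=https%3a%2f%2fgithub.com%2f/RK=0 HTTP/1.1",
        "body": '<script>window.location.replace("https://github.com/");</script>',
    },
]

# Redirect targets as announced by the response body: a script redirect or a meta refresh.
LOCATION_REPLACE = re.compile(r"""location\.replace\(\s*["']([^"']+)["']\s*\)""")
META_REFRESH = re.compile(r"""content=["']\s*\d+\s*;\s*URL=['"]?([^'"]+)""", re.I)


def destination_from_path(path):
    """Return the percent-decoded target carried in the bouncer's RU= path segment, or None."""
    for segment in path.split("/"):
        if segment.startswith("RU="):
            return unquote(segment[len("RU="):])
    return None


def destination_from_body(body):
    """Return the redirect target the response body announces (script or meta refresh), or None."""
    for pattern in (LOCATION_REPLACE, META_REFRESH):
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def find_leaks(exchanges):
    """Return one record per plaintext exchange whose redirect target is an https URL.

    Each record names the host that served the bouncer, the exposed destination and
    which parts of the exchange (request path, response body) revealed it.
    """
    leaks = []
    for ex in exchanges:
        if ex["transport"] != "http":
            continue  # destination travelled inside TLS; not observable on the wire
        path = ex["request"].split(" ")[1]
        candidates = {
            "RU path segment": destination_from_path(path),
            "response body": destination_from_body(ex["body"]),
        }
        exposed = {name: dest for name, dest in candidates.items()
                   if dest and urlsplit(dest).scheme == "https"}
        if exposed:
            leaks.append({
                "host": ex["host"],
                "destination": next(iter(exposed.values())),
                "evidence": list(exposed),
            })
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_EXCHANGES):
        print(f"{leak['host']}: https destination {leak['destination']} "
              f"exposed via {', '.join(leak['evidence'])}")
```

Run as-is it reports the single leaking exchange; to use it on a real capture, export the plaintext HTTP requests and responses (for instance from Wireshark's "Follow TCP Stream") into the same record shape. Checking both the request path and the response body matters: the path is what a passive observer sees before any redirect happens, while the body confirms where the browser is actually sent.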

Comment 2

2 years ago
Bouncer URL is not likely to change from HTTP to HTTPS at this point. We have looked at using sendbeacon to replace redirects, but it's not clear that our implementation will satisfy reporting requirements. Best to flag with Mike Connor, as it is still an issue.
Flags: needinfo?(kev)

Updated

2 years ago
platform-rel: --- → ?

Updated

2 years ago
Whiteboard: [platform-rel-Yahoo!]

Updated

2 years ago
Flags: needinfo?(mconnor)

Comment 3

2 years ago
I've sent this to Yahoo as an FYI. They are taking a look.
Flags: needinfo?(mconnor)
platform-rel: ? → +
Rank: 5

Comment 4

9 months ago
Dkeeler: can you retest and see if you are seeing the same results?

We think Yahoo switched to sendBeacon.
Flags: needinfo?(dkeeler)
(Reporter)

Comment 5

9 months ago
On release this seems to be fixed, but I'm still seeing it on Nightly.
Flags: needinfo?(dkeeler)

Comment 6

9 months ago
> On release this seems to be fixed, but I'm still seeing it on Nightly.

I have no explanation for that.

Hi David, what would be the next steps to move this bug forward?
Flags: needinfo?(dkeeler)
(Reporter)

Comment 8

8 months ago
I imagine we need to reach out to Yahoo again and tell them we're still seeing this behavior on Nightly (at least, I am).
Flags: needinfo?(dkeeler)

Mike, looks like you reached out in Comment #3 -- would it be possible to follow up here? Thanks!
Flags: needinfo?(mozilla)

Comment 10

6 months ago
I've reached out to Yahoo on this.
Flags: needinfo?(mozilla)

Comment 11

6 months ago
Yahoo just took a look:

> Sure, I can take a look at it. I checked on a nightly build of Firefox and did not see this issue for https outgoing links. Can you please help by providing more details, like which Yahoo search URL and which example search result was clicked? That will help us debug better.

Does anyone have a link/example of this that I can send Yahoo?
(Reporter)

Comment 12

6 months ago
What I'm seeing now is that https:// destinations are bounced through an https://r.search.yahoo.com redirect, so those aren't leaking the destination URL any longer, and this appears to be fixed.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → WORKSFORME