See, I think the main difference is that people who have much smaller containers, limited bandwidth and limited cash might be more worried about a bandwidth hit than, say, a Google would be :)

On Jul 17, 2008, at 2:55 AM, Kevin Brown wrote:

We just blacklist certain URLs and certain referrers on gmodules.com. We haven't really had any issue with that scheme, and we're a pretty big target for exploits.

On Wed, Jul 16, 2008 at 2:45 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:

Some might feel the same ... adding a security token to all the proxy requests or checking referrers etc. has been added as a possible solution to reduce the risk a bit, but so far it hasn't gotten a lot of traction.


On Jul 16, 2008, at 11:39 PM, Emilio Daniel González wrote:

That is abuse! I think...

On Wed, Jul 16, 2008 at 6:34 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:

Well, what you -could- do is create a site and host all the 'images' (let's pretend this does not involve scantily dressed people) on the pages as <img src="http://shindig/proxy?url=http://myhost.com/some/image.gif" /> ... and thus offload most of the bandwidth used to the proxy instead of the originating site.



On Jul 16, 2008, at 11:27 PM, Emilio Daniel González wrote:

So, if I were a bad guy, could I copy the whole Internet into the proxy?! =P

On Wed, Jul 16, 2008 at 6:07 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:


On Wed, Jul 16, 2008 at 2:03 PM, Emilio Daniel González <[EMAIL PROTECTED]> wrote:

btw, why are all the files that pass through the proxy named "p.txt"? Is it a convention or what?



The "p" is arbitrary (it stands for proxy). The .txt extension generally causes the file to be opened in a text editor rather than the web browser (either that or the user gets a download dialog). Most other extensions would be loaded in the browser (making the technique ineffective) or blocked by security software.



On Wed, Jul 16, 2008 at 5:58 PM, Chris Chabot <[EMAIL PROTECTED]> wrote:

So how does it prevent the use of the proxy as a 'free Akamai' when people can use it for their images/etc.?


On Jul 16, 2008, at 10:52 PM, Kevin Brown wrote:

Yes, it works under that use case. Sending it as an attachment does not interfere with legitimate use of the proxy, as it does not impact img, object, embed, script, or link elements or style sheet imports.

On Wed, Jul 16, 2008 at 1:46 PM, Ropu <[EMAIL PROTECTED]> wrote:

hi

I have a question.

Will sending proxy results as an attachment work with this example?

Let the container cache your dynamic content
http://code.google.com/apis/opensocial/articles/latency/#dynamic

The gadgets.io.getProxyUrl function will return the location of the cached version of the URL you provide, including images, JavaScript, and CSS.

So instead of using the URL of content hosted on your server, like this:

    function showImage() {
      var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
      var html = ['<img src="', imgUrl, '">'];
      document.getElementById('dom_handle').innerHTML = html.join('');
    }

    showImage();

you can use the URL of the cached content, like this:

    function showImage() {
      var imgUrl = 'http://www.example.com/i_heart_apis_sm.png';
      // Ask the container for the proxied (cached) URL instead of the origin URL.
      var cachedUrl = gadgets.io.getProxyUrl(imgUrl);
      var html = ['<img src="', cachedUrl, '">'];
      document.getElementById('dom_handle').innerHTML = html.join('');
    }

    showImage();

If so, is it preventing "free Akamai" or phishing?

That said, either the example is wrong (and we are limiting functionality), or the solution is partial (or I'm completely mixed up :P).

ropu

On Fri, Jul 11, 2008 at 2:45 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:

On Fri, Jul 11, 2008 at 2:20 AM, Karsten Beyer <[EMAIL PROTECTED]> wrote:

Hi,

what is the suggested strategy to prevent abuse of the open proxy at /gadgets/proxy? I found some old discussions from February about adding the IP address of the user as an HTTP header. Some testing, however, showed that this is not yet implemented.

Are there any plans to implement some kind of whitelist feature? More importantly: are there any reasons against implementing such a feature?

You could always add a whitelist for outbound requests, but you'd have to do a custom http fetcher implementation.

The java version is currently returning all proxied files as attachments, which has helped significantly with reducing the potential of /gadgets/proxy as a phishing vector or free Akamai.





Best Regards,

Karsten Beyer
[EMAIL PROTECTED]








--
.-. --- .--. ..-
R o p u