Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[scanner integration] Scan for direct .onion address links on landing page #508

Closed
eloquence opened this issue May 26, 2018 · 1 comment
Closed

[scanner integration] Scan for direct .onion address links on landing page #508

eloquence opened this issue May 26, 2018 · 1 comment
Labels
enhancement landing page scanner

Comments

@eloquence
Copy link
Member

eloquence commented May 26, 2018
edited
Loading

Part of epic #488. We recommend not to directly link .onion addresses (https://docs.securedrop.org/en/stable/deployment/landing_page.html#do-not-hyperlink-onion-addresses), so we should verify whether such links are present and record it in the scan results.

While this only impacts users who click on the link in a non-Tor browser, in those cases, it does lead to a DNS leak of their attempt to access SecureDrop, so it warrants a "moderate" warning
@eloquence eloquence changed the title Scan for direct .onion address links on landing page [scanner integration] Scan for direct .onion address links on landing page May 31, 2018
This was referenced May 31, 2018
Open
Closed
Closed
@eloquence
Copy link
Member Author

This is actually already supported in the current scanner code (see validate_onion_address_not_in_href in scanner.py), it's just not used for the grades. Closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement landing page scanner
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@eloquence