tiddlyspot security issue?


M)

Sep 7, 2009, 12:06:46 AM
to TiddlyWiki
I have a concern that other private tiddlyspot users might want to
check out. I've tried contacting feed...@tiddlyspot.com in the
middle of July and a few days ago about this and have had no response.

I set up my private tiddlywiki for google analytics following the
guidance here:
http://www.hawksworx.com/journal/2007/07/05/tracking-tiddlywiki-with-google-analytics/

Since I had this implemented, I've had three visits from someone in
Ichikawa Japan (about 1/mth). Analytics shows me that this person
visits the root directory only. Interestingly, the "source" of the
visits come from three different sites with the ".jp" domain.

My site is set to "restricted access" in the control panel. I have
changed my password to see if it would stop the visits and the person
was again recorded by analytics.

Is it possible for analytics to record a visit for someone who doesn't
have a password? It seems far fetched. If this person has happened
to have found a back door, then everyone's private site would be at
risk, right?

Can anyone shed light on this subject? Consider setting up your site
with analytics to check if you get visits too.

Eric Shulman

Sep 7, 2009, 12:44:32 AM
to TiddlyWiki
> Since I had this implemented, I've had three visits from someone in
> Ichikawa Japan (about 1/mth).  Analytics shows me that this person
> visits the root directory only.  Interestingly, the "source" of the
> visits come from three different sites with the ".jp" domain.
>
> My site is set to "restricted access" in the control panel.  I have
> changed my password to see if it would stop the visits and the person
> was again recorded by analytics.

If I go to a protected site and enter the wrong password when
prompted, I don't get to see the page, but it still is recorded in
the server logs as a visit... with an error code of 403 ("Forbidden").

Are you certain that the reported visits were *successful* at viewing
your document content? You might want to directly examine the raw log
file data, to check the actual number of bytes that were transferred
for each suspicious server request. If it is too small to be the
entire document, then it is most likely that the only response from
the server was to redirect to TiddlySpot's "wrong password" page.

HTH,
-e
Eric Shulman
TiddlyTools / ELS Design Studios
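The check Eric describes above, as an added example that is not part of the thread or of TiddlySpot's own tooling: parse raw server-log entries, and separate requests that could actually have delivered the TiddlyWiki document (and therefore run the Google Analytics script embedded in it) from requests that were rejected with 401/403 or transferred too few bytes. It assumes the Apache/nginx "combined" log format; the log lines, the IP addresses (documentation ranges) and the document size are constructed for the example.

```javascript
// Added example, not code from the thread: audit a combined-format server log
// by status code and bytes transferred. A 401/403 response, or a 200 that is
// far smaller than the stored .html file, cannot have run the GA snippet.

const COMBINED_LOG_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\d+|-)(?: "([^"]*)" "([^"]*)")?/;

// Parse one line of Apache/nginx "combined" format; returns null if it does not match.
function parseLogLine(line) {
  const m = COMBINED_LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[6]),
    bytes: m[7] === '-' ? 0 : Number(m[7]),
    referer: m[8] || '-',
    userAgent: m[9] || '-',
  };
}

// A request can only have delivered the document if it succeeded (200) and
// transferred at least the size of the stored file (minDocBytes, an assumed value).
function classifyRequest(entry, minDocBytes) {
  if (entry.status === 401 || entry.status === 403) return 'rejected-auth';
  if (entry.status >= 300 && entry.status < 400) return 'redirect';
  if (entry.status === 200 && entry.bytes >= minDocBytes) return 'document-delivered';
  if (entry.status === 200) return 'partial-or-other';
  return 'other';
}

// Walk the log and bucket each parsed request by verdict.
function auditLog(lines, minDocBytes) {
  const summary = { delivered: [], rejected: [], other: [] };
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    e.verdict = classifyRequest(e, minDocBytes);
    if (e.verdict === 'document-delivered') summary.delivered.push(e);
    else if (e.verdict === 'rejected-auth') summary.rejected.push(e);
    else summary.other.push(e);
  }
  return summary;
}

// Constructed sample log (documentation IP ranges; not real visitors).
const SAMPLE_LOG = [
  '203.0.113.7 - - [05/Sep/2009:10:12:01 +0000] "GET / HTTP/1.1" 401 512 "http://example.jp/" "Mozilla/5.0"',
  '203.0.113.7 - - [05/Sep/2009:10:12:09 +0000] "GET / HTTP/1.1" 401 512 "http://example.jp/" "Mozilla/5.0"',
  '198.51.100.4 - - [05/Sep/2009:11:00:00 +0000] "GET / HTTP/1.1" 200 384000 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [05/Sep/2009:12:00:00 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
];
// Assumed size of the stored TiddlyWiki .html file; use the real file size in practice.
const ASSUMED_DOC_BYTES = 380000;

const AUDIT_RESULT = auditLog(SAMPLE_LOG, ASSUMED_DOC_BYTES);
console.log(
  `delivered: ${AUDIT_RESULT.delivered.length}, rejected: ${AUDIT_RESULT.rejected.length}, other: ${AUDIT_RESULT.other.length}`
);
for (const e of AUDIT_RESULT.rejected) {
  console.log(`  ${e.ip} ${e.status} ${e.bytes}B referer=${e.referer}`);
}
```

On the constructed sample the two .jp-referred requests are 401s of 512 bytes and land in the rejected bucket; only the 384000-byte 200 counts as a delivered document. Replace SAMPLE_LOG with the lines from the hosting provider's raw access log and ASSUMED_DOC_BYTES with the actual file size to run the same check for real.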

M)

Sep 7, 2009, 3:01:37 PM
to TiddlyWiki
Thanks for the reply, Eric.

> If I go to a protected site and enter the wrong password when
> prompted, it don't get to see the page, but it still is recorded in
> the server logs as a visit... with an error code of 403 ("Forbidden").

Google Analytics (pardon my weak understanding of the language) is
JavaScript-based and doesn't come from the server. The only way
analytics can send a ping is if the document is downloaded, as far as
I understand. Or if it is partially downloaded to the point of the
javascript (if that is possible).

> Are you certain that the reported visits were *successful* at viewing
> your document content?  

I'm not sure. I only think they have since analytics has recorded the
visit. I'm hoping an expert can clear things up because I'm unsure.

> You might want to directly examine the raw log
> file data, to check the actual number of bytes that were transferred
> for each suspicious server request.  If it is too small to be the
> entire document, then it is most likely that the only response from
> the server was to redirect to TiddlySpot's "wrong password" page.

Can you point me to more info? I'm not sure how to examine the raw
log file data.

M)

M)

Sep 15, 2009, 1:04:30 PM
to TiddlyWiki
I had someone in Brazil try 12 times to enter my TW. I'm finding this
disturbing (FYI, I've never shared my site with anyone). I don't
think people are successful in visiting my content, but the number of
visits is uncomfortable. I must have a Tiddlyspot sub-domain name
that is easy to mixup with others or something along those lines so
I've moved it to another sub-domain. Hopefully that helps me feel
better.

FYI, I either don't understand things appropriately because of my weak
technical language, or my question is left unanswered. What I can't
understand is how Google Analytics could possibly record a visit if
the visitor cannot login. I believe if GA is to get a ping, the
visitor has seen my content.

If anyone can help me understand, I'd appreciate it.

M)

wolfgang

Sep 15, 2009, 1:32:16 PM
to TiddlyWiki
Hi M,

> understand is how Google Analytics could possibly record a visit if
> the visitor cannot login. I believe if GA is to get a ping, the
> visitor has seen my content.
>

I would try to access your site from another computer without
entering the password, and then check if such attempts would be
reported by Google.

Regards..

FND

Sep 17, 2009, 7:51:50 AM
to tiddl...@googlegroups.com
> I would try to access your site from an other computer without
> entering the password, and than check if such attempts would be
> reported by Google.

Or you might get Firebug and watch the Net tab for requests to GA.
If you tell me the URL, I can take a quick look.

I'm fairly sure TiddlySpot only presents a static 401 page (i.e. entirely
unrelated to whatever TiddlyWiki document is stored at that location).


-- F.

FND

Sep 17, 2009, 12:30:59 PM
to tiddl...@googlegroups.com
> If you tell me the URL, I can take a quick look.

Marc has sent me the URL.
As predicted, all I get is a static 401 page that does not trigger any
Google Analytics requests.

So I can think of a few explanations:
* someone in Brazil has guessed your password
* your own visits are mistakenly being registered as coming from Brazil
* Google Analytics is misconfigured somehow, counting requests from
other locations

None of those seem very likely, so there might well be other, less
obvious explanations.


-- F.

Jeremy Ruston

Sep 17, 2009, 2:18:29 PM
to tiddl...@googlegroups.com
Google Analytics works in a fairly indirect way; you'll have a little
bit of script on your page that calls a larger script loaded from
Google's servers. That little bit of script has embedded in it the URL
of the website and your Google Analytics ID, which are then passed
along to Google's servers where the hit gets accumulated.

Looking at the Google Analytics code, I think it's possible that false
positives could occur, either accidentally or, perhaps more likely,
deliberately. There's a history of spammers hitting
servers just to get their spammy URLs into the server logs, so that a
hapless site owner is tricked into clicking on them. It's conceivable
that spammers now try to attack google analytics directly, poisoning
the analytic reports with malicious URLs without ever going near the
original site.

The above is my speculation, but some swift Googling suggests that
false positives aren't unknown with Google Analytics:

http://www.google.com/support/forum/p/Google+Analytics/thread?tid=76c752308f9c349a&hl=en

Best wishes

Jeremy
--
Jeremy Ruston
mailto:jer...@osmosoft.com
http://www.tiddlywiki.com

M)

Sep 22, 2009, 8:58:24 AM
to TiddlyWiki
> So I can think of a few explanations:
> * someone in Brazil has guessed your password

If the person guessed the password, I would have seen the different
pages visited by this person. What it looks like to me is that the
person attempted to guess the password 12 times. Possibly, at the
12th, they guessed it though I consider that unlikely because I'm not
using an easy password like "qwerty". I'm less concerned about the
Brazil visit because it is a one time visit and since I use an easy
domain name like "the", maybe the person mistyped something like
"thy". The Japan one is a recurring visit and this is the one I'm
more concerned about. If I were the evil doer, I'd visit a
tiddlyspot, download it and try it from my own computer. Okay, now
that I said that, for this to be true, the evil doer would have to
open the tiddlywiki with notepad to strip the GA code and prevent
pings from occurring (or unplugging from the web).

> * your own visits are mistakenly being registered as coming from Brazil

Unlikely. I would have seen it happen more than just for one day and
it wouldn't have been more than the number of times I visited. I do
notice that my work has provided two different city names

> * Google Analytics is misconfigured somehow, counting requests from
>    other locations
>

I notice that "/[object object]" is in the 'pages visited' list. I
don't know what that is.

I doubt anyone is seeing my content and now that I've moved it to
another location and have yet to see odd results in GA, I'm not so
worried. I imagine my old domain name is just an easy one. What
remains to be answered is why GA registers a hit. Maybe it is just as
Jeremy says, they are just false positives.

I'm keeping the GA code active for this domain to see if anything
happens.

Eric Shulman

Sep 22, 2009, 11:32:59 AM
to TiddlyWiki
> I notice that "/[object object]" is in the 'pages visited' list.  I
> don't know what that is.

Just a guess (I haven't looked at any plugin or GA code):

In order to track the viewing of individual tiddlers, I assume that
the TW implementation for Google Analytics (GA) is hijacking the
core's displayTiddler() function. I also assume that this hijack
takes the tiddler title, as passed to displayTiddler(), and uses it to
construct a 'fake' URL with "/TiddlerName" on the end of it that is
reported back to GA.

However, the displayTiddler() function can accept either a tiddler
*title* (a text string) or a tiddler *object* (which it then accesses
to get the title). As a result, if the GA-hijacked displayTiddler()
code attempts to use the tiddler *object* in a text expression to
construct the fake URL then, because the tiddler object does not have
a .toString() method, it reports back "[object object]" instead of the
actual tiddler title.

Here's the first few lines of the core's displayTiddler() javascript
code that illustrates the technique for properly accessing the title:
-----------------------
Story.prototype.displayTiddler = function
(srcElement,tiddler,template,animate,unused,customFields,toggle,animationSrc)
{
	// accept either a Tiddler object or a plain title string
	var title = (tiddler instanceof Tiddler) ? tiddler.title : tiddler;
	// ... remainder of the core function omitted here ...
};
-----------------------

If this code technique is applied to the appropriate place in the
current GA-hijacked code, it should eliminate the spurious "[object
object]" from items appearing in your logs.

Another approach that might work, but has potentially more far-
reaching effect, would be to add a .toString() method for the tiddler
object:
-------------------
// string expressions on a Tiddler object now yield its title
Tiddler.prototype.toString = function() { return this.title; };
-------------------
Once this is defined, use of a tiddler object within a text expression
should trigger the .toString() method, resulting in the actual tiddler
title being used in the expression instead of "[object object]".

enjoy,
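Both of Eric's proposed fixes, as an added example that is not TiddlyWiki core code or the Google Analytics plugin's code: a minimal model of a Tiddler, of the core's displayTiddler() accepting either a title string or a Tiddler object, and of a tracking hijack built on top of it. The tracker function name (trackPageview) and the hijack bodies are assumptions for the illustration; the tiddler titles are constructed. Note that the string a browser actually produces for a plain object is "[object Object]" (capital O), which is what shows up in the report.

```javascript
// Added example (not from the thread, TiddlyWiki core or the GA plugin):
// why a displayTiddler() hijack reports "/[object Object]", and two fixes.

function Tiddler(title) { this.title = title; }

function Story() { this.displayed = []; }
// Models the core's behaviour: the argument may be a title or a Tiddler object.
Story.prototype.displayTiddler = function (srcElement, tiddler) {
  var title = (tiddler instanceof Tiddler) ? tiddler.title : tiddler;
  this.displayed.push(title);
  return title;
};

// Stand-in for the GA tracker call (assumed name); records the paths it is given.
var reportedPaths = [];
function trackPageview(path) { reportedPaths.push(path); }

// Buggy hijack: uses the argument directly in a string expression, so a
// Tiddler object without toString() becomes "[object Object]".
function installBuggyHijack() {
  var core = Story.prototype.displayTiddler;
  Story.prototype.displayTiddler = function (srcElement, tiddler) {
    trackPageview('/' + tiddler);
    return core.apply(this, arguments);
  };
}

// Fix 1: resolve the title the way the core does before building the path.
// (encodeURIComponent is an added choice so titles with spaces stay one path segment.)
function installFixedHijack() {
  var core = Story.prototype.displayTiddler;
  Story.prototype.displayTiddler = function (srcElement, tiddler) {
    var title = (tiddler instanceof Tiddler) ? tiddler.title : tiddler;
    trackPageview('/' + encodeURIComponent(title));
    return core.apply(this, arguments);
  };
}

// Fix 2: give Tiddler a toString() so even the buggy hijack's concatenation works.
function installToString() {
  Tiddler.prototype.toString = function () { return this.title; };
}

// Run one scenario against a fresh, unhijacked core and return what was reported.
function runScenario(install, useToString) {
  reportedPaths = [];
  var savedCore = Story.prototype.displayTiddler;
  if (useToString) installToString(); else delete Tiddler.prototype.toString;
  install();
  var story = new Story();
  story.displayTiddler(null, 'GettingStarted');             // title string
  story.displayTiddler(null, new Tiddler('Security Notes')); // Tiddler object
  Story.prototype.displayTiddler = savedCore;                // undo the hijack
  return reportedPaths.slice();
}

console.log('buggy hijack:       ', runScenario(installBuggyHijack, false));
console.log('fixed hijack:       ', runScenario(installFixedHijack, false));
console.log('buggy + toString(): ', runScenario(installBuggyHijack, true));
```

The buggy scenario reports "/GettingStarted" and "/[object Object]"; the instanceof fix reports "/GettingStarted" and "/Security%20Notes"; adding toString() makes the original buggy hijack report "/Security Notes". As Eric notes, the toString() route changes how every string expression involving a Tiddler behaves, so the local instanceof check is the narrower change.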

Simon Baird

Nov 10, 2009, 7:45:51 AM
to tiddl...@googlegroups.com
Apologies for the lack of response. I don't know why you're seeing what you're seeing in Analytics.

However, your concern has caused me to realise we don't really warn people about Tiddlyspot's lack of security.

In short, because tiddlyspot doesn't use SSL it's not a good idea to (a) consider your data secure and (b) use a password that you don't want people to discover.

I've posted about this here and updated the FAQ and will shortly place an extra warning on the signup page.
http://tiddlyspot.blogspot.com/2009/11/warning-about-security.html


Regards,
Simon.
--
simon...@gmail.com

Måns

Nov 10, 2009, 12:51:15 PM
to TiddlyWiki
Hi Simon

Thanks for making it clear.
Btw. your permalink (http://faq.tiddlyspot.com/#[[Is%20Tiddlyspot
%20secure%3F]]) from your blog is pointing to an empty tiddler titled:
Is Tiddlyspot secure%3F
A better permalink might be:
http://faq.tiddlyspot.com/#%5B%5BIs%20Tiddlyspot%20secure%3F%5D%5D

Regards Måns Mårtensson


Måns

Nov 10, 2009, 1:13:41 PM
to TiddlyWiki
Hmm - same problem... It's google chrome which makes trouble - sorry
for the false alert..

Regards måns Mårtensson