
I can't figure out what the trivial fix is. Would proxying all S3 requests through his server fix the issue, or do the headers get passed through to Amazon anyway?


One fix is to not directly send the users to the result page. Instead, link to a redirect script on the DDG servers, i.e., duckduckgo.com/goto.php?link=http://search-result.com/ and then have goto.php remove the REFERER from the request headers.


Not sure if that will work in all browsers; IIRC a 301 or a 302 can still pass those headers on. The only trick I know of that will not do that is using a 'meta refresh' with a time set to '0', but that has bad implications for the working of the 'back' button.


I haven't tested this out, but I don't see why something like this wouldn't work...

<?php
    header("Location: the-result.com");
    header("Referer: ");
?>


Referer is a header the browser sends; Location is a header the server sends. Also, the Location header needs either a relative URL on the local machine or a fully qualified one. In this case it would have needed a fully qualified one.

So maybe you should have tested it ;) ?


I wouldn't say there is a trivial fix. One option would be to encrypt the search term client-side with blowfish (or some other 2-way hash scheme) and use that as the url string.


Erm.. You probably mean something like a "symmetric block cipher", such as Blowfish. The point of (cryptographic) hashes is that they're one way only.

But as for a fix, at least Opera offers the option of never sending referrer information. That would be enough in this case.


Firefox offers that option as well - you just have to go to about:config and set network.http.sendRefererHeader to 0.


Don't put offsite images in secure searches.


These aren't really offsite images. ddgw.s3.amazonaws.com is a server instance run by DDG. It just happens to live in Amazon's cloud.


Yes, but the headers are sent in plaintext.



That was about the headers to the image server, which was not using HTTPS at the time, I believe?


No, they aren't.


Not any more but they were when that was written. See: http://news.ycombinator.com/item?id=1362122


I think you might be confusing S3 with EC2? I think "offsite images" is an apt description for stuff served from Amazon's web frontend to S3... DDG don't run it, they just upload the content to it.



