<div dir="ltr">Hey everybody, I want to announce that our server is up again.<div><br></div><div>Thank you all for your suggestions, we're opening issues for each one in the Github repository.</div><div><div>I want to thank <span style="font-size:12.8px;font-weight:bold;white-space:nowrap">David Fifield </span><span style="font-size:12.8px;white-space:nowrap">for reporting us the security issue.</span><br></div><div><span style="font-size:12.8px;white-space:nowrap"><br></span></div><div><span style="font-size:12.8px;white-space:nowrap">Regarding the stored website's url information, we're evaluating the insertion of a checkbox that allows the user to choose if he/she wants to send it or not.</span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-03-15 18:47 GMT+01:00 Philipp Winter <span dir="ltr"><<a href="mailto:phw@nymity.ch" target="_blank">phw@nymity.ch</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, Mar 10, 2017 at 06:25:04PM +0100, Massimo La Morgia wrote:<br>
> On Fri, Mar 10, 2017 at 5:39 PM, David Fifield <<a href="mailto:david@bamsoftware.com">david@bamsoftware.com</a>> wrote:<br>
</span><span class="">> > Your extension reports not only the onion domains that it<br>
> > finds, but also the URL of the page you were browsing at the time:<br>
> > var onionsJson = JSON.stringify({onions:onions, website:<br>
> > window.location.href});<br>
> > You need to at least inform your research subjects/users what of their<br>
> > private data you are storing and what you are doing with it.<br>
><br>
> As you can see from the source code we are not storing any sensitive data<br>
> like ip or users information. do you think that only URL page can damage<br>
> user privacy?<br>
<br>
</span>Yes, web applications encode sensitive information in URLs all the time.<br>
Usernames, passwords, personal preferences, you name it. Even just the<br>
page's domain name reveals a lot about you -- think about somebody<br>
visiting <a href="http://google.it" rel="noreferrer" target="_blank">google.it</a> versus <a href="http://google.dk" rel="noreferrer" target="_blank">google.dk</a>.<br>
<div class="HOEnZb"><div class="h5">______________________________<wbr>_________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>dev</a><br>
</div></div></blockquote></div><br></div>