
Bug #256

Security warnings on site

Added by Matt Gold over 8 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: High
Assignee:
Category: BuddyPress (misc)
Target version:
Start date: 2010-05-26
Due date:
% Done: 0%
Estimated time:

Description

Hi All,

I just arrived in class and two students here told me that they tried to log into the Commons on Windows/IE and received repeated pop-up warnings saying that the Commons is a trusted site but that Gravatar is trying to become the trusted site. Haven't gotten much more detailed feedback than that, but if anyone can test it, I would appreciate it.

History

#1 Updated by Boone Gorges over 8 years ago

I'm sitting at a GC computer and I know the problem, but not the solution.

On GC computers, IE is set to treat any site with URL http://*.gc.cuny.edu as a "trusted site". One of the settings related to "trusted sites" on the GC's default install of IE is that it prompts the user when "websites in less privileged web content zones" attempt to "navigate into this zone". I take it that what's happening is that when the Commons requests a gravatar from http://gravatar.com but none is found, there is some sort of redirect happening that is triggering the prompt.

It's a problem that will only arise on GC computers, most likely.

The only way I can think of to fix it is to turn off gravatar.

#2 Updated by Matt Gold over 8 years ago

Wow. Thanks for your work on this, Boone.

Andre, is there any remote chance that we can get gravatar.com added to an IE whitelist?

#3 Updated by local admin over 8 years ago

Interesting. I too was able to replicate the error on IE. Here's my take on it, and mind you I'm not a desktop admin for GC so really have nothing to do with this.

Seems like an untrusted site (gravatar) is trying to access or open a resource on a trusted site (commons). How is gravatar trying to call a commons resource? I've no idea.

In this case I think the easiest solution would be to add gravatar.com to GC's list of trusted sites. Does that make sense to you all?

Alternatively, we can look deeper into the sequence here and try to understand exactly how/why gravatar is calling Commons' resources. I guess it's probably something to do with authentication, like checking to see if the Commons is a legit customer or something. How does this sound?

#4 Updated by local admin over 8 years ago

Matt Gold wrote:

Wow. Thanks for your work on this, Boone.

Andre, is there any remote chance that we can get gravatar.com added to an IE whitelist?

Not my domain. I have nothing to do with GC's desktop configurations, especially not Windows stuff.
But I can definitely try and help facilitate this.

#5 Updated by Matt Gold over 8 years ago

If you can give it a shot, Andre, I would really appreciate it. Don't worry about pushing it if you hit resistance.

If we can't get it whitelisted, we have two options: remove gravatar and receive complaints from people who have lost their avatars, or keep it and get complaints from people who can't access the site w/in the GC.

Given the lay of the land and the characteristics of our members -- many more people probably use IE than Gravatar -- I'd say that we should disable Gravatar if we can't get it whitelisted.

#6 Updated by local admin over 8 years ago

Matt Gold wrote:

If you can give it a shot, Andre, I would really appreciate it. Don't worry about pushing it if you hit resistance.

If we can't get it whitelisted, we have two options: remove gravatar and receive complaints from people who have lost their avatars, or keep it and get complaints from people who can't access the site w/in the GC.

Given the lay of the land and the characteristics of our members -- many more people probably use IE than gravatar -- i'd say that we should disable gravatar if we can't get it whitelisted.

No problem, I'll follow up on this.
But while I super appreciate your flexibility here, I'd say let's try and avoid disabling gravatars at any cost...

I'll strongly push for adding it to the "trusted sites" list, but if that doesn't work for any reason, or just takes too long (more likely), perhaps we can examine the entire flow of requests and try and fine-tune it if possible?

#7 Updated by Boone Gorges over 8 years ago

I agree that disabling Gravatar is not a very good solution. I'll look through to see if I can detect why Gravatar is being weird. It only appears to happen for users who don't have a gravatar, so maybe there's an application-level hack I can do to stop this from happening.

#8 Updated by Matt Gold over 8 years ago

Believe me, guys, I'd like to avoid disabling gravatar, too. Thanks to both of you for your efforts here.

#9 Updated by Boone Gorges over 8 years ago

OK, here's the deal.

BuddyPress constructs Gravatar URLs that look like this:
http://www.gravatar.com/avatar/8a097f4ac174895d79d8e0adab7cb1c1?d=http://commons.gc.cuny.edu/path-to-default-gravatar&s=50

The long alphanumeric string is a hash of the user's email address. The s=50 at the end is a size variable. The d= in the middle defines a default image to be used in case the user doesn't have a Gravatar. In cases where users have a gravatar, the image is served from gravatar.com as a normal remote image. But when a user does not have one (this is the weird and annoying part), gravatar requests the default image (which, in our case, is hosted in the commons.gc.cuny.edu BuddyPress directory) and acts as a proxy. So the "mystery man" image that is our normal default is stored on our server, grabbed by Gravatar, and served back to us before being served to the end user. I think the system is intended to be flexible, but it ends up being kind of stupid.

There's no great way to circumvent it. Here are a few options:
1) Don't specify a default. Then Gravatar will use its own default, which means it's not making a request of the Commons server. That's what I've done right now: at the beginning of bp-nelo/functions.php I added a filter that greps out the 'd' query arg. That's why you see a blue gravatar logo default right now. I am not at the GC, and I don't have a working copy of windows to test on, but I assume that right now the problem has been solved. Downside: we have to use the blue gravatar default, which is maybe not quite as nice as the mystery man.
2) Turn off Gravatar altogether. I did this for a second just to get a sense of how many people are using it - and the answer is that a lot of people are using it. I'm guessing 20-30% of our users. Bad option.
3) Try hosting the default image somewhere other than *.commons.gc.cuny.edu, which in theory would prevent the problem of a non-trusted site querying a trusted site during the trusted site load. The downside of this is that it's just plain weird to have to store something on a remote server for this sort of stupid reason.

Thoughts?

(BTW I am not going to be around to troubleshoot this problem anymore starting tomorrow. If you want to turn off the filter that is causing the blue image to load, go to bp-nelo/functions.php and comment out the add_filter stuff on line 11.)
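The mechanism Boone describes in the comment above, as an added example that is not the Commons' own bp-nelo/functions.php filter: the first function builds the URL exactly as described (md5 of the normalised e-mail, `d=` pointing at a Commons-hosted default, `s=` size), the second drops the `d=` argument so gravatar.com has nothing to fetch from *.gc.cuny.edu and falls back to its own default, and the filter callback applies that to the `<img>` markup. The hook name `bp_core_fetch_avatar` is BuddyPress's filter on the avatar HTML; the `commons_*` function names, the sample e-mail address and the sample paths are assumptions made for illustration, not names from the project.

```php
<?php
/*
 * Added example, not the Commons' own code. Assumed: the avatar <img>
 * markup passes through BuddyPress's 'bp_core_fetch_avatar' filter;
 * the commons_* names and the sample e-mail/paths below are invented.
 */

/** Build a Gravatar URL: md5 of the normalised e-mail, d= default, s= size. */
function commons_gravatar_url( $email, $default_img, $size = 50 ) {
    $hash = md5( strtolower( trim( $email ) ) );
    return 'http://www.gravatar.com/avatar/' . $hash . '?' .
        http_build_query( array( 'd' => $default_img, 's' => $size ) );
}

/** Remove d= from a gravatar.com URL; any other URL is returned unchanged. */
function commons_strip_gravatar_default( $url ) {
    $parts = parse_url( $url );
    $host  = isset( $parts['host'] ) ? strtolower( $parts['host'] ) : '';
    if ( $host !== 'gravatar.com' && substr( $host, -13 ) !== '.gravatar.com' ) {
        return $url; // locally uploaded avatar: nothing to rewrite
    }
    $args = array();
    if ( isset( $parts['query'] ) ) {
        parse_str( $parts['query'], $args );
    }
    unset( $args['d'] ); // gravatar.com no longer proxies our default image
    $rebuilt = ( isset( $parts['scheme'] ) ? $parts['scheme'] . '://' : '//' )
             . $parts['host']
             . ( isset( $parts['path'] ) ? $parts['path'] : '' );
    if ( ! empty( $args ) ) {
        $rebuilt .= '?' . http_build_query( $args );
    }
    return $rebuilt;
}

/** Rewrite the src attribute of the <img> tag BuddyPress hands to the filter. */
function commons_strip_default_from_avatar_html( $html ) {
    return preg_replace_callback(
        '/\bsrc=(["\'])([^"\']*)\1/i',
        'commons_rewrite_src_match',
        $html
    );
}

function commons_rewrite_src_match( $m ) {
    // Attribute values carry &amp; entities; decode before parsing, re-escape after.
    $url = html_entity_decode( $m[2], ENT_QUOTES );
    $url = commons_strip_gravatar_default( $url );
    return 'src=' . $m[1] . htmlspecialchars( $url, ENT_QUOTES ) . $m[1];
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: hook the rewrite onto BuddyPress's avatar output.
    add_filter( 'bp_core_fetch_avatar', 'commons_strip_default_from_avatar_html' );
}

if ( PHP_SAPI === 'cli' ) {
    // Stand-alone check, run with `php this-file.php` outside WordPress.
    $before = commons_gravatar_url( 'student@example.edu',
        'http://commons.gc.cuny.edu/path-to-default-gravatar', 50 );
    echo "before: $before\n";
    echo "after:  " . commons_strip_gravatar_default( $before ) . "\n";
    echo "local:  " . commons_strip_gravatar_default(
        'http://commons.gc.cuny.edu/wp-content/uploads/avatars/1/photo.jpg' ) . "\n";
    echo commons_strip_default_from_avatar_html(
        '<img src="' . htmlspecialchars( $before, ENT_QUOTES ) . '" alt="" />' ) . "\n";
}
```

The host check is deliberately strict about `gravatar.com` and its subdomains so that avatars members uploaded to the Commons itself are never touched, and the `s=` size argument survives the rewrite; only the `d=` argument is dropped. Note that the md5 of each member's e-mail address is still sent to gravatar.com by every avatar request whether or not `d=` is present; removing the default only stops gravatar.com from making its own request back to the Commons, which is the part that crosses IE's zone boundary.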

#10 Updated by Matt Gold over 8 years ago

Of all the possible solutions available to us right now, I think you chose the most elegant and least disruptive one. If it motivates people who haven't chosen an avatar (or a gravatar) to get one, so much the better. But at least people won't lose their avatars and others won't be hassled as they visit the site.

When you come back, maybe you could work on this again, but for the next month, I think this is great. Again, thanks so much for your great work here.

#11 Updated by Matt Gold over 8 years ago

  • Status changed from Assigned to Hold
  • Assignee changed from Zach Davis to Boone Gorges

#12 Updated by Matt Gold over 8 years ago

  • Category name changed from WordPress (misc) to BuddyPress (misc)

#13 Updated by local admin over 8 years ago

Boone Gorges wrote:

Thoughts?

Really funny and interesting issue! Who said IE wasn't secure heh ;-)

Not sure what the desktop admins' philosophy is on adding sites to the trusted list but it seems workable to me, unless I'm missing some angle. Gravatar.com is a pretty reputable service so I don't see the big harm. Looking forward to consulting my colleagues on this...

Tested the filter work-around and worked for me, although I was running IE via Citrix XenApps which itself can be weird! Will re-test on Monday.

#14 Updated by Boone Gorges over 8 years ago

What's the status of this issue?

André, have you had a chance to talk to the GC desktop folks about having us added to the trusted sites list?

Or, alternatively, has everyone adjusted to seeing the blue Gravatar logo throughout the Commons? Can we accept this as a resolution for the issue?

#15 Updated by Matt Gold over 8 years ago

Or, alternatively, has everyone adjusted to seeing the blue Gravatar logo throughout the Commons? Can we accept this as a resolution for the issue?

If possible, it would be great to reserve that as an alternative only if we're unable to adjust the trusted sites list. André, please let us know what you think when you can.

#16 Updated by local admin over 8 years ago

Boone Gorges wrote:

André, have you had a chance to talk to the GC desktop folks about having us added to the trusted sites list?

Haven't had a chance to address this yet. Upon reflection it seems to me like we'd have better flow addressing this issue from a GC user's perspective rather than a Commons dev's as I proposed earlier. If a GC user finds this annoying he/she can always create a ticket for that, and I'll advocate based on a user's request rather than from my position as a Commons dev.

#17 Updated by Matt Gold over 8 years ago

Hi André,

Well, this ticket is the result of two GC grad students running into this problem and complaining about it (they were both members of the ITP class I was co-teaching with Steve). If you need their names, I can give them to you, but I'm not sure that's necessary -- we should be able to advocate for them based on the original complaint.

It's true that we've found a workaround to partially address the original complaint, but it's one that leaves our team unsatisfied.

It sounds like you feel a little uncomfortable bringing this up; would it be better if George or I brought it up ourselves?

Best,

Matt

#18 Updated by Sarah Morgano over 8 years ago

I've also had complaints from people at SPS who work at the Grad Center. I could generate a ticket with the Helpdesk tomorrow if that would be helpful. Would you mind if I posted an update to the group suggesting that members use FireFox? If you guys would prefer this information not be public I could send each member a private message instead of posting an update.

Best,

Sarah

#19 Updated by Matt Gold over 8 years ago

Hi Sarah,

How recent are the complaints you're referring to? And what were they, exactly? Our workaround should have prevented the previous problem from coming up again.

Generally, I prefer not to tell people what browsers they should use -- that reeks of 1996 websites that had banners in their footers saying "Best viewed with Netscape 2.6".... If people bring it up to you as a problem, then I'd say that you should recommend Firefox, but a large-scale announcement is probably not necessary.

Again, please let us know what complaints you've been hearing. And if they're different than what's above, please start a new ticket. Thanks!

Matt

#20 Updated by Sarah Morgano over 8 years ago

No worries, I won't post an update. The complaints were actually from about a month ago. I've been using Firefox because of Sharepoint compatibility issues so I will check the site tomorrow with IE and if that warning comes up then I'll generate a ticket.

Best,

Sarah

#21 Updated by Matt Gold over 8 years ago

André, when you have a chance, can you address my questions in comment 17 above? What path would you advise us to take in order to make some progress here?

#22 Updated by local admin over 8 years ago

Matt Gold wrote:

André, when you have a chance, can you address my questions in comment 17 above? What path would you advise us to take in order to make some progress here?

Given that it isn't really a server-side issue, I advise for filing a support ticket with GC's help-desk. Sarah's offer is most helpful.

Turn the custom default avatar back on and take it from there.

#23 Updated by Matt Gold over 8 years ago

Okay -- thanks, André.

Sarah, would you be willing to submit that ticket as a user of the Commons? It would be great if you could tell them that you brought the problem to our attention, and we made a temporary fix, but that we told you that the problem remains and that they should check in with me at my GC address ( mgold AT gc dot cuny dot edu )

I make this suggestion because I'd prefer not to turn the custom default avatar back on until the GC is ready to troubleshoot the problem.

#24 Updated by Boone Gorges over 8 years ago

Bumping this. Has anyone talked to the GC help desk?

#25 Updated by Boone Gorges over 8 years ago

  • Target version set to Not tracked

#26 Updated by Boone Gorges almost 5 years ago

  • Status changed from Hold to Resolved

We've had the current default avatar for several years now with no negative feedback (that I know of). I'm going to mark this one as Resolved. If someone disagrees and wants to start the necessary conversations with GC IT, please feel free - though I should note that whitelisting Gravatar for the GC doesn't guarantee that the same issue won't arise at other campuses. For this reason, it seems wise to go with the default-avatar setup we've currently got.
