I think there's another way to get the users' IP. Can be done through server-side scripts if the content-type of the gadget is URL.

On Tue, Feb 26, 2008 at 10:59 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:

> If a gadget wants to leak the user's IP, all it needs to do is create
> an img tag pointing to another server. Not sending the IP address
> with requests forwarded through gadgets.io.makeRequest() provides no
> privacy benefit.
>
> On Tue, Feb 26, 2008 at 8:27 AM, Akash Xavier <[EMAIL PROTECTED]> wrote:
> > Oh!
> > If it's for geo-location purposes, ok, there's another way around.
> > We'll let the container use the IP to tell the gadget where the user is
> > from. So instead of passing the IP, the geo-location can be passed directly.
> > Of course, it proves financially expensive for the container site. But anyone
> > who wants gadgets to get some geo-location data, might of course try to give
> > away geo-location data directly instead of the IP. There's no perfect
> > method. But we need to protect the user's privacy too by not offering the IP
> > directly.
> >
> > On Tue, Feb 26, 2008 at 9:31 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> > > Two comments.
> > >
> > > - what use would a hashed IP address be to anyone? I think the
> > > original request was for the IP address for geolocation purposes, and
> > > then I chimed in saying we should have it to help respond to abuse
> > > complaints. A hash of the IP is not useful for either purpose.
> > >
> > > - don't use straight md5 or sha1 to obfuscate something with low
> > > entropy like an IP address. You need a salt, at least, or probably an
> > > HMAC or even a one-time pad depending on your goals. If you use an
> > > unsalted hash then building up a dictionary mapping from the hash to
> > > the original IP is easy.
> > >
> > > On Tue, Feb 26, 2008 at 1:53 AM, Akash Xavier <[EMAIL PROTECTED]> wrote:
> > > > Hi everyone!
> > > > Perhaps, we solve this by a different solution. I don't know whether I am
> > > > right but I think this can be done.
> > > > The container can set a cookie which contains the value of the ip address of
> > > > the viewer in some encrypted form (like something md5 or sha1 value of the
> > > > IP), this can be done by the server side script (whatever language, java or
> > > > php).
> > > > This value can then be passed to the app's server by the javascript when
> > > > making the call to the app's server for some data.
> > > >
> > > > IMO an encrypted value is enough. I think server-side encryption is the
> > > > solution to protect the user's privacy (and also from gadget authors
> > > > exploiting their IP data).
> > > >
> > > > On Tue, Feb 26, 2008 at 7:35 AM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> > > > > Actually, you're right -- we won't be forcing images through a proxy most
> > > > > likely, so they could always use that vector if they really wanted to
> > > > > steal IPs.
> > > > >
> > > > > On Mon, Feb 25, 2008 at 5:57 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> > > > > > On Mon, Feb 25, 2008 at 5:47 PM, Kevin Brown <[EMAIL PROTECTED]> wrote:
> > > > > > > Caja will eliminate this in the long run (as well as my other proposed
> > > > > > > way to steal the IP).
> > > > > >
> > > > > > I'm not sure I believe this. In theory, sure. In practice I suspect
> > > > > > that a policy that prevented the IP address from leaking in any
> > > > > > possible way would also make it very difficult to write cool gadgets.
> > > > > >
> > > > > > I hope to be proved wrong, though.
> > > > > >
> > > > > > Cheers,
> > > > > > Brian
> > > > >
> > > > > --
> > > > > ~Kevin
> > > > >
> > > > > If you received this email by mistake, please delete it, cancel your mail
> > > > > account, destroy your hard drive, silence any witnesses, and burn down the
> > > > > building that you're in.
> > > >
> > > > --
> > > > Akash Xavier
> > > > [EMAIL PROTECTED]
> >
> > --
> > Akash Xavier
> > [EMAIL PROTECTED]

--
Akash Xavier
[EMAIL PROTECTED]
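
Added example, not part of the thread: the point in the quoted 9:31 PM message about unsalted hashes of low-entropy values, shown in Python next to a keyed HMAC. The sample address, the /24 range, the guessed key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets


def unsalted_token(ip: str) -> str:
    """The scheme proposed in the thread: a plain SHA-1 of the IP string."""
    return hashlib.sha1(ip.encode()).hexdigest()


def keyed_token(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the IP under a key that only the container holds."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def build_dictionary(network: str, token_fn) -> dict:
    """Precompute token -> IP for every address in a network.

    Anyone can do this for an unkeyed hash. All of IPv4 is only 2**32
    inputs, so the whole space can be tabulated the same way.
    """
    return {token_fn(str(ip)): str(ip) for ip in ipaddress.ip_network(network)}


def demo():
    viewer_ip = "198.51.100.23"          # constructed sample (TEST-NET-2)
    key = secrets.token_bytes(32)        # container-side secret, never sent out

    # Unsalted hash: the receiving server looks the token up and gets the IP.
    table = build_dictionary("198.51.100.0/24", unsalted_token)
    recovered_weak = table.get(unsalted_token(viewer_ip))

    # Keyed HMAC: without the key, a table built under a guessed key
    # does not contain the token the container issued.
    guessed = build_dictionary(
        "198.51.100.0/24", lambda ip: keyed_token(ip, b"guessed-key"))
    recovered_keyed = guessed.get(keyed_token(viewer_ip, key))

    return recovered_weak, recovered_keyed


if __name__ == "__main__":
    print(demo())
```
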

