urlbot security improvements and suggestions
Opened on: Sunday, January 8, 2012 - 13:23
Last modified: Wednesday, January 11, 2012 - 23:51
A couple of suggestions have come up for changing urlbot and reducing security issues.
URLbot was designed to help IRC users reach URLs that are too long to read in Foldit's built-in IRC client. But there is an inherent security risk in going to a link that you cannot read. (Questions have also been raised about the security of using URL shorteners -- but that discussion may be found in the thread titled "No more bots!") Some suggestions have been made on how to limit the security risks, and I list them below. But first a word about URLbot design principles:
The guiding principle is that URLbot should be useful without being overly intrusive. It does not translate long IMAGE urls sent by clicking on the camera in the client, since these are already clickable. URLbot does not translate short URLs: unless the URL can be shortened by at least a few characters, it is ignored. It also does some link-checking, and warns if the URL appears malformed or unreachable. (It doesn't censor anything, though.)
I mention all of this because the following suggestions have a downside; they increase the verbiage that will come from the bot. The good news is that URLs are still a small fraction of our conversations, so the total "noise" level will still be small.
Two ideas have been raised:
"Split the URL."
What if URLbot splits the posted URL in such a way that it wraps in IRC? For 99+% of URLs, this might involve little more than adding a space after each slash. The IRC client will automatically wrap the results in a fairly readable way. Even folks who choose to use the tinyurl link would probably appreciate the security of being able to read the URL that they are being directed to. (I know that I would!) I expect that this readable version of the URL would follow the tinyURL.
"Teaching a noob to fish."
For links that come from the foldit site itself, what if I briefly explain how to reach the link in question? For instance:
Go to home page, click "Wiki" in the header and then ....
This could also follow or replace the tinyurl now being generated. I haven't really looked at how easy or hard this will be, but I believe it is doable. I would attempt to make the descriptions as dynamically generated as possible, to minimize the need to change code if the site is reorganized. This would also allow me to say things like "The link to puzzle 497 is near the bottom of the page."
I suppose I could make this a separate function, requestable with a command like
I don't imagine many would use this, though -- which means that the large amount of work this might require would have a very small payback.
A third possibility is bound to come up: "fix the IRC client!" This is a discussion for another thread. The devs would like nothing better than to fix everything and make everyone happy -- but in our imperfect universe, neither of those goals is something one should hold one's breath waiting for. :-) I'm sure that we all want the devs to concentrate on nifty folding features first -- especially if there is an easy workaround like URLbot that can stand in place of a coded solution to the URL wrap problem. So for this discussion, let's focus on what URLbot can do for us.
Comments? Suggestions? Other ideas?
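
The "Split the URL" idea above, sketched as an added example; this is not urlbot's actual code. It goes beyond the post by also handling the rare URL with a long slash-free segment and by prefixing the parsed host; the 30-character limit, the function names and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

MAX_CHUNK = 30  # assumption: longest run the chat window shows without clipping

def _break_long(part, max_chunk):
    """Break one over-long piece after ? & = - _ . and hard-cut as a last resort."""
    if len(part) <= max_chunk:
        return [part]
    out, current = [], ""
    for token in re.findall(r"[^?&=\-_.]*[?&=\-_.]|[^?&=\-_.]+", part):
        if current and len(current) + len(token) > max_chunk:
            out.append(current)
            current = ""
        current += token
        while len(current) > max_chunk:  # a single token with no delimiter at all
            out.append(current[:max_chunk])
            current = current[max_chunk:]
    if current:
        out.append(current)
    return out

def split_for_display(url, max_chunk=MAX_CHUNK):
    """Insert spaces so the client can wrap the URL; deleting them restores it."""
    pieces = []
    # The common case from the post: a break after each slash ("//" stays together).
    for part in re.findall(r"[^/]*/+|[^/]+", url):
        pieces.extend(_break_long(part, max_chunk))
    return " ".join(pieces)

def display_line(url):
    """Prefix the parsed host so the reader sees the destination first (an addition)."""
    host = urlsplit(url).hostname or "?"
    return f"[{host}] {split_for_display(url)}"

if __name__ == "__main__":
    # Constructed sample URLs, not taken from the original post.
    for sample in (
        "http://example.org/portal/node/991234",
        "http://example.org/search?query=puzzle_497&sort=newest&page=2&view=full",
        "http://example.org/files/" + "a" * 70,
    ):
        print(display_line(sample))
```

Because only spaces are inserted, a reader can compare the readable form character for character with the link they are about to follow.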