Edit: I had an example of displaying the IP address back to the user from my server, but it went over capacity in a few short minutes, so I took it down and removed the link. I am sure everyone gets the point, especially with a lot of the other examples provided by other HN users below.
works as well. the server isn't executing perl, it's just not escaping client input allowing you to add html tags to the result page.
edit: i should say - it's absurd that anyone can launch a website with this kind of vulnerability in 2015. every html rendering framework i've ever used/read about automatically sanitizes user input when generating the html. the only accidental way i can imagine someone doing this is building html from string concatenations...
edit2: for a simple challenge, try to embed other tags. like A or SCRIPT
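The escaping point made above, as an added example that is not part of the original thread and is not Hulbee's code: a small Node.js rendering routine that shows the concatenation pattern, a blocklist "patch" that strips only IMG tags, and the output-encoding fix. The `injectedTags` helper is a constructed check a defender could run over a response body; the sample query and all function names are assumptions.

```javascript
// Added example, not code from Hulbee or from the commenter: a Node.js server
// reflecting a search query into HTML. Assumed: server-side string templating;
// "query" is the user-controlled input the thread talks about.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Output encoding for HTML text content: every character that can open a tag,
// start an entity or end an attribute value is replaced by its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern the thread describes: markup built by concatenation.
function renderUnsafe(query) {
  return '<h1>Results for: ' + query + '</h1>';
}

// An "incomplete patch": a blocklist that strips only IMG tags. Every other
// element name passes through untouched.
function renderBlocklist(query) {
  const filtered = query.replace(/<img\b[^>]*>/gi, '');
  return '<h1>Results for: ' + filtered + '</h1>';
}

// The correct fix: encode at output time, whatever the input contains.
function renderSafe(query) {
  return '<h1>Results for: ' + escapeHtml(query) + '</h1>';
}

// Detection aid for a response-body check: list every element name in the
// rendered HTML that the template itself did not emit.
function injectedTags(html, templateTags = ['h1']) {
  const found = new Set();
  for (const match of html.matchAll(/<\/?([a-z][a-z0-9]*)\b/gi)) {
    const name = match[1].toLowerCase();
    if (!templateTags.includes(name)) found.add(name);
  }
  return [...found].sort();
}

// Constructed sample input: a search term that carries markup.
const SAMPLE_QUERY = 'privacy <img src="x"> <a href="https://example.invalid">link</a>';

console.log('unsafe   :', injectedTags(renderUnsafe(SAMPLE_QUERY)));
console.log('blocklist:', injectedTags(renderBlocklist(SAMPLE_QUERY)));
console.log('safe     :', injectedTags(renderSafe(SAMPLE_QUERY)));
```

Running it lists `a` and `img` as foreign elements for the unsafe render, only `a` for the blocklist version (the incomplete-patch situation described in the thread), and nothing for the escaped version. Encoding on output is the fix because it does not depend on guessing which tag names an input might carry.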
Edit: for context, the parent found an XSS issue. It was patched within a few hours. The patch was incomplete, and this one still worked. So, not only do they get it wrong for launch. When presented with an exploit they don't even patch the full vulnerability. I'll trust my data with someone who understands security, thank you very much.
Red herring. Serious bugs have been found in lots of respect-worthy software and service efforts. It just needs to be fixed. You are holding a toddler up to the standards of a pre-teen (which is the highest I'd put Google).
The question here is whether this is a respect-worthy effort at privacy protection.
EDIT: Flaws or holes have been found in Tor. Does that mean we reject the Tor effort outright? If anything, the holes found in Tor are more serious and fundamental, because they raise doubts about Tor's approach and whether their goal can ever be achieved. An HTML injection hole in Hulbee is simply an issue of incomplete execution of their vision, which may or may not be forgivable depending on the technical and non-technical circumstances (which none of us here know yet).
I would argue the Tor example is not a valid comparison. Tor is a very complex system. It has a vast attack surface for holes, especially if you ignore boundaries like assuming there is a globally omniscient adversary.
Contrastingly, websites sanitizing inputs has been done for quite some time; it is hardly new, difficult, or complex. It's fundamental. I would guess most people's answer is that this is not a sufficient effort to protect privacy or security.
You could log data about the user (example by captaincrunch in their updated comment), directly modify the way the page looks (e.g. a fake virus alert page) or simply redirect the user to any site you want.
It's bad on a 'normal' site, but even worse here given their target market.
This is not a bug, you are just uninformed: a platform that allows anybody to use anybodys machine for anything is the final business model in web 2.0. Everybody in the startup world is getting crazy about this.
BTW google is doing it, Mickysoft and Apple is doing it - only difference is that they try to maintain exclusive customer access to these features, but it does not work out always.
hulbee entering the scene as an unrestricted distributed code execution platform freely available for anybody will change everything!
It is not a bug, it is a feature (image search, that does not work too well).
When you place an IMG tag, it tries to find some results by that image (similar to Google's search by image->URL).
Try using an invalid reference or IFRAME SRC.
Edit: I stand corrected. They do embed poorly-filtered request text into the results page.
You lost my interest when I saw an ad manager in your HTML source: adannonce.com. I'll stick with DuckDuckGo thanks. You can't be privacy focused when you're already giving away data to a 3rd party.
Surely you could have afforded a better certificate than a C+ graded GoDaddy one? Sure, it's 2048-bit SSL, but that is quite the SSL chain for being privacy focused.
Offering advertising on a privacy focused search engine? Could work, but when you're marketing to privacy focused individuals, you've just lost them.
In the end, I'm from Canada, my connection routes through New York (like most North American connections). My privacy is still being abused by greater forces who likely have at least one of the private keys for one of the many certificates that make up that GoDaddy certificate, so I'll likely just stick with Google, or perhaps even DuckDuckGo.
> You lost my interest when I saw an ad manager in your HTML source: adannonce.com
Are you aware that adannonce.com belongs to Hulbee? Loading ads from adannonce.com should not bother you more than loading ads from hulbee.com. And the fact that it contains ads is no secret.
Please do your research before crying wolf in future.
While an SSL certificate from GoDaddy is not ideal, attacks are still detectable in theory by verifying the public key of Hulbee independently of the chain of trust.
What I personally would be more concerned about is the fact that DuckDuckGo is hosted by Amazon. As a US company, Amazon is required to collaborate with US three-letter agencies by law. Thus, whatever is hosted by Amazon is within reach of the NSA. In contrast, Hulbee is hosted in Switzerland on servers which are under physical control of Hulbee.
> Doesn't really matter where its hosted when most North American connections go through New York
Actually, it does matter. HTTPS is end-to-end encryption. An eavesdropper in New York would have to crack SSL in order to see anything meaningful beyond the fact that you exchanged some data with hulbee.com.
If you used a CA certificate to sign a new SSL cert for any popular domain, it'd be detected by certificate fingerprinting and you'd burn the CA. Not worth it over public networks.
> Surely you could have afforded a better certificate than a C+ graded GoDaddy one
It really doesn't matter what the CA cert is (I mean the CA infrastructure itself is kind of weak coughdiginotarcough) - what should matter more is configuring the server and the key size of the certificate.
I should note it's not hard to get an A+ on the test - I run a small source code hosting service and I have an A+ result from ssllabs.
gitlab has an A-/A and github has an A/A+ (yes - they are 2 different scores based on different servers).
These sites `appear` to be exactly the same, I wonder what the difference is other than the design, branding and domain.
I've been using https://swisscows.ch for almost 6 months now and was sharing it with my friends and family. Even made it the default on a lot of devices from friends and family. No negative feedback so far!
I also shared it with you: https://news.ycombinator.com/item?id=9628904
So far there are only one or two things that make me go back to google.com on rare occasions. On google "<search-term>" strictly gives me results with that term; that appears not to work similarly on hulbee/swisscows.
If only I could sort search results by date and `strip results older than x` I would have no more reason to "google".
What I really like about swisscows is the image and music search.
One question bugs me: How does it work? I mean the results have the same and sometimes even higher quality than google. BIG +: No self-/government-/geo-censored results like on google/bing, I can find so called "illegal URLs" (links that don't appear on the big sites like DMCAed links and results for certain stopwords)
#bug: There is a bug on Firefox on Android in the image search. Clicking results opens a modal window with the resulting image below the viewable region. Screenshot: http://i.imgur.com/KClGfUO.png
I've once done an informal "research", comparing some of the worst software sweatshops that I know against companies such as SpaceX. The metric used was the number of references to "innovation" and "innovative".
The results were very interesting. Highly recommended.
No. It's just that the word "innovative" spoken by a company is the dead canary that tells you the company is so full of bullshit that the methane vapours are creating a fire hazard.
I've always thought that when a company tells you that their product has some quality like safety or quality, instead of showing it to you with their product, it's likely that that's the extent of that quality in their product: the declaration.
Looks like it gives almost the same results as DuckDuckGo -- which is to be expected given DDG also uses Bing and Yandex. I like it a lot less, though, with the animations and ad on the side of the screen.
Hulbee can correlate the words "mt everest" to "Nepal," but it can't give me the actual answer. That's weak for an engine that claims to be "the first intelligent answer engine because it is based on semantic information recognition and offers users intuitive help in their search for answers."
Of course it is possible. But the forces that work against it are incredibly powerful.
Consider this: If before Wikipedia existed someone proposed to create an online encyclopedia that anyone in the world could anonymously edit, that it be funded by donations and that it become the encyclopedia that most people refer to, nearly 100% of us would have rolled on the floor and laughed out loud.
It might not even be possible if Google, Bing, Yandex had TOS that required the use of their ads networks (negating the point of it being funded by donations).
I'm too bad of a typist to use this. Intending to search for xcworkspace I typed wcworkspace. Google gracefully corrects me. Hulbee stares at the blank wall of no results. I want to like it, but if you want to replace my entrenched tools you've got to start by matching their basic functionality.
I could have sworn it also had an option to only allow HTTPS connections with error as fallback. But I guess I saw that in some other add-on. Sorry for the false information!
Yes to both, but I meant a search engine that only gives results which, themselves, use https. Either a standalone search engine or as a DDG or Google query flag, e.g.,
Frankly, I'm a fan of how those advertisements are tied into the site. Not flashy or obstructive, classy, embedded into the tile grid. No garbage tracking scripts loading, no plugins, just a simple colour image (from the same domain!!). If all ads were like that, I'd throw away my uMatrix and Adblock.
I use both in conjunction because AdBlock removes ads while simultaneously fixing the flow of the site, while uMatrix leaves gaps and holes in the site. But I need uMatrix to be safe from XSS (unfortunately, most websites include jQuery from a different domain, what a stupid practice). Also, uMatrix breaks a lot of sites (especially sites using content delivery networks on multiple domains) so if I really want to access the content, I open it in an incognito window and disable uMatrix temporarily on that site (it's tedious to figure out what exact request broke the site. I only do those manual exceptions for my most favourite sites). Like that, the site works but most of the tracking and the ads are still blocked ;)
Yes, it is sad that the state of the internet has degraded so much that this is necessary.
I ran adblock+noscript for many years for the same reason. That's why I am surprised you would want to deal with two extensions when you could just use umatrix. What "flow" does adblock fix?
Like I said, I have had a similar setup for probably a decade now. So no, I don't think that it is a sad state of affairs that adblock/noscript/uMatrix are necessary. Did the "state of sexual intercourse" need to degrade to a certain level in order for condoms to be necessary?
No, I don't want the "Collapse placeholder of blocked elements" uMatrix option activated because then, if a website embeds e.g. youtube videos or soundcloud songs I have no visual cue of their existence, whereas, if the option is disabled, I see it greyed out with a link that I can click to watch it in a separate window. I feel like our discussion is at this point a clash of personal preferences and would not like to continue. Have a nice day :)
it's ironic that QUFB's (gp) specific complaint includes that the ad appears "regardless of search term", despite that this is maximally privacy-preserving: the only thing it gives away is that you came from the search engine.
He would be happier if ads were served that had some connection - no matter what - with search terms! (To an immediate loss of some theoretical privacy, which is true even if referral links are not sent, simply by virtue of campaigns having some connection to searches.)
You make it seem as if the reason for your DDG preference is self evident. What is the big difference to you? Is it that the first result's info box is so far to the right?
Less bloat, instant results, lack of images nobody asked for, and yes, it doesn't waste screen space by trying to fit into a narrow noodle to the middle of the screen.
I prefer Hulbee for its in my opinion more appealing design. In particular, I like that the search results are in the center of the screen and not on the left half.
https://hulbee.com/?query=perl%20-e%20'print%20%22%3CIMG%20S...
Here is a screen shot for future reference: http://imgur.com/PkAGhqn