Where does the "_sm_byp" query parameter come from?

Discussion in 'privacy problems' started by gorhill, Apr 15, 2014.

Thread Status:
Not open for further replies.
  1. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    745
    Location:
    Canada
    If one searches for "_sm_byp" in any search engine, quotes included, countless unrelated URLs are returned, and they all feature this query parameter.

    I have been unable to trace its origin. Does anybody have an idea where it comes from?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
  3. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    745
    Location:
    Canada
    Actually, it is because of this entry that I started trying to figure out what this parameter is. Somebody had answered that it was my extension adding this parameter, which of course is nonsense (anybody can verify this, and anyway, my extension was first released in September 2013 and the question dates back to February 2013). I asked on HN, and still no specific answer: https://news.ycombinator.com/item?id=7594477, aside from that it appears to involve Google.
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    You'd have to elaborate on that before I could be sure we're on the same page. FWIW, I found all three messages in that thread helpful in terms of getting a picture, and that picture seemed consistent with https://serverfault.com/questions/417367/how-can-i-make-squid-provide-authentication-credentials-to-zscaler. Wish I had such a setup to play with. I'd like to see a bit more [recent], including what comes out the other side of the proxies. Wouldn't want to be a user though ;)

    Colon? In a filename?!
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    @TheWindBringeth

    I'm glad that you're getting a picture about "_sm_byp" :) Me, I'm still confused :(

    Who is adding that tag, do you think? Is it Google? What does it accomplish for them and/or their associates/clients? And what does it do on users' computers?

    Thanks :)
     
  8. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    @Sadeghi85

    Thanks :)

    OK, there's this company Zscaler and their "cloud solutions". But what are they doing that generates so many URLs with these tags?
     
  10. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    From @TheWindBringeth's post #6 serverfault link:
    They do some kind of authentication with _sm_au_X in the URL, which will then set a cookie. "_sm_byp" in the URL probably bypasses that procedure.

    Kind of like Google's mod_pagespeed for Apache and the "?Modpagespeed=noscript" bypass in the URL.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    In that example I linked to, you can see gateway.zscaler.net adding ?_sm_byp=XXXX to the original URL to form a 307 redirect with Location: http://www.addictinggames.com/?_sm_byp=XXXX. The connection with gateway.zscaler.net was HTTPS and tunneled through the local 10.70.0.10 proxy at the time that redirection response was returned to the curl client.

    The curl client then issued a request for http://www.addictinggames.com/?_sm_byp=XXXX which the local proxy processed without redirects. Looks to me as though it passed the request on (with or without the ?_sm_byp=XXXX we can't know) to the intended destination.

    Assuming logging was enabled in the local proxy, URLs that were processed in that way would be easily identified and could trigger an alert. The local proxy could, if so configured, easily block URLs processed in that way too.
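
Added example, not part of the thread: one way to do the log check described in post #11, assuming the local proxy writes Squid's native access.log format. The log lines, client addresses and hostnames are constructed, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample in Squid's native access.log layout (assumed format):
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1397560000.123    210 10.70.0.21 TCP_MISS/200 5120 GET http://www.example.com/?_sm_byp=XXXX - DIRECT/192.0.2.10 text/html
1397560001.456     95 10.70.0.22 TCP_MISS/200 2048 GET http://www.example.org/news?id=7 - DIRECT/192.0.2.11 text/html
1397560002.789    130 10.70.0.21 TCP_MISS/200 1024 GET http://www.example.net/a?x=1&_sm_au_X=YYYY - DIRECT/192.0.2.12 text/html
1397560003.000     80 10.70.0.23 TCP_MISS/200  900 GET http://www.example.com/docs/_sm_byp_notes.html - DIRECT/192.0.2.10 text/html
"""


def is_marker(name):
    """True for the parameter names discussed in the thread."""
    return name == "_sm_byp" or name.startswith("_sm_au_")


def marker_params(url):
    """Marker parameter names found in the URL's query string only."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [k for k, _ in pairs if is_marker(k)]


def strip_markers(url):
    """Rebuild the URL without marker parameters (query is re-encoded)."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_marker(k)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def scan(log_text):
    """Return (client, marker names, URL without markers) per flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # malformed or truncated line
            continue
        client, url = fields[2], fields[6]
        found = marker_params(url)
        if found:
            hits.append((client, found, strip_markers(url)))
    return hits


if __name__ == "__main__":
    for client, found, original in scan(SAMPLE_LOG):
        print(f"ALERT client={client} markers={found} original_url={original}")
```

Matching on parsed parameter names rather than a substring keeps the last sample line, where the string only appears in the path, from raising an alert. HTTPS requests logged as CONNECT carry only host and port, so their query strings are not visible to this check.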
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,025
    OK, let's see if I get it.

    There's a client browser behind a web filter handled by Zscaler. It wants http://www.addictinggames.com/. The web filter decides that the URL is OK, and redirects, with "?_sm_byp=XXXX" added to the URL. Subsequently, said browser can access the modified URL without triggering the web filter.

    Is that correct?

    Is there a cookie involved? If so, where does it get created? In the client browser, or in the web filter?
     