Safety of http requests via Zotero Connector and "Add item(s) by Identifier"

I would like to know the safety of HTTP requests for retrieving article metadata during the "Save to Zotero" process by Zotero Connector and the "Add item(s) by Identifier" process in the Zotero desktop app. I read the Zotero security and privacy policy documents, and understood that data generated by use of the application are safely managed. However, I have a security concern about retrieving metadata. I briefly read the README.md of Zotero Connector and learned that HTTP (as far as I know, not encrypted) requests are used for interaction. I am worried that someone could know which articles we request and read. This information is important for legal entities that have research projects not yet published. This is my concern; but I am not a web engineer and am not familiar with methods including HTTP. Thus, I would like to know the safety relating to what article data are retrieved. Thank you. (non-native)
  • I briefly read README.md of Zotero Connector and knew http (as far as I know, not encrypted) requests are used for interaction.
    No, that's only to talk to the local Zotero app. Local HTTP communication on a system is always unencrypted. There's no security risk there.

    For Add Item by Identifier, almost everything uses HTTPS, with one notable exception: the Library of Congress ISBN lookup service, which unfortunately seems to still be available only via HTTP. (Years ago I asked someone who works there whether they might make that available via HTTPS, but it never happened.) It's possible LoC has a newer API that we could switch to — someone here might know better. We'd certainly switch to HTTPS if it were possible.

    But in the meantime, the only concern in terms of unencrypted HTTP would be that lookup requests for ISBNs would be visible if someone were monitoring your network connection.
  • Thank you very much for correcting my misunderstanding and providing valuable information about HTTP in the lookup service. I understood that local HTTP communication with the local Zotero app is safe and that only HTTP is available for the Library of Congress ISBN lookup service. If possible, let me check whether I understood correctly:
    (Safe) Retrieving metadata via Zotero Connector;
    (Safe) Add Item by Identifier using DOI or PMID in local Zotero app;
    (Risky) Add Item by Identifier using ISBN in local Zotero app.
    Are these understandings correct?
  • That depends on what you mean by "Risky" -- as dstillman says, the only risk is that someone who is already intercepting your web traffic would be able to tell which ISBNs you're looking up (and that you're using Zotero). As internet risks go, that would seem to be fairly low on the scale of things to worry about, but YMMV.
  • It's possible LoC has a newer API that we could switch to — someone here might know better.
    I doubt it. SRU is already supposed to be the next-gen general API, so likely no (and there's nothing about the service that doesn't allow https: K10+'s SRU is https, e.g.)
  • I got that adding item by ISBN has the limited risk that trackers who are already intercepting me would be able to know what ISBNs I am looking up. I really appreciate your help!
  • I've reached out again to our contact at Library of Congress to see if there's any chance of getting an HTTPS endpoint for that API.
  • Finally heard back that LC added an HTTPS SRU endpoint, so we've now switched to that.
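As an added example, not code from this thread or from Zotero itself, the following Python audit makes the distinction the replies draw concrete: a loopback request never leaves the machine, an HTTPS lookup exposes only the server name to an on-path observer, and a plain-HTTP lookup exposes the identifier being looked up. The endpoint URLs are constructed placeholders, not Zotero's real ones.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Constructed sample endpoints (placeholders, not Zotero's actual URLs):
# a loopback connector-style request, an HTTPS lookup and a plain-HTTP lookup.
SAMPLE_REQUESTS = [
    "http://127.0.0.1:23119/connector/ping",
    "https://lookup.example.org/works?doi=10.1000/xyz123",
    "http://sru.example.org/search?query=isbn%3D9780000000000",
]


def is_loopback_host(host: str) -> bool:
    """True for localhost and loopback IPs: such traffic stays on the machine."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def observer_view(url: str) -> dict:
    """What a passive observer on the network path could learn from one request.

    loopback: nothing, the packets never reach the network.
    https:    the server name (via DNS / TLS SNI), but not the path or query.
    http:     host, path and every query parameter, all in cleartext.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_loopback_host(host):
        return {"transport": "loopback", "visible": {}}
    if parts.scheme == "https":
        return {"transport": "https", "visible": {"host": host}}
    if parts.scheme == "http":
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        return {"transport": "http",
                "visible": {"host": host, "path": parts.path, "query": params}}
    raise ValueError(f"unsupported scheme in {url!r}")


def cleartext_lookups(urls):
    """Return the requests whose identifiers (DOI, ISBN, ...) travel unencrypted."""
    return [u for u in urls if observer_view(u)["transport"] == "http"]


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(u, "->", observer_view(u))
    print("cleartext lookups:", cleartext_lookups(SAMPLE_REQUESTS))
```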