** Also affects: ubuntu-geoip (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: ubuntu-geoip (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: ubuntu-geoip (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: ubuntu-geoip (Ubuntu)
   Importance: Wishlist => Low

** Changed in: ubuntu-geoip (Ubuntu Trusty)
   Importance: Undecided => Low

** Changed in: ubuntu-geoip (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: ubuntu-geoip (Ubuntu)
       Status: Confirmed => Fix Committed

** Changed in: ubuntu-geoip (Ubuntu Xenial)
   Importance: Undecided => Low

** Changed in: ubuntu-geoip (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: ubuntu-geoip (Ubuntu Artful)
   Importance: Undecided => Low

** Changed in: ubuntu-geoip (Ubuntu Artful)
       Status: New => Triaged

** Description changed:

- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP.
- This can potentially be utilized by nation state adversaries to
- compromise user privacy. This service is called multiple times per day
- by the OS in order to track users.
+ Impact
+ ------
+ It's better to use https where we can. There were concerns about location 
leakage for users using a proxy (such as Tor).
+ 
+ Test Case
+ ---------
+ 
+ Regression Potential
+ --------------------
+ As long as Canonical maintains https://geoip.ubuntu.com, things should be 
fine here. Minimal fix.
+ 
+ 
+ Original Bug Report
+ -------------------
+ geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This 
can potentially be utilized by nation state adversaries to compromise user 
privacy. This service is called multiple times per day by the OS in order to 
track users.
  
  $ nc -zv geoip.ubuntu.com 80
  Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
  
  $ nc -zv -w 3 geoip.ubuntu.com 443
  nc: connect to geoip.ubuntu.com port 443 (tcp) timed out
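
Review bot: The added "Test Case" section is an empty heading, so the new description gives no steps for verifying the fix. Add concrete steps under it, for example repeating the "nc -zv -w 3 geoip.ubuntu.com 443" check kept in the Original Bug Report and stating that it should now succeed. The "Regression Potential" text depends on https://geoip.ubuntu.com staying available, so it would help to state there what happens for users if that endpoint cannot be reached.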

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ubuntu-geoip in Ubuntu.
https://bugs.launchpad.net/bugs/1617535

Title:
  geoip.ubuntu.com does not utilize HTTPS

Status in ubuntu-geoip package in Ubuntu:
  Fix Committed
Status in ubuntu-geoip source package in Trusty:
  Triaged
Status in ubuntu-geoip source package in Xenial:
  Triaged
Status in ubuntu-geoip source package in Artful:
  Triaged

Bug description:
  Impact
  ------
  It's better to use https where we can. There were concerns about location
  leakage for users using a proxy (such as Tor).

  Test Case
  ---------

  Regression Potential
  --------------------
  As long as Canonical maintains https://geoip.ubuntu.com, things should be
  fine here. Minimal fix.

  
  Original Bug Report
  -------------------
  geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This
  can potentially be utilized by nation state adversaries to compromise user
  privacy. This service is called multiple times per day by the OS in order to
  track users.

  $ nc -zv geoip.ubuntu.com 80
  Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!

  $ nc -zv -w 3 geoip.ubuntu.com 443
  nc: connect to geoip.ubuntu.com port 443 (tcp) timed out

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
