On Wed Sep 17 15:56:57 2014, [email protected] wrote:
> Hello sysadmins!
> 
> gnome-weather currently leaks user information to weather providers
> (noaa and yr.no), and it does that over http; details are available in
> https://bugzilla.gnome.org/show_bug.cgi?id=734048.
> 
> In that bug report it was decided to disable the weather search
> provider by default, so the leak would only happen when actively using
> gnome-weather.
> 
> To go further I have now created another bug report, following a
> suggestion in the initial report:
> 
> > So I think this bug can either be closed or kept open to track the
> > effort of trying to contact NOAA and yr.no asking for TLS or
> > implementing a GNOME hosted TLS proxy.
> 
> That's https://bugzilla.gnome.org/show_bug.cgi?id=736814.
> 
> So here I am, asking sysadmins how feasible it would be to have an
> https caching proxy to noaa and yr.no.
> 
> I'll update the bug report with the RT ticket number once I get it.

After reading the bug report again I have a few remarks:

1. This is probably going to fix the problem halfway, as the coordinates
between the GNOME servers and the providers themselves will still be unencrypted.
2. The only way to have the issue completely fixed would be looking for
providers offering TLS by default.
3. Reverse proxying all the requests by having the GNOME proxies as
intermediary machines will result in the GNOME Sysadmin Team being responsible
for the whole set of information that is transmitted between the GNOME servers
and the providers themselves, which is something we'd love not to do. As you may
be aware, we don't have a privacy policy as of today, and that makes things even
harder.
4. Am I correct that the coordinates transmitted between the user's PC and the
provider are the ones of the city the user can select from the app's menu and
do not refer precisely to the user's home/work location? If that's the case,
then the gnome-weather app is just going to transmit the coordinates of a
specific city and not the home/work location itself (which would be the case
for me to start worrying about my location being sniffed; additionally, if
someone is able to sniff my location it means they sit on the same network as I
do (like for the GUADEC example mentioned on the bug report [1]), and that just
means that I know where that person is already).

[1] https://bugzilla.gnome.org/show_bug.cgi?id=734048


-- 
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman


----------------------------------------------------
This message was sent via GNOME.org Request Tracker.