Andrea Veri via RT wrote:
> On Wed Sep 17 18:43:32 2014, [email protected] wrote:
> > Andrea Veri via RT wrote:
> > 
> > > 1. this is probably going to fix the problem half way as the
> > > coordinates between the GNOME servers and the provider themselves
> > > will still be unencrypted.
> > >
> > > 2. the only way to have the issue completely fixed would be looking
> > > for providers offering TLS by default.
> > 
> > I believe this will nevertheless quite improve the situation as the
> > results can be cached.
> 
> We aren't discussing performance of the service on this ticket but
> the security of it instead from what I've understood. Security
> speaking this change won't improve the current situation at all, a
> few questions:

Caching is not there for performance reasons but to disassociate the
user request from the request going to the weather services.


> 1. the city registered on the gnome-weather app (which might be
> different from the real location of the user)

The cities, plural.


> what it can't sniff:
> 
> 1. the location of the home/flat of the user that made the request
> 2. the name / surname of the user
> 
> I honestly would be scared about someone being able to sniff my
> name/surname/home address information but those details alone are
> definitely useless as the sniffer can't build such combination of
> details on its own. And can we even consider it a breach of the
> privacy of our users? I honestly don't think so as the app itself
> just provides the coordinate of a city, what else?

If you take my personal history as a user of gnome-weather, it's
possible for the weather provider (or any person in between, as it's
currently HTTP) to create a trail of my various locations.  I would
much prefer to have HTTPS and a service policy assuring me there is no
data retention.


> As an example:
> 
> """The user is not safe even if you don't have geolocation. right now in the
> GUADEC wifi I can sniff the traffic and see everyone's home/work coordinates.
> Combined with some more data mining techniques I could attach this information
> to individuals. This is no good."""
> 
> What data mining techniques are we talking about? Probably the fact he
> personally knows certain people and might be able to guess the city foo is
> located in Italy or Germany?
> 
> I'm also CCing him on this thread as he was the original bug reporter.

fwiw I don't see anybody in the CC.


        Fred
_______________________________________________
gnome-infrastructure mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-infrastructure