[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
This bug was fixed in the package ubuntu-geoip - 1.0.2+14.04.20131125-0ubuntu2.16.04.1

---
ubuntu-geoip (1.0.2+14.04.20131125-0ubuntu2.16.04.1) xenial; urgency=medium

  [ Jim Campbell ]
  * Use https for geoip.ubuntu.com/lookup URL (LP: #1617535)

 -- Jim Campbell Fri, 16 Mar 2018 19:26:42 +

** Changed in: ubuntu-geoip (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to ubuntu-geoip in Ubuntu.
https://bugs.launchpad.net/bugs/1617535

Title:
  geoip.ubuntu.com does not utilize HTTPS

Status in ubuntu-geoip package in Ubuntu:
  Fix Released
Status in ubuntu-geoip source package in Trusty:
  Triaged
Status in ubuntu-geoip source package in Xenial:
  Fix Released
Status in ubuntu-geoip source package in Artful:
  Won't Fix

Bug description:
  Impact
  ------
  It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor).

  Test Case
  ---------
  1) Install patches / patched package
  2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default:
     `$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup`
     `$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default).
  3) Confirm that the correct location is being retrieved by the Ubuntu geoip service:
     apt install geoclue-examples
     and then geoclue-test-gui
     . . . should show correct location information.

  Regression Potential
  --------------------
  As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix.

  Original Bug Report
  -------------------
  geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.

  $ nc -zv geoip.ubuntu.com 80
  Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
  $ nc -zv -w 3 geoip.ubuntu.com 443
  nc: connect to geoip.ubuntu.com port 443 (tcp) timed out

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
FWIW, we have the patch for Trusty, and I can test it, but I know that Trusty will reach EOL in less than four months. I will leave it at your discretion as to whether to go forward with the update for Trusty.

Also, I thanked Brian for getting the Xenial update into Proposed, but forgot to thank Sebastian for his help, too. Thanks to both. : )
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
$ apt-cache policy geoclue-ubuntu-geoip
geoclue-ubuntu-geoip:
  Installed: 1.0.2+14.04.20131125-0ubuntu2.16.04.1
  Candidate: 1.0.2+14.04.20131125-0ubuntu2.16.04.1

Test #1 - Passed - URL includes https on first check
$ gsettings get com.ubuntu.geoip geoip-url
'https://geoip.ubuntu.com/lookup'

Test #2 - Passed - Reset the gsettings key & the URL value still includes https
$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url
'https://geoip.ubuntu.com/lookup'

Test #3 - Passed - geoclue-examples application shows my correct location information
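The check from test case step 2, as an added example that is not part of the original messages or of the ubuntu-geoip package: it classifies the quoted string that `gsettings get` prints and reads the schema default without running `gsettings reset`, so a per-user override that still points at `http://` is reported rather than wiped. The function names are hypothetical, and reading the default relies on GIO's `GSETTINGS_BACKEND=memory` setting.

```shell
#!/bin/sh
# Added example: non-destructive variant of step 2 of the thread's test case.
# Function names are hypothetical; schema, key and URL come from the thread.

EXPECTED_URL='https://geoip.ubuntu.com/lookup'
SCHEMA='com.ubuntu.geoip'
KEY='geoip-url'

# gsettings prints string values in GVariant text form, wrapped in single
# quotes (as in the verification output above). Strip one pair of them.
unquote_gvariant() {
    printf '%s\n' "$1" | sed -e "s/^'//" -e "s/'\$//"
}

# Classify one value of the geoip-url key. Prints one of:
#   ok          exactly the URL the test case expects
#   plaintext   an http:// URL, i.e. the lookup would go out unencrypted
#   other-host  https, but not to geoip.ubuntu.com
#   unexpected  anything else (empty, wrong path, other scheme)
classify_geoip_url() {
    url=$(unquote_gvariant "$1")
    case "$url" in
        "$EXPECTED_URL")            echo ok ;;
        http://*)                   echo plaintext ;;
        https://geoip.ubuntu.com/*) echo unexpected ;;
        https://*)                  echo other-host ;;
        *)                          echo unexpected ;;
    esac
}

# Report both the effective value and the schema default.
# With GSETTINGS_BACKEND=memory GIO uses an empty in-memory store, so the
# second call returns the default shipped by the package, ignoring any
# per-user override. Nothing is reset or written.
report_geoip_setting() {
    command -v gsettings >/dev/null 2>&1 || { echo "gsettings not found"; return 2; }
    current=$(gsettings get "$SCHEMA" "$KEY") || return 2
    default=$(GSETTINGS_BACKEND=memory gsettings get "$SCHEMA" "$KEY") || return 2
    current_class=$(classify_geoip_url "$current")
    default_class=$(classify_geoip_url "$default")
    echo "effective: $current ($current_class)"
    echo "default:   $default ($default_class)"
    # Succeed only when both the packaged default and the value in use are ok.
    [ "$current_class" = ok ] && [ "$default_class" = ok ]
}

# Run the check only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then
    report_geoip_setting
    exit $?
fi
```

Run it with `--check` on the patched machine; a `plaintext` effective value next to an `ok` default means the package fix is in place but a user-level override still selects HTTP.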
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Hi All - I can test this on Xenial tomorrow (Jan 23). I'll report back after testing. Thanks to Brian for getting the package into xenial-proposed.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Hello xtsbdu3reyrbrmroezob, or anyone else affected,

Accepted ubuntu-geoip into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-geoip/1.0.2+14.04.20131125-0ubuntu2.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Tags added: verification-needed verification-needed-xenial
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Sorry for the delay, I didn't see the previous comments.

I've sponsored to Xenial now, Artful is not supported anymore so marking that one as wontfix. Unsure it makes sense to do an upload to trusty at this point

** Changed in: ubuntu-geoip (Ubuntu Xenial)
   Status: Triaged => Fix Committed

** Description changed:

Impact -- It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). Test Case - + 1) Install patches / patched package + 2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default: +`$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup` +`$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default. + 3) Confirm that the the correct location is being retrieved by the Ubuntu geoip service: +apt install geoclue-examples +and then geoclue-test-gui +. . . should show correct location information. + Regression Potential As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. - Original Bug Report --- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out
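Review bot: step 2 of the added test case checks only the stored gsettings value, so it passes even when no TLS connection to the service is ever completed, and step 3 exercises the network only through geoclue-test-gui without showing which scheme was used. Since the original report in the same description shows port 443 timing out, add an explicit step that confirms geoip.ubuntu.com now answers on 443 (for example by repeating the report's `nc -zv -w 3 geoip.ubuntu.com 443` check) before the location check. The `gsettings reset` in step 2 also discards any value the tester had set for the key, which is worth stating in the step. The parenthesis opened at "(this will confirm" is never closed, and "the the" in step 3 is a typo.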
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
** Changed in: ubuntu-geoip (Ubuntu Artful)
   Status: Triaged => Won't Fix
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Might anyone be able to clarify what kinds of additional test cases (if any) are needed? If so, I would appreciate it.

I'm making an attempt to be helpful in fixing this bug, but am a bit new to Canonical's internal processes in terms of what they expect to test / resolve these kinds of bugs. Any additional info / resources would be helpful.

Thanks,
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Adding test case here:

1) Install patches / patched package
2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default:
   `$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup`
   `$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default).
3) Confirm that the correct location is being retrieved by the Ubuntu geoip service:
   apt install geoclue-examples
   and then geoclue-test-gui
   . . . should show correct location information.

If additional test cases / test case information is needed, please let me know. Thanks.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Unsubscribing the Ubuntu Sponsors Team for now, due to Sebastien's comment that more work needs to be done. Please resubscribe the Sponsors Team once adequate tests have been added. Thank you.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
There is still a need to figure out a testcase here before the SRU can be uploaded
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Include associated patch to fix this for Trusty. Please update package after associated packages for Artful and Xenial.

** Patch added: "One-line fix and associated changelog - Trusty"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+attachment/5081722/+files/ubuntu_geoip_url_https_trusty.patch
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Include patch to set https geoip url for Xenial. Package should be updated after the related Artful package, but before the associated Trusty package.

** Patch added: "One-line fix and associated changelog - Xenial"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+attachment/5081721/+files/ubuntu_geoip_url_https_xenial.patch
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Include associated patch for Artful. This package should be updated before packages for Trusty and Xenial, although I'm attaching all three patches at more or less the same time.

** Patch added: "One-line fix and associated changelog"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+attachment/5081720/+files/ubuntu_geoip_url_https_artful.patch
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
This bug was fixed in the package ubuntu-geoip - 1.0.2+18.04.20180223-0ubuntu1

---
ubuntu-geoip (1.0.2+18.04.20180223-0ubuntu1) bionic; urgency=medium

  * Use https for geoip.ubuntu.com (LP: #1617535)

 -- Jeremy Bicha Fri, 23 Feb 2018 17:23:36 +

** Changed in: ubuntu-geoip (Ubuntu)
       Status: Fix Committed => Fix Released
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
** Also affects: ubuntu-geoip (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: ubuntu-geoip (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: ubuntu-geoip (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: ubuntu-geoip (Ubuntu)
   Importance: Wishlist => Low

** Changed in: ubuntu-geoip (Ubuntu Trusty)
   Importance: Undecided => Low

** Changed in: ubuntu-geoip (Ubuntu Trusty)
       Status: New => Triaged

** Changed in: ubuntu-geoip (Ubuntu)
       Status: Confirmed => Fix Committed

** Changed in: ubuntu-geoip (Ubuntu Xenial)
   Importance: Undecided => Low

** Changed in: ubuntu-geoip (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: ubuntu-geoip (Ubuntu Artful)
   Importance: Undecided => Low

** Changed in: ubuntu-geoip (Ubuntu Artful)
       Status: New => Triaged

** Description changed: - geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. - This can potentially be utilized by nation state adversaries to - compromise user privacy. This service is called multiple times per day - by the OS in order to track users. + Impact + -- + It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). + + Test Case + - + + Regression Potential + + As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. + + + Original Bug Report + --- + geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
It appears as though the servers may have been updated to also serve this over https (previously, https didn't work at the Ubuntu geoip url), but the default value for desktops is to use the http value, and the defaults should be updated.

Current values:
$ gsettings reset com.ubuntu.geoip geoip-url
$ gsettings get com.ubuntu.geoip geoip-url
'http://geoip.ubuntu.com/lookup'

Should show:
$ gsettings reset com.ubuntu.geoip geoip-url
$ gsettings get com.ubuntu.geoip geoip-url
'https://geoip.ubuntu.com/lookup'
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Using the:

$ gsettings set com.ubuntu.geoip geoip-url https://freegeoip.net/xml/

Appears to work well enough after initial testing.

1) $ gsettings set com.canonical.indicator.datetime show-auto-detected-location true
   shows my correct location

2) apt install geoclue-examples and then geoclue-test-gui . . . seems to show correct information, as well.

The freegeoip service appears to be well-maintained. Perhaps this is a service that canonical / ubuntu could move to / could support, as well.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
To reset the value to the ubuntu default:

gsettings reset com.ubuntu.geoip geoip-url
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
You can update to an alternate provider via:

gsettings set com.ubuntu.geoip geoip-url https://freegeoip.net/xml/

and verify the setting via:

gsettings get com.ubuntu.geoip geoip-url

but I have not done extensive testing to see if this breaks anything. Assistance on this would be appreciated.

You can either use the freegeoip service or use its code to host an instance yourself. I do not mean to vouch for their service in any way.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
** Changed in: ubuntu-geoip (Ubuntu)
       Status: New => Confirmed

** Changed in: ubuntu-geoip (Ubuntu)
   Importance: Undecided => Wishlist
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
I subscribed security team, it is unlikely that they get such messages if not subscribed :)

** Changed in: ubuntu-geoip (Ubuntu)
       Status: Incomplete => New
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
@jim no the ubuntu security team also did not respond regarding this issue. unfortunately, it is actually being abused by the great firewall of china to spy on ubuntu users within the border of china. from what we can tell, the ubuntu security team does not take nation state level issues very seriously, which is unfortunate, since google is one of the largest commercial users of ubuntu distro and they are the main target of nation states.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Any update to this bug? Seems that it would be advisable to make the change to https for any services possible. The less unencrypted traffic over the web, the better.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Your SSH supports bad crypto: arcfour arcfour128 arcfour256
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Your SSH also appears exposed to Internet and vulnerable to Logjam, which is exploitable by NSA.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Your SSH supports bad CBC mode: 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-...@lysator.liu.se
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Your SSH supports weak MAC: hmac-md5 hmac-md5-96 hmac-md5-96-...@openssh.com hmac-md5-...@openssh.com hmac-sha1-96 hmac-sha1-96-...@openssh.com
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Your leaked inode number: 2261065
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
So, also, ummm yeah, you're also running an end-of-life and insecure version of ubuntu there too dude. ubuntu 13.04 (saucy) is NOT getting any security updates. Should someone exploit it remotely to make that point? ;)

Ubuntu 13.10 EOL was July 2014.
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Exactly.

Say I am the NSA and you are connected to Tor. I know your EMAIL user agent like Thunderbird is leaking data in your mail header, like Time Zone data. I know you are connected to Tor and that I want to associate your IP to your email. I fiddle your Time Zone response data to something esoteric, check all the emails that came in over all Tor connections, and associate you with that connection.

Yes. There are even more things you can do as well, like forcing an ETAG or Last-Modified header in order to track the client as it switched from one network to another, eg laptop moved from one insecure network to another.

Further, there are surely unknown parsing vulnerabilities in the response data that you will only find out later.

HTTPS, especially with HSTS and HPKP makes abusing such issues much harder.

Let's Encrypt Everything with HTTPS. Unencrypted HTTP is dead.

"""
$ curl -s 'http://geoip.ubuntu.com' -D - | egrep '^(Last|ETag)'
Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT
ETag: "228049-4-4ac53a1e14240"
"""

References:
https://trac.torproject.org/projects/tor/ticket/6314
https://www.chromium.org/Home/chromium-security/client-identification-mechanisms#TOC-Cache-metadata:-ETag-and-Last-Modified
https://mortoray.com/2015/05/11/how-http-cache-headers-betray-your-privacy/
https://letsencrypt.org/

** Bug watch added: trac.torproject.org/projects/tor/ #6314
   https://trac.torproject.org/projects/tor/ticket/6314
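Added example, not part of the original thread: a header audit that decodes the ETag quoted in the message above and cross-checks it against Last-Modified, which also reproduces the inode number given in another message of this thread. It assumes the value follows the legacy Apache httpd "inode-size-mtime" hex layout (the thread does not name the server software); the function and class names and the second sample are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Response headers exactly as quoted in the message above.
SAMPLE_HEADERS = (
    "Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT\r\n"
    'ETag: "228049-4-4ac53a1e14240"\r\n'
)

# Constructed comparison input: the same validator with the inode field
# left out (size-mtime only).
SAMPLE_WITHOUT_INODE = (
    "Last-Modified: Wed, 07 Sep 2011 05:58:25 GMT\r\n"
    'ETag: "4-4ac53a1e14240"\r\n'
)

# Assumption: legacy Apache httpd layout, three hex fields
# "inode-size-mtime", with mtime in microseconds since the Unix epoch.
ETAG_3FIELD = re.compile(
    r'^(?:W/)?"([0-9a-fA-F]+)-([0-9a-fA-F]+)-([0-9a-fA-F]+)"$'
)


@dataclass
class EtagDisclosure:
    inode: int        # filesystem inode number of the served file
    size: int         # file size in bytes
    mtime: datetime   # file modification time (UTC)
    confirmed: bool   # True when mtime equals the Last-Modified header


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_etag(etag: str) -> Optional[Tuple[int, int, datetime]]:
    """Return (inode, size, mtime) if the ETag fits the assumed layout."""
    match = ETAG_3FIELD.match(etag.strip())
    if not match:
        return None
    inode, size, mtime_us = (int(field, 16) for field in match.groups())
    try:
        mtime = datetime.fromtimestamp(mtime_us // 1_000_000, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):
        return None  # third field is not a plausible timestamp
    return inode, size, mtime


def audit_validators(raw_headers: str) -> Optional[EtagDisclosure]:
    """Report file metadata disclosed by the ETag, or None if there is none."""
    headers = parse_headers(raw_headers)
    decoded = decode_etag(headers.get("etag", ""))
    if decoded is None:
        return None
    inode, size, mtime = decoded
    confirmed = False
    last_modified = headers.get("last-modified")
    if last_modified:
        try:
            # A match with Last-Modified confirms the field really is an mtime.
            confirmed = parsedate_to_datetime(last_modified) == mtime
        except (TypeError, ValueError):
            confirmed = False
    return EtagDisclosure(inode, size, mtime, confirmed)


if __name__ == "__main__":
    for label, raw in (("quoted", SAMPLE_HEADERS),
                       ("without inode", SAMPLE_WITHOUT_INODE)):
        finding = audit_validators(raw)
        if finding is None:
            print(f"{label}: no inode-bearing ETag")
        else:
            print(f"{label}: inode={finding.inode} size={finding.size} "
                  f"mtime={finding.mtime.isoformat()} "
                  f"confirmed={finding.confirmed}")
```

If the server is Apache httpd, `FileETag MTime Size` (or `FileETag None`) keeps the inode out of the validator. Serving the endpoint over HTTPS, as this bug requests, protects the headers from on-path modification but does not change what the ETag encodes.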
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Can you elaborate on what an adversary might do with this connection?

The name itself will be leaked via DNS requests regardless of TLS use.

The name itself may be leaked via SNI headers in a hypothetical HTTPS connection.

I'm not yet familiar with the data actually transferred once connected, but my wildest speculation suggests that it's going to consist of e.g. a User-agent header from the client and the server's best guess of geographical area for the connecting IP address.

It's hard to see what an adversary of even immense power could do with any information from this service.

It's also hard to see what an adversary would do if modifying the data in-flight -- force an inconvenient time display in the menu bar perhaps?

Thanks
[Desktop-packages] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
** Information type changed from Private Security to Public Security

** Changed in: ubuntu-geoip (Ubuntu)
       Status: New => Incomplete