[Group.of.nepali.translators] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
This bug was fixed in the package ubuntu-geoip - 1.0.2+14.04.20131125-0ubuntu2.16.04.1 --- ubuntu-geoip (1.0.2+14.04.20131125-0ubuntu2.16.04.1) xenial; urgency=medium [ Jim Campbell ] * Use https for geoip.ubuntu.com/lookup URL (LP: #1617535) -- Jim Campbell Fri, 16 Mar 2018 19:26:42 + ** Changed in: ubuntu-geoip (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1617535 Title: geoip.ubuntu.com does not utilize HTTPS Status in ubuntu-geoip package in Ubuntu: Fix Released Status in ubuntu-geoip source package in Trusty: Triaged Status in ubuntu-geoip source package in Xenial: Fix Released Status in ubuntu-geoip source package in Artful: Won't Fix Bug description: Impact -- It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). Test Case - 1) Install patches / patched package 2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default: `$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup` `$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default. 3) Confirm that the the correct location is being retrieved by the Ubuntu geoip service: apt install geoclue-examples and then geoclue-test-gui . . . should show correct location information. Regression Potential As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. Original Bug Report --- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
** Changed in: ubuntu-geoip (Ubuntu Artful) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1617535 Title: geoip.ubuntu.com does not utilize HTTPS Status in ubuntu-geoip package in Ubuntu: Fix Released Status in ubuntu-geoip source package in Trusty: Triaged Status in ubuntu-geoip source package in Xenial: Triaged Status in ubuntu-geoip source package in Artful: Won't Fix Bug description: Impact -- It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). Test Case - Regression Potential As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. Original Bug Report --- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
This bug was fixed in the package ubuntu-geoip - 1.0.2+18.04.20180223-0ubuntu1 --- ubuntu-geoip (1.0.2+18.04.20180223-0ubuntu1) bionic; urgency=medium * Use https for geoip.ubuntu.com (LP: #1617535) -- Jeremy Bicha Fri, 23 Feb 2018 17:23:36 + ** Changed in: ubuntu-geoip (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1617535 Title: geoip.ubuntu.com does not utilize HTTPS Status in ubuntu-geoip package in Ubuntu: Fix Released Status in ubuntu-geoip source package in Trusty: Triaged Status in ubuntu-geoip source package in Xenial: Triaged Status in ubuntu-geoip source package in Artful: Triaged Bug description: Impact -- It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). Test Case - Regression Potential As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. Original Bug Report --- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
