[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

Thu, 17 Jan 2019 02:15:34 -0800 

Sorry for the delay, I didn't see the previous comments. I've sponsored
to Xenial now, Artful is not supported anymore so marking that one as
wontfix. Unsure it makes sense to do an upload to trusty at this point

** Changed in: ubuntu-geoip (Ubuntu Xenial)
       Status: Triaged => Fix Committed

** Description changed:

  Impact
  ------
  It's better to use https where we can. There were concerns about location 
leakage for users using a proxy (such as Tor).
  
  Test Case
  ---------
  
+ 1) Install patches / patched package
+ 2) Confirm that the 'geoip url' is set to a correct 'https' value, and that 
this value is set as the default:
+    `$ gsettings get com.ubuntu.geoip geoip-url` should display 
`https://geoip.ubuntu.com/lookup`
+    `$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get 
com.ubuntu.geoip geoip-url` should continue to display 
`https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is 
set as the default.
+ 3) Confirm that the the correct location is being retrieved by the Ubuntu 
geoip service:
+    apt install geoclue-examples
+    and then geoclue-test-gui
+    . . . should show correct location information.
+ 
  Regression Potential
  --------------------
  As long as Canonical maintains https://geoip.ubuntu.com, things should be 
fine here. Minimal fix.
- 
  
  Original Bug Report
  -------------------
  geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This 
can potentially be utilized by nation state adversaries to compromise user 
privacy. This service is called multiple times per day by the OS in order to 
track users.
  
  $ nc -zv geoip.ubuntu.com 80
  Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
  
  $ nc -zv -w 3 geoip.ubuntu.com 443
  nc: connect to geoip.ubuntu.com port 443 (tcp) timed out

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1617535

Title:
  geoip.ubuntu.com does not utilize HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to