Sorry for the delay, I didn't see the previous comments. I've sponsored to Xenial now, Artful is not supported anymore so marking that one as wontfix. Unsure it makes sense to do an upload to trusty at this point
** Changed in: ubuntu-geoip (Ubuntu Xenial) Status: Triaged => Fix Committed ** Description changed: Impact ------ It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). Test Case --------- + 1) Install patches / patched package + 2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default: + `$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup` + `$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default. + 3) Confirm that the the correct location is being retrieved by the Ubuntu geoip service: + apt install geoclue-examples + and then geoclue-test-gui + . . . should show correct location information. + Regression Potential -------------------- As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. - Original Bug Report ------------------- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1617535 Title: geoip.ubuntu.com does not utilize HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs