[gnome.org #14530] HTTPS caching proxy for weather information



On Wed Sep 17 18:43:32 2014, fpeters gnome org wrote:
Andrea Veri via RT wrote:

1. this is probably going to fix the problem half way as the
coordinates between the GNOME servers and the provider themselves
will still be unencrypted.

2. the only way to have the issue completely fixed would be looking
for providers offering TLS by default.

I believe this will nevertheless quite improve the situation as the
results can be cached.

We aren't discussing the performance of the service on this ticket but its security instead, from what I've
understood. Security-wise, this change won't improve the current situation at all; a few questions:

if that's the case then the gnome-weather app is
just going to transmit the coordinates of a specific city and not
the home/work location itself. (which would be the case for me to
start worrying about my location being sniffed, and additionally if
someone is able to sniff my location it means it sits on the same
network as I do (like for the GUADEC example mentioned on the bug
report [1]) and that just means that I know where that person is
already)

You would sniff the locations that have been set, most likely this
will not contain only the GUADEC host city, but also the user home
town or previous holiday spot (to use an example from the locations I
have in mine).

Yes, so the location of the town will be sniffed and not the location of the house / flat the user really
resides in, so from my understanding the sniffer can eavesdrop the following details:

1. the city registered on the gnome-weather app (which might be different from the real location of the user)

what it can't sniff:

1. the location of the home/flat of the user that made the request
2. the name / surname of the user

I honestly would be scared about someone being able to sniff my name/surname/home address information but
those details alone are definitely useless as the sniffer can't build such a combination of details on its own.
And can we even consider it a breach of the privacy of our users? I honestly don't think so as the app itself
just provides the coordinates of a city, what else?

As an example:

"""The user is not safe even if you don't have geolocation. right now in the
GUADEC wifi I can sniff the traffic and see everyone's home/work coordinates.
Combined with some more data mining techniques I could attach this information
to individuals. This is no good."""

What data mining techniques are we talking about? Probably the fact he personally knows certain people and
might be able to guess the city foo is located in Italy or Germany?

I'm also CCing him on this thread as he was the original bug reporter.

cheers,

-- 
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman


----------------------------------------------------
This message was sent via GNOME.org Request Tracker.

