[gnome.org #14530] HTTPS caching proxy for weather information

From: "Andrea Veri via RT" <support gnome org>
To: fpeters gnome org
Cc: gnome-infrastructure gnome org
Subject: [gnome.org #14530] HTTPS caching proxy for weather information
Date: Wed, 17 Sep 2014 18:23:33 +0000

On Wed Sep 17 15:56:57 2014, fpeters gnome org wrote:

Hello sysadmins!

gnome-weather currently leaks user information to weather providers
(noaa and yr.no), and it does that over http; details are available in
https://bugzilla.gnome.org/show_bug.cgi?id=734048.

In that bug report it was decided to disable the weather search
provider by default, so the leak would only happen when actively using
gnome-weather.

To go further I have now created another bug report, following a
suggestion the initial report:

So I think this bug can either be closed or kept open to track the
effort of trying to contact NOAA and yr.no asking for TLS or
implementing a GNOME hosted TLS proxy.


That's https://bugzilla.gnome.org/show_bug.cgi?id=736814.

So here I am, asking sysadmins how feasible it would be to have an
https caching proxy to noaa and yr.no.

I'll update the bug report with the RT ticket number once I get it.

After reading the bug report again I have a few remarks:

1. this is probably going to fix the problem half way as the coordinates between the GNOME servers and the
provider themselves will still be unencrypted.
2. the only way to have the issue completely fixed would be looking for providers offering TLS by default.
3. reverse proxying all the requests by having the GNOME proxies as intermediary machines will result in the
GNOME Sysadmin Team to be responsible for the whole set of information that are transmitted between the GNOME
servers and the providers themselves which is something we'd love not to do. As you may be aware we don't
have a privacy policy as of today and that makes things even harder.
4. Am I correct that the coordinates transmitted between the user pc and the provider are the ones of the
city the user can select from the app's menu and are not precisely referred to the user's home/work location?
if that's the case then the gnome-weather app is just going to transmit the coordinates of a specific city
and not the home/work location itself. (which would be the case for me to start worrying about my location
being sniffed, and additionally if someone is able to sniff my location it means it sits on the same network
as I do (like for the GUADEC example mentioned on the bug report [1]) and that just means that I know where
that person is already)

[1] https://bugzilla.gnome.org/show_bug.cgi?id=734048

--
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman

----------------------------------------------------
This message was sent via GNOME.org Request Tracker.

Follow-Ups:
- Re: [gnome.org #14530] HTTPS caching proxy for weather information
  - From: Frederic Peters

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]