[gnome.org #14530] HTTPS caching proxy for weather information



On Wed Sep 17 15:56:57 2014, fpeters gnome org wrote:
Hello sysadmins!

gnome-weather currently leaks user information to weather providers
(noaa and yr.no), and it does that over http; details are available in
https://bugzilla.gnome.org/show_bug.cgi?id=734048.

In that bug report it was decided to disable the weather search
provider by default, so the leak would only happen when actively using
gnome-weather.

To go further I have now created another bug report, following a
suggestion in the initial report:

So I think this bug can either be closed or kept open to track the
effort of trying to contact NOAA and yr.no asking for TLS or
implementing a GNOME hosted TLS proxy.

That's https://bugzilla.gnome.org/show_bug.cgi?id=736814.

So here I am, asking sysadmins how feasible it would be to have an
https caching proxy to noaa and yr.no.

I'll update the bug report with the RT ticket number once I get it.

After reading the bug report again I have a few remarks:

1. This is probably going to fix the problem halfway, as the
   coordinates between the GNOME servers and the providers themselves
   will still be unencrypted.
2. The only way to have the issue completely fixed would be looking for
   providers offering TLS by default.
3. Reverse proxying all the requests by having the GNOME proxies as
   intermediary machines will result in the GNOME Sysadmin Team being
   responsible for the whole set of information that is transmitted
   between the GNOME servers and the providers themselves, which is
   something we'd love not to do. As you may be aware, we don't have a
   privacy policy as of today and that makes things even harder.
4. Am I correct that the coordinates transmitted between the user's PC
   and the provider are the ones of the city the user can select from
   the app's menu and do not refer precisely to the user's home/work
   location? If that's the case, then the gnome-weather app is just
   going to transmit the coordinates of a specific city and not the
   home/work location itself (which would be the case for me to start
   worrying about my location being sniffed; additionally, if someone
   is able to sniff my location it means they sit on the same network
   as I do (like the GUADEC example mentioned in the bug report [1]),
   and that just means that I know where that person is already).

[1] https://bugzilla.gnome.org/show_bug.cgi?id=734048


-- 
Andrea,
GNOME Sysadmin
GNOME Accounts Team
GNOME Membership & Elections Committee Chairman


----------------------------------------------------
This message was sent via GNOME.org Request Tracker.

