Re: [gnome.org #14530] HTTPS caching proxy for weather information



Andrea Veri via RT wrote:
On Wed Sep 17 18:43:32 2014, fpeters gnome org wrote:
Andrea Veri via RT wrote:

1. this is probably going to fix the problem half way as the
coordinates between the GNOME servers and the provider themselves
will still be unencrypted.

2. the only way to have the issue completely fixed would be looking
for providers offering TLS by default.

I believe this will nevertheless quite improve the situation as the
results can be cached.

We aren't discussing performance of the service on this ticket but
the security of it instead from what I've understood. Security
speaking this change won't improve the current situation at all, a
few questions:

Caching is not there for performance reasons but to disassociate the
user request from the request going to the weather services.


1. the city registered on the gnome-weather app (which might be
different from the real location of the user)

The cities, plural.


what it can't sniff:

1. the location of the home/flat of the user that made the request
2. the name / surname of the user

I honestly would be scared about someone being able to sniff my
name/surname/home address information but those details alone are
definitely useless as the sniffer can't build such combination of
details on its own. And can we even consider it a breach of the
privacy of our users? I honestly don't think so as the app itself
just provides the coordinate of a city, what else?

If you take my personal history as a user of gnome-weather, it's
possible for the weather provider (or any person in between, as it's
currently http) to create a trail of my various locations.  I would
much prefer to have HTTPS and a service policy assuring me there is no
data retention.


As an example:

"""The user is not safe even if you don't have geolocation. Right now in the
GUADEC wifi I can sniff the traffic and see everyone's home/work coordinates.
Combined with some more data mining techniques I could attach this information
to individuals. This is no good."""

What data mining techniques are we talking about? Probably the fact he personally knows certain people and
might be able to guess the city foo is located in Italy or Germany?

I'm also CCing him on this thread as he was the original bug reporter.

fwiw I don't see anybody in the CC.


        Fred

