Bug 734048 - gnome-weather leaks information of your saved locations in cleartext when not using the app
Status: RESOLVED FIXED
Product: gnome-weather
Classification: Applications
Component: general
Assigned To: GNOME Weather Maintainer(s)
Depends on: 734108 734109 734110
Reported: 2014-07-31 14:59 UTC by Elad Alfassa
Modified: 2014-09-17 15:50 UTC
GNOME target: 3.14
GNOME version: ---


Attachments
Disable the search provider by default (1.01 KB, patch)
2014-08-01 11:38 UTC, Giovanni Campagna
committed

Description Elad Alfassa 2014-07-31 14:59:29 UTC
gnome-weather leaks information of your saved locations in cleartext when not using the app.

It leaks the nearest weather station to NOAA (in cleartext) and the GPS coordinates to yr.no. If you have location information, it might also leak your current location. This is sensitive, private and uniquely identifying information.

This kind of data should not be transferred in cleartext, but more importantly I don't expect this data to leak when I'm not actively using the app.
Comment 1 Giovanni Campagna 2014-07-31 15:11:17 UTC
If the app is not running, we don't do any geolocation (at least in master).
If the app is running and automatic location is disabled, we won't send the coordinates of the current location (at least, this will be the case when the new design lands).
Finally, if you are really concerned, you can disable geolocation globally.

I'm afraid neither yr.no nor NOAA use TLS, if that's your problem, so I don't know how to solve this...
Comment 2 Elad Alfassa 2014-07-31 15:22:13 UTC
GNOME would need to set up a TLS proxy or something, I guess.

Sending the locations you care about (the combination thereof could be uniquely identifying) over cleartext is really bad. Can gnome-weather avoid doing this until we have a TLS proxy?
Comment 3 Elad Alfassa 2014-07-31 15:24:49 UTC
(When I say avoid doing that, I mean avoid doing it when the app is not running)
Comment 4 Giovanni Campagna 2014-07-31 15:27:39 UTC
Again, there is no geolocation running if you don't run the app.
We do pull the weather forecast for stored locations in background, but you can disable that from the Search panel.

If you want a TLS proxy (something I don't think is strictly necessary, given that you can just configure a couple of cities around the world and make the data worthless), you'll need to convince the Infrastructure team to provide one.
Comment 5 Elad Alfassa 2014-07-31 15:35:16 UTC
> Again, there is no geolocation running if you don't run the app.
> We do pull the weather forecast for stored locations in background, but you can
> disable that from the Search panel.

That is very unclear from a UX perspective. A user who has the search provider enabled will not expect Weather to leak private information while not using the app.

> given that you can just configure a couple of cities around the world and make the data worthless

It's not a solution. The data will still identify you.

> you'll need to convince the Infrastructure team to provide one.

Working on it.
Comment 6 Giovanni Campagna 2014-07-31 15:38:58 UTC
(In reply to comment #5)
> > Again, there is no geolocation running if you don't run the app.
> > We do pull the weather forecast for stored locations in background, but you can
> > disable that from the Search panel.
> 
> That is very unclear from a UX perspective. A user who has the search provider
> enabled will not expect Weather to leak private information while not using the
> app.

A user who has the weather search provider enabled will expect Weather to periodically check the weather for a set of configured locations. There is no way around that...
Comment 7 Elad Alfassa 2014-07-31 15:46:27 UTC
No, that is wrong.

1) Weather is configured to do this by default without telling the user
2) Users are not familiar with the implementation details of the search provider
Comment 8 Giovanni Campagna 2014-07-31 15:53:26 UTC
They can look at the shell indicator: if there is no geoclue icon there is no geolocation going on and they are safe.
The fact that forecast is retrieved from the internet is an implementation detail of course, but it's one that is very reasonable to assume: I don't think anyone would believe gnome-weather makes data out of thin air.
We need to retrieve that from somewhere, in order to show it to the user, it's the whole point of the application.

Besides, TLS proxies and anonymizers exist already and can be configured system-wide for extra safety, without involving GNOME Infra.
Comment 9 Elad Alfassa 2014-07-31 16:02:54 UTC
The user is not safe even if you don't have geolocation. Right now on the GUADEC wifi I can sniff the traffic and see everyone's home/work coordinates. Combined with some more data mining techniques I could attach this information to individuals. This is no good.

> I don't think anyone would believe gnome-weather makes data out of thin air.

Of course not, but gnome-weather is INSTALLED BY DEFAULT and the search provider is ENABLED BY DEFAULT. I never consented to gnome-weather leaking my home location over the internet WHEN I'M NOT ACTIVELY USING IT.

> Besides, TLS proxies and anonymizers exist already and can be configured
> system-wide for extra safety,

The idea is to make gnome safer by default.
Comment 10 Giovanni Campagna 2014-08-01 11:08:18 UTC
OK, let's turn this bug into an actionable plan:

1) We will use TLS whenever available. Currently this is never, but if GNOME (or some other trusted agent) will provide a TLS proxy we will happily use it.

2) We will disable the Weather search provider by default. This is a little convoluted because it needs changes in the search infrastructure in the shell, but it's all fixable for 3.14.

Is that enough for you?
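
An added example (not code from gnome-weather or from the patch attached to this bug) of auditing an application's outbound requests for the two problems this plan addresses: location data sent without TLS, and location data sent while the app is not in use. The log format, the `appInForeground` flag, the parameter names and the sample URLs are assumptions constructed for illustration.

```javascript
// Query parameter names treated as location-bearing (assumed, not the real API schemas).
const LOCATION_PARAMS = ['lat', 'lon', 'latitude', 'longitude', 'station'];

// Return the location-bearing parameter names present in a request URL.
function locationFields(rawUrl) {
    const url = new URL(rawUrl);
    // Some HTTP APIs separate query pairs with ';' instead of '&'; normalise first.
    const query = url.search.slice(1).replace(/;/g, '&');
    const params = new URLSearchParams(query);
    return LOCATION_PARAMS.filter((name) => params.has(name));
}

// Classify one logged request. `appInForeground` is a hypothetical flag the
// logging harness records for whether the user had the app open at the time.
function auditRequest(rawUrl, { appInForeground }) {
    const url = new URL(rawUrl);
    const fields = locationFields(rawUrl);
    const findings = [];
    if (fields.length > 0 && url.protocol !== 'https:')
        findings.push('location-in-cleartext');
    if (fields.length > 0 && !appInForeground)
        findings.push('location-sent-in-background');
    return { host: url.hostname, fields, findings };
}

// Keep only the requests that raised at least one finding.
function auditLog(entries) {
    return entries
        .map((entry) => auditRequest(entry.url, entry))
        .filter((result) => result.findings.length > 0);
}

// Constructed sample log; hosts ending in .example are placeholders.
const SAMPLE_LOG = [
    { url: 'http://yr.no/forecast?lat=59.91;lon=10.75', appInForeground: false },
    { url: 'http://noaa.example/metar?station=KSFO', appInForeground: true },
    { url: 'https://proxy.example/forecast?lat=59.91&lon=10.75', appInForeground: true },
    { url: 'http://noaa.example/static/icons.png', appInForeground: false },
];

for (const result of auditLog(SAMPLE_LOG))
    console.log(result.host, result.fields.join(','), result.findings.join(','));
```

The TLS request to the placeholder proxy and the request without location parameters produce no findings, which is the state the two plan items aim for.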
Comment 11 Giovanni Campagna 2014-08-01 11:38:59 UTC
Created attachment 282249
Disable the search provider by default

The weather search provider has privacy implications because
it broadcasts the current and stored locations over unsafe channels,
so don't enable it by default.
Comment 12 Giovanni Campagna 2014-09-14 17:45:57 UTC
Comment on attachment 282249
Disable the search provider by default

This was committed a while ago, is there anything else we can do here?
Comment 13 Elad Alfassa 2014-09-17 13:47:15 UTC
Hey,

I don't think we can do anything more for 3.14. Our only two other options are to try to contact the API providers asking them for TLS or to have gnome host a TLS proxy for this API. Both of these are unlikely to happen.

So I think this bug can either be closed or kept open to track the effort of trying to contact NOAA and yr.no asking for TLS or implementing a GNOME hosted TLS proxy.
Comment 14 Frederic Peters 2014-09-17 15:50:57 UTC
I created bug 736814 to use a gnome proxy, once available; so this bug can now be closed.