Bug 736814 – Weather app leaks user location data in clear-text

Bug 736814 - Weather app leaks user location data in clear-text


Summary:	Weather app leaks user location data in clear-text

Status:	NEW

Product:	gnome-weather
Classification:	Applications
Component:	general
Version:	3.13.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	GNOME Weather Maintainer(s)
QA Contact:	GNOME Weather Maintainer(s)

URL:
Whiteboard:	safety
Keywords:

Depends on:
Blocks:
	Show dependency tree

Reported:	2014-09-17 15:50 UTC by Frederic Peters
Modified:	2016-03-06 14:21 UTC (History)
CC List:	7 users (show)

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Frederic Peters 2014-09-17 15:50:16 UTC

From bug 734048:

> So I think this bug can either be closed or kept open to track the effort of
> trying to contact NOAA and yr.no asking for TLS or implementing a GNOME hosted
> TLS proxy.

The required proxy doesn't exist at the moment, a request has been made to the sysadmins.

Comment 1 Frederic Peters 2014-09-17 15:57:59 UTC

It's now tracked as RT issue #14530.

Comment 2 Hubert Figuiere (:hub) 2015-01-18 16:50:23 UTC

I don't see how the proxy will solve all the problems. It will only ensure that the communication between the user and the other endpoint is encrypted. But between the proxy and the services, it will remain vulnerable to interception.

Comment 3 Frederic Peters 2015-01-18 17:29:00 UTC

Surely we won't solve all problems in one go but in the case of this weather data we can often decorrelate the user->proxy request from the proxy->server request simply by caching responses for some time.

Comment 4 Giovanni Campagna 2015-03-18 20:26:16 UTC

Do we have news on this one? Is the proxy available now?

Comment 5 Michael Catanzaro 2015-07-01 23:59:59 UTC

(In reply to Giovanni Campagna from comment #4)
> Do we have news on this one?

Comment 6 Daniel Aleksandersen 2016-02-01 07:51:50 UTC

This should have been titled “Weather app leaks user location data in clear-text”.

Comment 7 Michael Catanzaro 2016-02-01 18:56:43 UTC

(In reply to Daniel Aleksandersen from comment #6)
> This should have been titled “Weather app leaks user location data in
> clear-text”.

I will change the title. That is the problem; using a proxy is only one possible solution.

Comment 8 Daniel Aleksandersen 2016-03-06 14:21:49 UTC

Included a patch for using https://api.met.no instead of http://api.yr.no in bug #763175. I contacted the Norwegian Meteorological Institute and asked them to provide HTTPS for their API, and it only took them a month to set it up. So it does help to ask nicely! :-)

Note You need to log in before you can comment on or make changes to this bug.