GNOME Bugzilla – Bug 736814
Weather app leaks user location data in clear-text
Last modified: 2020-05-22 13:14:50 UTC
From bug 734048:
> So I think this bug can either be closed or kept open to track the effort of
> trying to contact NOAA and yr.no asking for TLS or implementing a GNOME hosted
> TLS proxy.
The required proxy doesn't exist at the moment, a request has been made to the sysadmins.
It's now tracked as RT issue #14530.
I don't see how the proxy will solve all the problems. It will only ensure that the communication between the user and the other endpoint is encrypted. But between the proxy and the services, it will remain vulnerable to interception.
Surely we won't solve all problems in one go, but in the case of this weather data we can often decorrelate the user->proxy request from the proxy->server request simply by caching responses for some time.
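The caching effect described in the comment above, as an added example that is not part of the original thread or of any GNOME code: a toy proxy model with a TTL cache, replayed over constructed traffic, returning what an observer on the proxy->server leg would see. The class name, the TTL value and the station codes are assumptions made for illustration.

```python
import time


class CachingWeatherProxy:
    """Toy model (hypothetical) of a TLS-terminating proxy that caches upstream responses."""

    def __init__(self, fetch_upstream, ttl_seconds=1800, clock=time.monotonic):
        self._fetch = fetch_upstream   # callable(station) -> report; the proxy->server leg
        self._ttl = ttl_seconds        # assumed cache lifetime, not a value from the bug
        self._clock = clock
        self._cache = {}               # station -> (expires_at, report)

    def get(self, station):
        now = self._clock()
        hit = self._cache.get(station)
        if hit and hit[0] > now:
            return hit[1]              # served from cache: nothing leaves the proxy
        report = self._fetch(station)
        self._cache[station] = (now + self._ttl, report)
        return report


def simulate(user_requests, ttl_seconds=1800):
    """Replay (timestamp, user, station) tuples through the proxy and return
    what is visible on the proxy->server leg: a list of (timestamp, station)."""
    now = [0]
    upstream_log = []

    def fetch(station):
        upstream_log.append((now[0], station))  # no user identity reaches upstream
        return f"report for {station}"

    proxy = CachingWeatherProxy(fetch, ttl_seconds, clock=lambda: now[0])
    for ts, _user, station in sorted(user_requests):
        now[0] = ts
        proxy.get(station)
    return upstream_log


# Constructed sample traffic: (seconds since start, user, station code)
SAMPLE = [
    (0, "alice", "ENGM"),
    (60, "bob", "ENGM"),
    (600, "carol", "ENGM"),
    (900, "dave", "KSFO"),
    (2000, "alice", "ENGM"),
]

if __name__ == "__main__":
    for ts, station in simulate(SAMPLE):
        print(ts, station)
```

Only three of the five user requests produce upstream traffic, and none carries a user identity. A cache miss still coincides in time with one user's request, which is why the decorrelation holds "often" rather than always.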
Do we have news on this one? Is the proxy available now?
(In reply to Giovanni Campagna from comment #4)
> Do we have news on this one?
This should have been titled “Weather app leaks user location data in clear-text”.
(In reply to Daniel Aleksandersen from comment #6)
> This should have been titled “Weather app leaks user location data in
I will change the title. That is the problem; using a proxy is only one possible solution.
Included a patch for using https://api.met.no instead of http://api.yr.no in bug #763175. I contacted the Norwegian Meteorological Institute and asked them to provide HTTPS for their API, and it only took them a month to set it up. So it does help to ask nicely! :-)
Sigh, another app that has not yet migrated bugs to GitLab....
I did a search for 'http' in the gnome-weather codebase and found zero relevant results. Safe to say this is really a libgweather bug...?
(In reply to Michael Catanzaro from comment #9)
> Sigh, another app that has not yet migrated bugs to GitLab....
It might be a better idea to do something about it using the powers of the release-team. There's really no reason left to not migrate.
> I did a search for 'http' in the gnome-weather codebase and found zero
> relevant results. Safe to say this is really a libgweather bug...?
The only thing that was still using an http URL was the (usually disabled) "wx" radar provider, which didn't work anyway. So I removed it:
OK, closing this then.