Bug 736814 - Weather app leaks user location data in clear-text
Status: RESOLVED WONTFIX
Product: gnome-weather
Classification: Applications
Component: general
Version: 3.13.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: GNOME Weather Maintainer(s)
safety
Reported: 2014-09-17 15:50 UTC by Frederic Peters
Modified: 2020-05-22 13:14 UTC

Description Frederic Peters 2014-09-17 15:50:16 UTC
From bug 734048:

> So I think this bug can either be closed or kept open to track the effort of
> trying to contact NOAA and yr.no asking for TLS or implementing a GNOME hosted
> TLS proxy.

The required proxy doesn't exist at the moment; a request has been made to the sysadmins.
Comment 1 Frederic Peters 2014-09-17 15:57:59 UTC
It's now tracked as RT issue #14530.
Comment 2 Hubert Figuiere (:hub) 2015-01-18 16:50:23 UTC
I don't see how the proxy will solve all the problems. It will only ensure that the communication between the user and the other endpoint is encrypted. But between the proxy and the services, it will remain vulnerable to interception.
Comment 3 Frederic Peters 2015-01-18 17:29:00 UTC
Surely we won't solve all problems in one go, but in the case of this weather data we can often decorrelate the user->proxy request from the proxy->server request simply by caching responses for some time.
Comment 4 Giovanni Campagna 2015-03-18 20:26:16 UTC
Do we have news on this one? Is the proxy available now?
Comment 5 Michael Catanzaro 2015-07-01 23:59:59 UTC
(In reply to Giovanni Campagna from comment #4)
> Do we have news on this one?
Comment 6 Daniel Aleksandersen 2016-02-01 07:51:50 UTC
This should have been titled “Weather app leaks user location data in clear-text”.
Comment 7 Michael Catanzaro 2016-02-01 18:56:43 UTC
(In reply to Daniel Aleksandersen from comment #6)
> This should have been titled “Weather app leaks user location data in
> clear-text”.

I will change the title. That is the problem; using a proxy is only one possible solution.
Comment 8 Daniel Aleksandersen 2016-03-06 14:21:49 UTC
Included a patch for using https://api.met.no instead of http://api.yr.no in bug #763175. I contacted the Norwegian Meteorological Institute and asked them to provide HTTPS for their API, and it only took them a month to set it up. So it does help to ask nicely! :-)
Comment 9 Michael Catanzaro 2020-03-30 19:44:10 UTC
Sigh, another app that has not yet migrated bugs to GitLab....

I did a search for 'http' in the gnome-weather codebase and found zero relevant results. Safe to say this is really a libgweather bug...?
Comment 10 Bastien Nocera 2020-04-06 12:17:24 UTC
(In reply to Michael Catanzaro from comment #9)
> Sigh, another app that has not yet migrated bugs to GitLab....

It might be a better idea to do something about it using the powers of the release-team. There's really no reason left to not migrate.

> I did a search for 'http' in the gnome-weather codebase and found zero
> relevant results. Safe to say this is really a libgweather bug...?

The only thing that was still using an http URL was the (usually disabled) "wx" radar provider, which didn't work anyway. So I removed it:
https://gitlab.gnome.org/GNOME/libgweather/-/merge_requests/64
Comment 11 Michael Catanzaro 2020-05-22 13:14:50 UTC
OK, closing this then.