[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS
Simon Quigley
tsimonq2 at ubuntu.com
Sun Apr 15 04:49:26 UTC 2018
Unsubscribing the Ubuntu Sponsors Team for now, due to Sebastien's
comment that more work needs to be done.
Please resubscribe the Sponsors Team once adequate tests have been
added.
Thank you.
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1617535
Title:
geoip.ubuntu.com does not utilize HTTPS
Status in ubuntu-geoip package in Ubuntu:
Fix Released
Status in ubuntu-geoip source package in Trusty:
Triaged
Status in ubuntu-geoip source package in Xenial:
Triaged
Status in ubuntu-geoip source package in Artful:
Triaged
Bug description:
Impact
------
It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor).
Test Case
---------
Regression Potential
--------------------
As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix.
Original Bug Report
-------------------
geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.
$ nc -zv geoip.ubuntu.com 80
Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
$ nc -zv -w 3 geoip.ubuntu.com 443
nc: connect to geoip.ubuntu.com port 443 (tcp) timed out