[Bug 1617535] [NEW] geoip.ubuntu.com does not utilize HTTPS

Launchpad Bug Tracker 1617535 at bugs.launchpad.net
Fri Mar 16 20:08:38 UTC 2018


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jim Campbell (jwcampbell):

Impact
------
It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor).

Test Case
---------

Regression Potential
--------------------
As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix.


Original Bug Report
-------------------
geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.

$ nc -zv geoip.ubuntu.com 80
Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!

$ nc -zv -w 3 geoip.ubuntu.com 443
nc: connect to geoip.ubuntu.com port 443 (tcp) timed out

** Affects: ubuntu-geoip (Ubuntu)
     Importance: Low
         Status: Fix Released

** Affects: ubuntu-geoip (Ubuntu Trusty)
     Importance: Low
         Status: Triaged

** Affects: ubuntu-geoip (Ubuntu Xenial)
     Importance: Low
         Status: Triaged

** Affects: ubuntu-geoip (Ubuntu Artful)
     Importance: Low
         Status: Triaged

-- 
geoip.ubuntu.com does not utilize HTTPS
https://bugs.launchpad.net/bugs/1617535
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.


