116
Comment: Initial draft.
|
2853
add nsntrace detection tool
|
Line 1: | Line 1: |
<<TableOfContents>> |
|
Line 5: | Line 7: |
* gnome-calculator - fetches currencies when started | * gnome-calculator - [[https://gitlab.gnome.org/GNOME/gnome-calculator/issues/34|fetches currencies]] * Firefox - [[Firefox#Automatic_connections|multiple issues]] * Chromium - phones home in various ways, e.g. DebianBug:792580, [[https://lwn.net/Articles/648392/|binary blob downloads]], [[https://www.chromium.org/developers/design-documents/site-engagement|site engagement profiles]], [[https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/|Google login tied-in with the browser]] * DebianPackage:basex - phones home to find out the latest version == Phone elsewhere == * systemd - Uses Google DNS resolvers as internal default, not explicitly documented: See "FallbackDNS" in [[https://manpages.debian.org/stretch/systemd/resolved.conf.5.en.html|systemd-resolved manpage]] == Data sharing == * remmina - shares the clipboard with remote hosts over RDP by default * pidgin - shares typing notifications with remote peers by default == Data storage == * web and other servers of various kinds default to logging information about requests over the network from external entities = Detection tools = * DebianPackage:wireshark * [[https://github.com/evilsocket/opensnitch/|opensnitch]] * [[https://github.com/jonasdn/nsntrace/|nsntrace]] = Reports = * [[https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pabs@debian.org;tag=privacy|usertagged by pabs]] * [[https://debtags.debian.org/reports/facets/privacy|Debtags privacy facet]] * lintian privacy-breach tags: [[https://lintian.debian.org/tags/privacy-breach-generic.html|generic]] [[https://lintian.debian.org/tags/privacy-breach-donation.html|donation]] [[https://lintian.debian.org/tags/privacy-breach-facebook.html|facebook]] [[https://lintian.debian.org/tags/privacy-breach-google-adsense.html|google-adsense]] [[https://lintian.debian.org/tags/privacy-breach-google-cse.html|google-cse]] 
[[https://lintian.debian.org/tags/privacy-breach-google-plus.html|google-plus]] [[https://lintian.debian.org/tags/privacy-breach-logo.html|logo]] [[https://lintian.debian.org/tags/privacy-breach-piwik.html|piwik]] [[https://lintian.debian.org/tags/privacy-breach-statistics-website.html|statistics-website]] [[https://lintian.debian.org/tags/privacy-breach-twitter.html|twitter]] [[https://lintian.debian.org/tags/privacy-breach-uses-embedded-file.html|uses-embedded-file]] [[https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html|w3c-valid-html]] = Issue categories = * logging & verbose logging * homephoning without user consent * cleartext * TLS * featurebug: when a bug is also a feature * privacy defaults * optin * optout * traceability * no deletion of config files when uninstalling a package |
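Review bot: the systemd entry under "Phone elsewhere" says the Google DNS default is "not explicitly documented" and then cites the systemd-resolved manpage's "FallbackDNS" as the reference, which reads as a contradiction. State what the manpage does and does not say, for example that the option is described but the built-in server list is not named, so a reader can tell what the gap is. In the same added text, the "Issue categories" list uses bare labels ("cleartext", "TLS", "optin", "optout", "traceability") and "homephoning", which does not match the "Phone home" heading. A one-line definition per category and one spelling for the term would let the entries above be classified against it.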
Privacy issues in Debian packages
Phone home
- gnome-calculator - fetches currencies
- Firefox - multiple issues
- Chromium - phones home in various ways, e.g. Debian bug 792580, binary blob downloads, site engagement profiles, Google login tied-in with the browser
- basex - phones home to find out the latest version
Phone elsewhere
- systemd - uses Google DNS resolvers as internal default, not explicitly documented: see "FallbackDNS" in systemd-resolved manpage
Data sharing
- remmina - shares the clipboard with remote hosts over RDP by default
- pidgin - shares typing notifications with remote peers by default
Data storage
- web and other servers of various kinds default to logging information about requests over the network from external entities
Detection tools
- wireshark
- opensnitch
- nsntrace
Reports
- usertagged by pabs
- Debtags privacy facet
- lintian privacy-breach tags: generic, donation, facebook, google-adsense, google-cse, google-plus, logo, piwik, statistics-website, twitter, uses-embedded-file, w3c-valid-html
Issue categories
- logging & verbose logging
- homephoning without user consent
- cleartext
- TLS
- featurebug: when a bug is also a feature
- privacy defaults
- optin
- optout
- traceability
- no deletion of config files when uninstalling a package