13962
Comment: typo
|
14124
add a git-remote-bzr data leak
|
Deletions are marked like this. | Additions are marked like this. |
Line 152: | Line 152: |
* git-remote-bzr (all implementations) - leaks the local git branch name into the "branch nick" field of commits, which could get pushed to a remote repository |
Contents
Privacy issues in Debian packages
Phone home
There are some common categories of phoning home:
These packages either don't fit those categories or do lots of them and more:
gnome-calculator - fetches currencies
Firefox - multiple issues
Chromium - phones home in various ways, e.g. 792580, binary blob downloads, site engagement profiles, Google login tied-in with the browser
syncthing - data transfer volume, unique ID submission, version check and lots more, public data report
cura - phones home in various ways, patched out in Debian.
- azure-cli - collects "anonymous" telemetry by default
Phone elsewhere
Connectivity
Some services need to know when system is "online". Best practice is to only rely on system services, optionally coupled with distro-specific public service like network-manager-config-connectivity-debian . An antipattern is to hardcode probing of a public service.
Packages determining connectivity by probing Apple website and Google DNS resolvers:
Packages determining connectivity by probing Google DNS resolvers:
DNS
Many network protocols need a nameserver. Best practice is to only rely on user input or system resolver. An antipattern is to hardcode one or more nameservers, either exclusively or as internal default.
Packages using Cloudflare and Freenom and Google DNS resolvers by default:
Packages using Cloudflare and Google DNS resolvers by default:
systemd - see "FallbackDNS" in systemd-resolved manpage, 923081, patched in Debian
Packages using Cloudflare and Google and Qaud9 DNS resolvers by default:
Packages using Google DNS resolvers by default:
Packages using Google and UncensoredDNS DNS resolvers by default:
Packages using Google and 77.88.39.152 DNS resolvers by default:
ICE
WebRTC and SIP and similar protocols need a public-accessible TUN/STUN/TURN service across public networks. Best practice is to only rely on local configuration. an antipattern is to hardcode public STUN services, either exclusively or as internal default.
Packages using Ekiga STUN resolvers by default:
Packages using Ekiga and GNUnet and Mozilla STUN resolvers by default:
Packages using Ekiga and SIPgate and Stuntman and more STUN resolvers by default:
Packages using Ekiga and SIPphone and Google and Stuntman and Xten and more STUN resolvers by default:
Packages using Google STUN resolvers by default:
Packages using Google and Stuntman STUN resolvers by default:
Packages using SIPgate and SIPphone STUN resolvers by default:
Packages using SIPphone STUN resolvers by default:
Packages using Stuntman STUN resolvers by default:
Packages using Xten STUN resolvers by default:
Data sharing
- remmina - shares the clipboard with remote hosts over RDP by default
- pidgin - shares typing notifications with remote peers by default
- hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports
- git-remote-bzr (all implementations) - leaks the local git branch name into the "branch nick" field of commits, which could get pushed to a remote repository
Data storage
- web and other servers of various kinds default to logging information about requests over the network from external entities
Detection tools
Reports
lintian privacy-breach tags: generic donation facebook google-adsense google-cse google-plus logo piwik statistics-website twitter uses-embedded-file w3c-valid-html
Issue categories
logging & verbose logging
- homephoning without user consent
- cleartext
- TLS
- featurebug: when a bug is also a feature
- privacy defaults
- optin
- optout
- traceability
- no deletion of config files when uninstalling a package