bug-gettext

[bug #57847] Internet connection opened without user consent by msginit


From: Bruno Haible
Subject: [bug #57847] Internet connection opened without user consent by msginit
Date: Sun, 23 Feb 2020 13:20:24 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0

Update of bug #57847 (project gettext):

                Category:                    None => Translator tools       
                  Status:                    None => Not a Bug              
             Assigned to:                    None => haible                 
             Open/Closed:                    Open => Closed                 

    _______________________________________________________

Follow-up Comment #1:

Nearly no sensitive data is transmitted:
- It's a fixed URL,
- No personal data (user name, gettext domain, language, ...) is included.

Only the User-Agent string contains unnecessary data; for this I've filed a
bug report: bug #57884

See the attached files get-from-msginit-unencrypted-via-java.png and
get-from-msginit-unencrypted-via-wget.png.

Before release 0.20, msginit used http; since release 0.20 it uses https. In
this case, someone who snoops on the connection can only see a connection to
translationproject.org happening from a non-browser environment. Only the
translationproject.org site will get the User-Agent string information. But
translationproject.org is a site we trust (since it holds the PO files for the
packages).

I do agree that it is a good idea to ask the user before making internet
requests that contain the hash sums of media files (VLC or QNAP do this) or
other personal data. But here, no personal data is transferred.

Also the amount of data that is transmitted (in both directions) is small (<
50 KB) and therefore will not cause high costs over a mobile phone
connection.

Therefore, asking the user in this case would be overkill.

Paranoid people can disconnect their machine from the internet or install a
system-wide permission-to-connect system (pihole or such).

(file #48484, file #48485, file #48486)
    _______________________________________________________

Additional Item Attachment:

File name: get-from-msginit-unencrypted-via-java.png Size:25 KB
   
<https://savannah.gnu.org/file/get-from-msginit-unencrypted-via-java.png?file_id=48484>

File name: get-from-msginit-unencrypted-via-wget.png Size:23 KB
   
<https://savannah.gnu.org/file/get-from-msginit-unencrypted-via-wget.png?file_id=48485>

File name: get-from-msginit-encrypted.png Size:20 KB
   
<https://savannah.gnu.org/file/get-from-msginit-encrypted.png?file_id=48486>



    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?57847>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/



