[Dev] Potential privacy violation in connman connection manager

Luke Shumaker lukeshu at lukeshu.com
Sat Jun 17 06:08:08 GMT 2017


On Wed, 14 Jun 2017 18:00:38 -0400,
nospam at curso.re wrote:
> the connman[0] connection manager tries to detect whether an internet
> connection is available by installing a temporary route to
> ipv4.connman.net and ipv6.connman.net
> 
> This is documented in the README[1] and mentioned in the Arch wiki[2].
> 
> Although the official documentation claims that the remote servers do
> not log any connection information, nothing grants that this may change
> in the future.
> 
> It is possible, however, to disable the online checks with a
> configuration setting in /etc/connman/main.conf as shown below.
> 
> $ cat /etc/connman/main.conf
> [General]
> EnableOnlineCheck=false
> 
> Should Parabola ship a connman package with that setting since the
> default is to enable online checks?

It's a useful feature, and it does require a server-side.  That's
unavoidable if you want to implement the feature.  It isn't going
through your browser or leaking any data other than your IP.  The only
information being leaked is "someone is using connman 1.23 at IP
$XXXX".  That's not a notable privacy violation in my book.

I wouldn't be opposed to patching it to go to ipv{4,6}.parabola.nu or
something so that Parabola could ensure that the data isn't being
logged (the user would still need to trust us, but they're largely
doing that anyway by trusting our binaries).  But none of our servers
are IPv6 right now.  And I'm not really sure it's worth the effort,
given the tiny amount of information in the leak.

-- 
Happy hacking,
~ Luke Shumaker
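
An audit check for the setting discussed in this thread, added here as an example (not part of the original messages and not connman or Parabola code). It reports whether a given main.conf actually disables the online check. Assumptions: GLib-style key-file parsing where the last assignment wins, and only the value `false` shown in the thread counts as disabled; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report the effective EnableOnlineCheck state of a connman main.conf.
# Assumption: GLib-style key file ([Group] headers, key=value, lines starting with # are comments).

# Prints one of: "disabled", "enabled (explicit)", "enabled (default)".
connman_online_check_state() {
    conf=$1
    # No readable file means nothing overrides the default, which the thread says is enabled.
    [ -r "$conf" ] || { echo "enabled (default)"; return 0; }
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                            # group header: remember current section
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        section == "General" {                   # the key only counts inside [General]
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)     # tolerate spaces around key and value
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "EnableOnlineCheck") { found = 1; state = val }  # last one wins (assumed)
        }
        END {
            if (!found)                print "enabled (default)"
            else if (state == "false") print "disabled"
            else                       print "enabled (explicit)"
        }
    ' "$conf"
}

# Stand-alone use: check the path given as $1, or the path from the thread.
connman_online_check_state "${1:-/etc/connman/main.conf}"
```

A commented-out line, or the key placed under a section other than `[General]`, is reported as "enabled (default)", which is the case a quick `grep` for the key would miss.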


