Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 07 Oct 2014 12:33:14 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: Discussion: information leakage from server and client software -
 CVE/hardening/other?

So I was looking at Firefox and noticed on Fedora it has the Health
check and crash reporter enabled by default, meaning that if Fedora
crashes a bunch of information gets sent back to Mozilla (I assume), I
don't know if the UI/etc pops up and lets you see what is being sent and
so on, on RHEL the crash reporter appears to be disabled by default.

Also having looked at spamassassin (which has a component to retrieve
and update rules) and clamav (which has freshclam to update the AV DB)
both of these explicitly disable the updates, you must manually enable them.

Then I see this:
http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html
which is rather timely.

So we have a continuum, at one end we have programs that explicitly make
you configure them before they'll connect out, and on the other end we
have apps that connect out whether or not you want them to (and being
closed source on locked down hardware you probably have little to no
choice in the matter).

Additionally we have the type of information and expectations, e.g. if I
enable ntp or chrony I expect it to make outgoing connections to the NTP
servers, which may be semi random if using the ntp.org pool servers. If
I fire up a web browser and point it at openwall.com I expect traffic to
go there and any ad networks/etc, I may not be expecting it to send
random health reports somewhere.

So my question is basically this: where on this grey scale does it go
from mildly annoying to security vulnerability (and CVE worthy), the
main things being:

-what kind of information is leaked (e.g. PII? system config? just the
fact that you're asking what time it is?)
-assuming it makes these outgoing connections by default, how informed
are users, e.g. in firefox you get a brief one time warning you can look
at or does it maybe warnt he user, show them the info and then require
them to confirm sending it (e.g. sosreport).

Thanks in advance.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.