Block access to Google's servers #184

Closed
amilopowers opened this Issue Feb 12, 2016 · 6 comments

Comments

Projects
None yet
3 participants
@amilopowers

I saw in my log that CopperheadOS does connect to Google servers to check if it is behind a captive portal. I guess it does that at least every time it reconnects to a Wlan network.

02-12 15:09:54.588 4542 4919 D WifiCapabilities: Checking http://clients3.google.com/generate_204 to see if we're behind a captive portal

I propose to remove that (if possible) because it leaks information about me. Possibly there are other points where to OS connects to Google servers.

@amilopowers

This comment has been minimized.

Show comment Hide comment
@amilopowers

amilopowers Feb 12, 2016

And I think you should stop using Google's captcha service for your website and if there are other services like fonts and so on.

And I think you should stop using Google's captcha service for your website and if there are other services like fonts and so on.

@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Feb 12, 2016

Contributor

The site isn't going to stop using CloudFlare. It greatly reduces the number of requests and bandwidth used by the server, and it speeds up the site quite a bit via their many data centers around the world. We can't afford to replace it.

Contributor

thestinger commented Feb 12, 2016

The site isn't going to stop using CloudFlare. It greatly reduces the number of requests and bandwidth used by the server, and it speeds up the site quite a bit via their many data centers around the world. We can't afford to replace it.

@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Feb 12, 2016

Contributor

Not going to be blocking connections to Google in CopperheadOS either. People (rightfully) expect that kind of thing to work. We're aware of the default URL used to trigger provisioning. It could be replaced with a copperhead.co URL but it's not doing any kind of tracking, it just needs something to provide a 204 status code. In this case it wouldn't be that much pain to replace, but that's not universally true. What about time servers, which currently uses a public pool of servers usable for tracking?

Contributor

thestinger commented Feb 12, 2016

Not going to be blocking connections to Google in CopperheadOS either. People (rightfully) expect that kind of thing to work. We're aware of the default URL used to trigger provisioning. It could be replaced with a copperhead.co URL but it's not doing any kind of tracking, it just needs something to provide a 204 status code. In this case it wouldn't be that much pain to replace, but that's not universally true. What about time servers, which currently uses a public pool of servers usable for tracking?

@lbdroid

This comment has been minimized.

Show comment Hide comment
@lbdroid

lbdroid Feb 29, 2016

It might be a good idea to identify all of the points in the code where it is using various servers, and while leaving those as default values, provide an interface where they can all be changed from the defaults.

@amilopowers if you distrust google that much, consider a line in your hosts file redirecting google.com to 127.0.0.1.

lbdroid commented Feb 29, 2016

It might be a good idea to identify all of the points in the code where it is using various servers, and while leaving those as default values, provide an interface where they can all be changed from the defaults.

@amilopowers if you distrust google that much, consider a line in your hosts file redirecting google.com to 127.0.0.1.

@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Mar 1, 2016

Contributor

I'm not aware of any connection to Google in the base OS beyond the internet access check. There would be very little return from investing a bunch of time in making it configurable, exposing an IPC API and then making a UX to change it... it's also the kind of additional attack surface that we're not planning on adding without very good reasons to do it.

Contributor

thestinger commented Mar 1, 2016

I'm not aware of any connection to Google in the base OS beyond the internet access check. There would be very little return from investing a bunch of time in making it configurable, exposing an IPC API and then making a UX to change it... it's also the kind of additional attack surface that we're not planning on adding without very good reasons to do it.

@thestinger thestinger closed this Mar 1, 2016

@thestinger

This comment has been minimized.

Show comment Hide comment
@thestinger

thestinger Mar 1, 2016

Contributor

Not going to be blocking connections to Google, so this can be closed. Changing the internet access check / provisioning trigger URL can be a separate issue. Feel free to file bugs about specific issues like this but I don't want any meta bugs and I'm not aware of any other cases. See #194 for that HTTP GET request to check for internet access.

Contributor

thestinger commented Mar 1, 2016

Not going to be blocking connections to Google, so this can be closed. Changing the internet access check / provisioning trigger URL can be a separate issue. Feel free to file bugs about specific issues like this but I don't want any meta bugs and I'm not aware of any other cases. See #194 for that HTTP GET request to check for internet access.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment