Bug#843645: Username unconditionally checked
I have discussed with the team and we will be working on a patch.

Cheers,

--
Alexandre Viau
av...@debian.org
Bug#843645: Username unconditionally checked
Hi Alexandre,

On Tue, 8 Nov 2016 13:07:42 -0500 Alexandre Viau wrote:
> I don't think that this is a bug, unless you point me somewhere in the
> Debian Policy that states that this is indeed a bug.
>
> We want to make Ring as easy to use as possible for non-technical users,
> and choosing good defaults is important. This is why we check the box by
> default. We also think that looking up usernames as you type is much
> more user friendly.
>
> Please prove me wrong if I am and I will be happy to get this fixed.
>
> There is an ongoing effort to make privacy breaches a part of the Debian
> Policy here:
> - https://bugs.debian.org/726998
>
> However, this specific bug only talks about documentation.
>
> If this is indeed a bug, I would fix it by adding a configure flag to
> the gnome client that would allow changing the default state of the
> checkbox.
>
> I will wait a little bit for your answer, then I will mark this bug as
> wontfix and close it.

Easy and non-technical but secure? Hmm, it's something really hard to achieve, if even possible. There is always a trade-off, but if the Ring project emphasizes the convenience, then the security part might suffer...

As the user types? Exactly! But not picking the user's system name and sending it away without asking. So if you insist on leaving checking by typing, I'm fully OK with it. But never pick something (possibly private!) and send it away.

So a reasonable compromise would be to not set a name by default, but leave the field empty. By starting to type, the user is aware that this will be sent away. But until secured http gets set up, please add a warning that the name will be sent UNencrypted.

Regards,
Andrey
Bug#843645: Username unconditionally checked
I don't think that this is a bug, unless you point me somewhere in the Debian Policy that states that this is indeed a bug.

We want to make Ring as easy to use as possible for non-technical users, and choosing good defaults is important. This is why we check the box by default. We also think that looking up usernames as you type is much more user friendly.

Please prove me wrong if I am and I will be happy to get this fixed.

There is an ongoing effort to make privacy breaches a part of the Debian Policy here:
- https://bugs.debian.org/726998

However, this specific bug only talks about documentation.

If this is indeed a bug, I would fix it by adding a configure flag to the gnome client that would allow changing the default state of the checkbox.

I will wait a little bit for your answer, then I will mark this bug as wontfix and close it.

Cheers,

--
Alexandre Viau
av...@debian.org
Bug#843645: Username unconditionally checked
Source: ring
Version: 20161104.4.17a0616~dfsg1-2
Severity: important

Dear maintainer,

by clicking on "Create Ring Account" the system account username is automatically checked for availability. In this window there is no statement that this is performed locally and nothing is sent away, thus it is a security leak. And indeed, wireshark reveals that the check is a simple (not even encrypted) HTTP GET request, e.g.

http://ns.ring.cx/name/123

Hopefully, Savoir-faire Linux will set up https soon?

Please, disable this check for now. For a real fix, I'd suggest introducing a button ("check now") instead. Additionally, a key press handler should be registered for the TextEntry widget in order to quickly check the name (typed/enter/altered/enter/altered/enter/...).

Thanks,
Andrey