[akregator] [Bug 391865] New: Akregator allows feeds to gather data on article reading habits
Jaak Ristioja
bugzilla_noreply at kde.org
Wed Mar 14 20:50:34 GMT 2018
https://bugs.kde.org/show_bug.cgi?id=391865
Bug ID: 391865
Summary: Akregator allows feeds to gather data on article
reading habits
Product: akregator
Version: 5.5.3
Platform: Ubuntu Packages
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: general
Assignee: kdepim-bugs at kde.org
Reporter: jaak at ristioja.ee
Target Milestone: ---
Created attachment 111403
--> https://bugs.kde.org/attachment.cgi?id=111403&action=edit
Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar
situation.
I'm filing a new bug as instructed in
https://bugs.kde.org/show_bug.cgi?id=229989#c2 and
https://bugs.kde.org/show_bug.cgi?id=229989#c3 since this still occurs in
recent versions of Akregator.

When opening an article, Akregator automatically downloads all requisites found
in the <description> (e.g. if images etc. are specified in HTML; perhaps even
Flash or AJAX?). Generally this generates extra HTTP(S) requests to remote
server(s), leaking information about the user's activities, i.e. which articles
they browse, and possibly info about how long they read an article before
switching to another article, etc.

The man in the middle, even when the user is using HTTPS, has quite good
chances to figure out the exact articles being read (given he can determine the
endpoint of the HTTPS connection), which are probabilistically among those new
articles which the user has not previously read.

Hopefully it will be configurable per-feed, whether such requisites are
downloaded or not, and with an action somewhere to force download of requisites
of the article currently open.

Please fix these privacy leaks!

Mozilla Thunderbird, for example, handles such e-mails with remote content much
better, by prompting the user about whether to download remote content or not
(see attached screenshot). This is also what Akregator could do on a per-feed
basis. An "always show remote content" checkbox could also be added to the feed
properties dialog.
--
You are receiving this mail because:
You are the assignee for the bug.
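
The per-feed "block remote content unless allowed" behaviour requested in the report above, as an added example (not Akregator's code and not part of the original report). `render_description`, `allow_remote`, the tag table and the sample host are assumptions made for illustration; only URL-bearing attributes are handled, not CSS or inline script.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes a renderer fetches without user action (not exhaustive).
AUTOLOAD = {"img": {"src", "srcset"}, "source": {"src", "srcset"},
            "script": {"src"}, "iframe": {"src"}, "embed": {"src"},
            "object": {"data"}, "video": {"src", "poster"}, "link": {"href"}}

# Constructed sample <description> body; tracker.example is a placeholder host.
SAMPLE = ('<p>Story text &amp; more</p>'
          '<img src="https://tracker.example/open.gif?item=42" width="1">'
          '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">')

def fetch_targets(attr, value):
    # URLs rendering would request: srcset holds several; data: URIs need none,
    # and relative URLs resolve against the (remote) feed base, so they count.
    parts = value.split(",") if attr == "srcset" else [value]
    urls = [p.split()[0] for p in parts if p.strip()]
    return [u for u in urls if urlsplit(u).scheme.lower() != "data"]

class RemoteContentBlocker(HTMLParser):
    def __init__(self, allow_remote=False):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.allow_remote, self.out, self.blocked = allow_remote, [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            hits = name in AUTOLOAD.get(tag, ()) and fetch_targets(name, value or "")
            if hits and not self.allow_remote:
                self.blocked += hits  # record what was withheld, for a prompt
                continue
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img/>: emit once, no closing tag

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def render_description(description_html, allow_remote=False):
    """Return (html_to_display, withheld_urls) for one feed item."""
    p = RemoteContentBlocker(allow_remote)
    p.feed(description_html)
    p.close()  # flush text buffered after the last tag
    return "".join(p.out), p.blocked
```

The withheld list is what a "show remote content" prompt would offer to load; calling with `allow_remote=True` corresponds to the per-feed checkbox the report proposes.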