weixin_39731107
2021-01-06 06:30

OsMo plugin communicates via cleartext HTTP

When sharing the seemingly-otherwise-private code for location tracking to another user via SMS, a URI with HTTP scheme (cleartext; without SSL) is generated for a resource at z.osmo.mobi.

Information about users' locations should be encrypted in transit. If this is not feasible, they should be warned that the information will be communicated in an insecure manner.
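A defender-side check for the defect this issue reports, added here as an example and not part of the issue or of OsmAnd's code: it flags generated share links whose private code would travel over a cleartext scheme and upgrades http links to https. The host z.osmo.mobi is from the issue; the path shape and the EXAMPLECODE values are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Host named in the issue; the path-carries-the-code shape is a constructed assumption.
SHARE_HOST = "z.osmo.mobi"
CLEARTEXT_SCHEMES = {"http", "ws", "ftp"}


def audit_share_uri(uri: str) -> dict:
    """Classify one generated share link: does the private code travel in the clear?"""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    code = parts.path.strip("/")
    cleartext = parts.scheme.lower() in CLEARTEXT_SCHEMES
    return {
        "host": host,
        "code": code,
        "cleartext": cleartext,
        # The finding from the issue: a private tracking code sent without TLS.
        "exposes_code": cleartext and bool(code),
        "unexpected_host": host != SHARE_HOST,
    }


def enforce_https(uri: str) -> str:
    """Rewrite an http share link to https; refuse to guess at any other scheme."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return uri
    if scheme != "http":
        raise ValueError(f"refusing to upgrade unknown scheme {scheme!r}")
    # Drop an explicit :80, which would be wrong once the scheme is https.
    netloc = parts.hostname if parts.port == 80 else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed sample links of the shape the issue describes (codes are placeholders).
SAMPLE_LINKS = [
    "http://z.osmo.mobi/EXAMPLECODE1",
    "https://z.osmo.mobi/EXAMPLECODE2",
    "http://example.invalid/EXAMPLECODE3",
]


def findings(links=SAMPLE_LINKS) -> list:
    """Return the links a reviewer should act on: cleartext code or an unexpected host."""
    return [uri for uri in links
            if (report := audit_share_uri(uri))["exposes_code"] or report["unexpected_host"]]
```

Run `findings()` over the links a build actually emits, and pass each hit through `enforce_https()` before it reaches the SMS composer.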

This question comes from the open-source project: osmandapp/OsmAnd


20 replies

  • weixin_39519769 4 months ago

    http://osmo.mobi/privacy

  • weixin_39731107 4 months ago

    That's it? Buried in your privacy policy is a warning to users, so they can suck it, you won't fix this?

  • weixin_39670441 4 months ago

    That's mainly a question for the OsMo service, but we have plans to do something in that area for private servers. Anyway, there is no privacy question in using the HTTP protocol. It was and still is used widely on the internet; why don't we talk about privacy in browsers?

  • weixin_39813574 4 months ago

    I guess the best solution is to inform users. There should be a note in settings informing the user that this feature uses 3rd-party servers (unrelated to Osmand) and that there are privacy issues to consider (which may or may not be important to the user).

    Just put it as the first line in the OsMo settings screen, which will open an explanation (with a note about the unencrypted connection) with a few links (service homepage and privacy policy).

    The point of this is to inform the user about the tool she is using, not to discredit OsMo.

  • weixin_39731107 4 months ago

    , developer of software that tracks people's locations and reports them to a third party, wrote:

    there is no privacy question in using the HTTP protocol. It was and still is used widely on the internet.

    I am at a loss for words.

    The OsMo privacy policy--which is not presented to users before they enable this feature in Osmand--now states:

    This document is intended to clarify questions regarding the privacy of your data while working with our service.

    The service is now in beta, because all data transmitted to our server is in the clear and in theory can be easily intercepted. However, these figures are faceless figures that say nothing about the owner. For example "T | 59.21415:30.21155:35:2:4". It is not possible to understand from them who you are.

    After the end of the beta test, we will obfuscate and SSL-encrypt traffic for your peace of mind, but for now using the service is quite safe.

  • weixin_39813574 4 months ago

    It looks like they do not realize that the coordinates are linked to the user's IP address, and it is not that hard to link the user's IP address to the user's identity by cross-referencing with some other service.

  • weixin_39670441 4 months ago

    I think the solution indeed is to put a link for the OsMo plugin and show a dialog in which the user accepts the policy of the web service. It would be good to understand what the threat to protect from is. Lots of web sites use HTTP and they have more confidential information than just locations. If you use your private network like the phone, which is the main use case, you have nothing to worry about. Your location is anyway known to your mobile provider.

  • weixin_39731107 4 months ago

    Osmand should, prior to the user enabling this feature, very clearly inform him or her that: 1. The OsMo plugin will send location information not only to other Osmand users as directed, but to a third party--the maintainers of OsMo. 2. This information will be sent in cleartext, visible to any party in between the first user, OsMo, and the second user, and thus will almost certainly be archived by the NSA and other nations' spy agencies.

  • weixin_39791446 4 months ago

    Hi all

    I am just following this conversation and it is becoming more and more interesting.

    As for me, once you have any mobile device in your hand and it is connected to the Internet via any provider like Google, Apple, Amazon or other, it will send out your information, and that information can be captured or provided by your provider upon request by any secret special agency, regardless of whether it is communicating via HTTP or HTTPS.

    Facebook is the biggest location provider as it puts location information almost everywhere by default, and you need to uncheck that option if you don't want to be tracked.

    For me, if you don't want to provide your location, do not enable the OsMo plugin.

    If you would like to use it, consider that it is beta and people are working to make it awesome.

    And it is a free service. If you have some spare money to support people, it is up to you.

    Personally I am happy with this functionality as it works and does the job!

    Regards, Areg

  • weixin_39813574 4 months ago

    : Google, Apple, Amazon and Facebook are not Internet providers and your phone does not have to communicate with them at all. And everything except Google Play is very easy to eliminate.

  • weixin_39791446 4 months ago

    : Same for the OsMo plugin - if you don't want to allow your device to communicate with the internet and send out data, disable it!

    It is the user's choice.

    As I already said, the service is in active development on a free basis, so people are doing what they can.

    Regards, Areg

  • weixin_39813574 4 months ago

    Don't get me wrong, it is not about not communicating. It is about keeping private data private and sending selected data to designated recipients only. Facebook failed both of these requirements. OsMo is good at selecting data; now it needs to achieve the other part.

  • weixin_39519769 4 months ago

    Osmo did not have to! :)

    The key point is that by using the service, you must take care yourself of reading the privacy policy and terms of use - this is the international norm.

    And as was correctly noted, the plugin is not enabled by default, and even activating it does not begin to send the coordinates, only when required by the user (by clicking on the relevant button).

  • weixin_39731107 4 months ago

    The "international norm" has left us in a situation whereby governments can and do perform dragnet surveillance on entire populations. It is irresponsible to communicate users' information via cleartext HTTP.

  • weixin_39519769 4 months ago

    Nobody forces you to use the service, which is provided "as is". You can create your own with Blackjack and girls :) And we'll write a review :)

    PS: in more than two years of service, this is the first time I have met a few !!! people who are so afraid of big brother and personal surveillance. It may hurt you, but nobody cares about your location ...

  • weixin_39813574 4 months ago

    Most people do not understand what is happening under the hood and thus they do not know they should care about their privacy, or they incorrectly think it is safe because it asks for a password (or something).

  • weixin_39519769 4 months ago

    There can be a long dream, but I do not see the point of this discussion. GPS monitoring of the word implies the rejection of privacy, although the coordinates, but some privacy ... Have a nice day! :)

  • weixin_39702335 4 months ago

    Does this happen over HTTPS now? Since the OsMo site uses Let's Encrypt, it seems the devs are aware of that issue.

    People defending plaintext data transfer ITT are not that smart…

  • weixin_39519769 4 months ago

    The OsMo plugin has been removed from future OsmAnd releases.

  • weixin_39519769 4 months ago

    It will be set out in the privacy policy on the site. The system is still in beta and not all information is available. Naturally, when using these services, it should be understood that the coordinates (even encrypted) can be intercepted.
