[Bug 1739838] [NEW] geoip.ubuntu.com should use HTTPS
Ryan Finnie
ryan.finnie at canonical.com
Fri Dec 22 22:34:18 UTC 2017
Public bug reported:
geoip.ubuntu.com allows for HTTPS now; tzsetup/geoip_server should use
https://geoip.ubuntu.com/lookup to prevent MITM location information
disclosure.
A complication is the d-i server variant (possibly others, but not e.g.
desktop LiveCD) do not appear to have a certificate store, so wget will
fail against this. I *think* pulling in ca-certificates-udeb would
solve this, but I haven't been able to test.
Note also that ubiquity uses geoname-lookup for city searching; that is
covered by https://code.launchpad.net/~fo0bar/ubiquity/geoname-use-
https/+merge/335568 .
** Affects: tzsetup (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to tzsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1739838
Title:
geoip.ubuntu.com should use HTTPS
Status in tzsetup package in Ubuntu:
New
Bug description:
geoip.ubuntu.com allows for HTTPS now; tzsetup/geoip_server should use
https://geoip.ubuntu.com/lookup to prevent MITM location information
disclosure.
A complication is the d-i server variant (possibly others, but not
e.g. desktop LiveCD) do not appear to have a certificate store, so
wget will fail against this. I *think* pulling in ca-certificates-
udeb would solve this, but I haven't been able to test.
Note also that ubiquity uses geoname-lookup for city searching; that
is covered by https://code.launchpad.net/~fo0bar/ubiquity/geoname-use-
https/+merge/335568 .
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tzsetup/+bug/1739838/+subscriptions
More information about the foundations-bugs
mailing list