Ideas for the privacy campaign
Contents
-
Ideas for the privacy campaign
- application containment
- enhanced disk encryption support
- Tor integration
- Privacy Policies
- user control over diagnostic reporting features
- robust VPN routing
- application integration with system-wide privacy settings
- controls for how GNOME devices are identified on local networks
- Web, the GNOME browser
- OTR support for Empathy/Telepathy
- improve GPG user experience
- GNOME Keysign
- Good crypto UX
- GNOME Bitcoin Wallet
- Disable USB on lockscreen
- Protect users from rogue USB drives
- fix core libraries
- Harden Tracker to prevent it from leaking any data
- Factory reset
- Secure application password storage
- Last login notification
- Presentation mode
- Guest windows in Web
- seahorse update/redesign
- GLib TLS security
- libsoup HTTPS security
- Port GRegex to PCRE2
- More static analysis tools for C/GObject
The GNOME Foundation ran a campaign to raise funds to implement privacy features within GNOME. Some of those features will need to be implemented by professional contractors, upstream developers on a number of projects, community members, or the participants in one of our integration programmes.
On 14 August 2016, a session was held on this topic at GUADEC.
application containment
- How does this overlap with the systemd containment work?
enhanced disk encryption support
There is a Google Summer of Code project that matches some of the requirements. It doesn't allow full disk encryption.
Major distros already make it very easy to select full disk encryption during installation. I'm not sure what else needs done here? (-- MichaelCatanzaro 2014-09-18 13:55:00)
Almost all major distros support full disk encryption already. Home directory encryption is a step backwards. (-- MichaelCatanzaro, August 2016)
Tor integration
Discussion started with some comments in this Privacy settings bug.
See this NetworkManager bug.
It would probably be easy to do this unsafely, but to do it safely would likely require hiring an experienced Tor developer. This does not seem realistic for us. (-- MichaelCatanzaro, August 2016)
Privacy Policies
- For the desktop and the third-party services we use
- For the services we run (git, mail, bugzilla, etc.)
user control over diagnostic reporting features
I don't understand this item (-- BastienNocera 2013-07-31 13:20:36)
I think the intent behind this item is to give the user control over Apport/ABRT bug reports, e.g. through a switch in the privacy panel. That's low-hanging fruit; we should do something bigger with these funds. (-- MichaelCatanzaro 2014-09-18 13:55:00)
robust VPN routing
Always-on VPN (there can be dire consequences if public IP is revealed) NetworkManager bug 656215 -- HashemNasarat 2013-08-04 16:47:30
Needs more details (-- BastienNocera 2013-07-31 13:20:36)
application integration with system-wide privacy settings
Needs more details (-- BastienNocera 2013-07-31 13:20:36)
controls for how GNOME devices are identified on local networks
Done in GNOME 3.10?
Web, the GNOME browser
All these suggestions are obsolete. Our GLib and libsoup security issues are more important than anything we can change in Epiphany. -- (MichaelCatanzaro, August 2016)
SSL/TLS in Epiphany is ineffective and unsafe (-- MichaelCatanzaro)
The serious SSL problems are already fixed. Enhancements like HSTS remain, but seem less interesting than other ideas on this page, e.g. OTR. (-- MichaelCatanzaro 2014-09-18 13:55:00)
- Anti-phishing features/anti-malware features?
Anti-tracking with EasyPrivacy (since Web already knows how to read EasyList) (-- MichaelCatanzaro)
Anti-fishing, anti-malware, and anti-tracking can all be handled by the adblocker using filters from EasyList. Easy to implement. Not worth spending money on. (-- MichaelCatanzaro 2014-09-18 13:55:00)
FOSS Version of startpage search engine
The FOSS search engine idea has no practical advantage over DuckDuckGo and would require a large budget to maintain going forward. (-- MichaelCatanzaro 2014-09-18 13:55:00)
OTR support for Empathy/Telepathy
- off the record messaging
General feeling is that Telepathy is dead and not worth spending money on. (-- MichaelCatanzaro, August 2016)
improve GPG user experience
- Key creation, sharing
- Encrypted email sending
Tool to understand/visualize Web of Trust? -- HashemNasarat 2013-08-04 16:47:30
GPG's future is not looking bright. Maybe not a good investment at this point. But email is very important and Google and Yahoo do seem to be leaning towards GPG.... (-- MichaelCatanzaro 2014-09-18 13:55:00)
Michael is interested in GPG usability improvements, but opposed to spending money on Evolution. If we are going to improve a mail client, it should be Geary. (-- MichaelCatanzaro, August 2016)
GNOME Keysign
(proposed by TobiasMueller)
A successful Summer of Code project made an OpenPGP Keysigning tool happen. Code is currently hosted at https://github.com/muelli/geysigning for now, but should change once a few releases were made, so expect that link to become defunct. The project's wiki page is GnomeKeysign.
Signing another person's key is one of the first steps when trying to communicate securely (after generating a key, see proposal above). For now, signing someone's keys and following best practices is tedious and error-prone. The tool helps to make that a much more pleasant experience.
Good enhancements to the existing implementation would be:
- Show the number of available signers
- Automatically recognise a manually entered fingerprint
- Also operate in non-GUI mode, i.e. be able to sign a key from a file
- make the camera selection much more robust, i.e. support multiple cameras, allow selection
- allow images to be used, instead of a camera; bulk scan a folder
- cater for UIDs with XMPP addresses
* Michael thinks we won't want to have this installed by default, so the benefit will be quite limited. Would prefer to merge these features into an existing application (Geary? seahorse?) (-- MichaelCatanzaro, August 2016)
Good crypto UX
Make crypto usable by non-technical users:
- Nice UI or make it completely transparent wherever it's applied (OTR, Evolution, cloud services, ...)
- No scary technical messages.
- Should just work or be as easy as possible (for example looking at the OTR support of Pidgin for example which is quite annoying - telepathy/empathy should do better.)
GNOME Bitcoin Wallet
A bitcoin wallet with a GNOME look and feel -- HashemNasarat 2013-08-05 17:39:29
Not a bad idea, but this isn't as important as chat or email encryption. (-- MichaelCatanzaro 2014-09-18 13:55:00)
Disable USB on lockscreen
(proposed by TobiasMueller)
USB offers a large attack surface. We could reduce the risk of malicious USB devices by telling Linux to not accept new USB devices if the screen is locked. A reference is here: http://seclists.org/oss-sec/2014/q3/329
Protect users from rogue USB drives
(proposed by MichaelCatanzaro)
Along the lines of the proposal above: nowadays a malicious USB storage device will identify itself as a keyboard or network device or a USB hub to the operating system. I wonder if it would be feasible to protect users against this, e.g. by popping up a dialog with a big picture of a storage drive opposite an image of the other device and asking "What did you plug in?" E.g. see https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe for a readily-available Flash drive that identifies as a keyboard.
fix core libraries
(proposed by TobiasMueller)
Currently, we have known issues in several libraries which I consider to be "core" of GNOME and the wider ecosystem, which are very likely security relevant (think integer or buffer overflows in poppler or librsvg). Interest in maintaining these libraries or fixing those specific issues seems to have waned and the problems to solve are not easy. I can share details on request. We could attempt to bring people knowledgeable in these libraries and security people together to get some problems fixed.
Harden Tracker to prevent it from leaking any data
See https://bugzilla.gnome.org/show_bug.cgi?id=735406
Factory reset
Add a factory reset option to the control center, which would allow users to delete all data, apps and settings, and restore the machine to its original state.
This is useful for protecting your privacy when passing a computer you have used on to another person or organisation.
Secure application password storage
(proposed by AllanDay)
As described by Stef, during his 2013 GUADEC Lecture (from slide 37):
http://www.superlectures.com/guadec2013/more-secure-with-less-security
Last login notification
(proposed by AllanDay)
Add an option to show the time of the last login in a notification when the user logs in/unlocks.
Presentation mode
(proposed by AllanDay)
This feature would allow displays that are being used for presentations (such as projectors) to be specified by the user. These presentation displays would then be treated differently:
- Screen edges wouldn't be joined
- A generic, depersonalised wallpaper would be used
- Presentation displays would be advertised to applications as the destination for content. The most obvious of these would be for presentation software, but it could also include browsers ("show page on...") or the Videos app ("play on...").
This feature will avoid the many privacy issues associated with giving presentations (particularly if those presentations are being streamed live). Personal wallpapers (such as those showing your kids) wouldn't be displayed publicly, and you wouldn't risk leaking personal information to the room, such as when typing into the URL bar in your browser.
Guest windows in Web
(proposed by AllanDay)
It is quite common for someone to ask to use your web browser for a second, either to check their mail or check a website. This can be an inadvertent threat to your privacy - entering an URL displays parts of your browsing history. Guest windows would solve this - these windows would not use your stored history, passwords, bookmarks or other data.
Note this feature already exists (incognito mode), we would just need to think about rebranding it (-- MichaelCatanzaro, August 2016)
Not the same thing. Incognito mode doesn't save to your history, but if you start typing you'd still get suggestions from your previous history. Guest mode would show your history, thus not leaking private info to your guests. -- AlexandreFranke
- OK, it's not the same thing. It's already implemented in any case, but only available via command line (use -p), so just requires UI design. -- Michael
seahorse update/redesign
Lots of interest in this. Daiki interested in continuing work on it regardless, probably does not require funds. (-- MichaelCatanzaro, August 2016)
GLib TLS security
(proposed by MichaelCatanzaro)
- Block connections with non-root SHA-1 certificates (mcatanzaro considers this urgent priority)
- API to allow applications to detect less-secure TLS certificates/connections without blocking them (bgo#745637)
- Support certificate revocation (bgo#636573)
libsoup HTTPS security
(proposed by MichaelCatanzaro)
- HSTS (HTTP strict transport security, mcatanzaro considers this high priority) (bgo#767160)
- HPKP (HTTP public key pinning)
- certificate transparency (reject certificates not on audit log)
Port GRegex to PCRE2
(proposed by SébastienWilmet)
PCRE is deprecated in favour of a new API called PCRE2. The old PCRE will only receive sporadic bugfix releases for some time.
755693 - future of GRegex (solution B). Exposing the JIT functionality is a plus.
Interested and available developer for the task: SébastienWilmet
More static analysis tools for C/GObject
(proposed by SébastienWilmet)
Develop more static analysis tools for C/GObject, for example in Tartan.
Example: check that GObject signal callbacks have a good prototype.
Interested and available developer for the task: SébastienWilmet