[Bug 811729] New: What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?

older
[Bug 858675] New: firefox, kwallet...

bugzilla_noreply＠novell.com

26 Mar 2013 26 Mar '13

12:09

https://bugzilla.novell.com/show_bug.cgi?id=811729 https://bugzilla.novell.com/show_bug.cgi?id=811729#c0 Summary: What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ? Classification: openSUSE Product: openSUSE 12.2 Version: Final Platform: x86-64 OS/Version: openSUSE 12.2 Status: NEW Severity: Normal Priority: P5 - None Component: Other AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: tdh@thetdh.com QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Network 123.112.0.0/255.240.0.0 appears to belong to Communist China. Reproducible: Always Steps to Reproduce: 1. log in and open an xterm window 2. wait a little, perhaps run Firefox 3. run netstat -t -p -n Actual Results: I see an attempted "HTTP" connection (SYN_SENT, CLOSE_WAIT), after I router-firewalled the address off; previously, I saw an open connection. It seems that interference with the movement of my mouse has lessened after the firewall update. Expected Results: I don't expect to see connections that I don't control, especially to a bellicose country involved in intensive espionage. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

26 Mar 26 Mar

15:48

New subject: [Bug 811729] What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?

https://bugzilla.novell.com/show_bug.cgi?id=811729 https://bugzilla.novell.com/show_bug.cgi?id=811729#c1 Weng Xuetian changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wengxt@gmail.com --- Comment #1 from Weng Xuetian 2013-03-26 15:48:42 UTC --- Hi, I'm fcitx upstream developer. I think you have fcitx-cloudpinyin installed. (it's a separated, optional package) While it can largely improve the user experience when using Chinese, potential privacy problem also described here. https://fcitx-im.org/wiki/Cloudpinyin I think no distro ship that by default, and they shouldn't in order to protect the privacy, though I don't use opensuse so I'm not sure. You'd better check your package install history to see if it's installed by you, or by openSUSE. If it's later case, I think you should open a new report to openSUSE. But if you choose to install that by yourself, it's up to you right? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

17:21

New subject: [Bug 811729] What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?

https://bugzilla.novell.com/show_bug.cgi?id=811729 https://bugzilla.novell.com/show_bug.cgi?id=811729#c2 Marguerite Su changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |i@marguerite.su --- Comment #2 from Marguerite Su 2013-03-26 17:21:13 UTC --- Hi, there. I'm fcitx packager for openSUSE. 0. I explained it in #opensuse-factory just the day after 12.2 release to a curious foreign people. It means this is a public acceptable affair. 1. It's not installed by default for all. Provides: locale(fcitx:zh_CN;zh_SG) Here's what we've done. This code means: if you set your lang to zh_CN and zh_SG during the installation, it will be installed by default. The only usage of it is to include this package in our DVD/Live CD ISO, because there's no manual pick-up logic in openSUSE. 2. About The IP. Literally it's not _Communist_ China. It's just China. I think personally you owe me an apology. It hurts. If it's _Communist_ China, why you chose to learn Chinese? I'm born to be a Chinese, I have no choice. But why you? It's so rediculous, if I'm devil just because I'm posting using a Chinese IP, oh my, devils never sacrifice for open source communities, they just eat'em. If you judge things with prejudice, then sorry I can't help you at all. 2.1 It's a Pinyin server, and by its name, you'll know it means `pinyin on the cloud`. It's a Pinyin server provided Tencent/Sougou/Google to do things below: You input Chinese, right? like "woshimarguerite". Then it'll send this string to the servers, the servers will return you: "我是marguerite",”卧室marguerite"....and many. If people using this service select "我是marguerite" most, Then the server will memorize "oh, it's the most popular". Next time when you input the same string, it'll return the most popular one, which maybe just what you want. It's a probability game. That's how it works. Because Chinese is a "one to many" language, "woshimarguerite" can match too many things. How many? 15! = 1307674368000 (I'm not good at math) And it's just a very small Chinese sentence, with only 2 Chinese word + 1 English word. So do you think the Chinese server can monitor all such things all over the world? 2.2 The server only store such strings and the actual Chinese word. And the server locates in China. So basically it means: If it hosts the sensitive actual Chinese word, it'll be offline immediately. You can't even use it. So if there's no sensitive words on that server? how does it know that you input one of them? So it's not technically possible. 2.3 Google is an American company. Tecent is a Chinese company listed on NSDAQ. 3. About the usage As reasons above, and this: It's installed by default for Chinese people, what's wrong if you are in China and visit a Chinese server? Marguerite -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

17:39

New subject: [Bug 811729] What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?

https://bugzilla.novell.com/show_bug.cgi?id=811729 https://bugzilla.novell.com/show_bug.cgi?id=811729#c3 --- Comment #3 from Weng Xuetian 2013-03-26 17:39:34 UTC --- No, there are some problems about install it by default. 1. Privacy Though, it really help user to typing Chinese a lot (Even I use it everyday), it should not be installed by default. The reason is in that way this package will send your typing data (in the same meaning of you search on google and google learn from your search keyword) to the cloudpinyin provider, though, there is no cookie, no session, but still you ARE sending the data to some company. If people install it by hand, they will need to response to themselves, but opensuse install such thing by default, the Responsibility is on opensuse side, which will harm the image of opensuse. 2. If we really leave the privacy aside, and say I really don't care that much since there are already thousands of millions of people using it everyday (The default provider develop one of the most popular windows chinese input method, on windows and with such function built in). But, another problem is the security of such http request, as I described in wiki page. If you really want to install it by default (Even only for Chinese locale), please patch it to use Google backend by default. Only Google backend provides SSL link, which could avoid leaking message by sniffer like attack. I don't want to use Google by default since Google is kinds of blocked by Chinese GFW and that may harm the functionality of this package for most people who need it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18:15

New subject: [Bug 811729] What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?

https://bugzilla.novell.com/show_bug.cgi?id=811729 https://bugzilla.novell.com/show_bug.cgi?id=811729#c4 --- Comment #4 from Marguerite Su 2013-03-26 18:15:36 UTC --- Hi, 1. People have it installed by default have already known that it will send data to Internet servers from day one. Actually it's their request that push you develop it. That's why there's no bug reports and critiques from them. It's common knowledge among them. Since it satisifies people and there's no legal affair in it, It's acceptable from openSUSE side. To those who install it manually, it's your responsiblity to warn them(although I can't see any advantage of doing this). not our side. 2. Even not all websites are in HTTPS. I can't see the advantage to use Google by default. It's not technically possible to sniffer all the people. So how can the cracker pick you as a pity example ? Even if the cracker picks you as his target: * He can't hack your system. there's no system weakness at all. * He can't get what you're trying to say. because: ** He can only get the raw string and the return word, he has a lot of probability to guess, and even if he's right, he can't even know if the "right" word is the one you want. ** He can only get some strings in the sentence. Not all strings are sent to the servers. it's based on length. Basically it means it's not technically possible to get your mind. I can't see any possibility to take so much efforts to do such an useless thing. He can just sniffer your page visiting activites and easily get the correct word you type. So in my point of view, It's a non-existent bug. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.