[Bug 811729] New: What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?
https://bugzilla.novell.com/show_bug.cgi?id=811729

https://bugzilla.novell.com/show_bug.cgi?id=811729#c0

Summary: What is fcitx doing opening and maintaining a TCP connection to 123.126.68.165 ?
Classification: openSUSE
Product: openSUSE 12.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: tdh@thetdh.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0

Network 123.112.0.0/255.240.0.0 appears to belong to Communist China.

Reproducible: Always

Steps to Reproduce:
1. log in and open an xterm window
2. wait a little, perhaps run Firefox
3. run netstat -t -p -n

Actual Results:
I see an attempted "HTTP" connection (SYN_SENT, CLOSE_WAIT), after I router-firewalled the address off; previously, I saw an open connection. It seems that interference with the movement of my mouse has lessened after the firewall update.

Expected Results:
I don't expect to see connections that I don't control, especially to a bellicose country involved in intensive espionage.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c1

Weng Xuetian <wengxt@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wengxt@gmail.com

--- Comment #1 from Weng Xuetian <wengxt@gmail.com> 2013-03-26 15:48:42 UTC ---

Hi, I'm the fcitx upstream developer.

I think you have fcitx-cloudpinyin installed (it's a separate, optional package).

While it can largely improve the user experience when using Chinese, a potential privacy problem is also described here:
https://fcitx-im.org/wiki/Cloudpinyin

I think no distro ships that by default, and they shouldn't, in order to protect privacy, though I don't use openSUSE so I'm not sure.

You'd better check your package install history to see if it was installed by you or by openSUSE. If it's the latter case, I think you should open a new report to openSUSE. But if you choose to install that by yourself, it's up to you, right?

https://bugzilla.novell.com/show_bug.cgi?id=811729#c2

Marguerite Su <i@marguerite.su> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |i@marguerite.su

--- Comment #2 from Marguerite Su <i@marguerite.su> 2013-03-26 17:21:13 UTC ---

Hi, there. I'm the fcitx packager for openSUSE.

0. I explained it in #opensuse-factory just the day after the 12.2 release to a curious foreign person. It means this is a publicly acceptable affair.

1. It's not installed by default for all.

Provides: locale(fcitx:zh_CN;zh_SG)

Here's what we've done. This code means: if you set your lang to zh_CN or zh_SG during the installation, it will be installed by default. The only usage of it is to include this package in our DVD/Live CD ISO, because there's no manual pick-up logic in openSUSE.

2. About the IP.

Literally it's not _Communist_ China. It's just China. I think personally you owe me an apology. It hurts. If it's _Communist_ China, why did you choose to learn Chinese? I'm born to be a Chinese, I have no choice. But why you? It's so ridiculous, if I'm a devil just because I'm posting using a Chinese IP, oh my, devils never sacrifice for open source communities, they just eat'em. If you judge things with prejudice, then sorry I can't help you at all.

2.1 It's a Pinyin server, and by its name, you'll know it means `pinyin on the cloud`.

It's a Pinyin server provided by Tencent/Sogou/Google to do the things below:

You input Chinese, right? Like "woshimarguerite". Then it'll send this string to the servers, and the servers will return you: "我是marguerite", "卧室marguerite"... and many. If people using this service select "我是marguerite" most, then the server will memorize "oh, it's the most popular". Next time when you input the same string, it'll return the most popular one, which may be just what you want. It's a probability game. That's how it works.

Because Chinese is a "one to many" language, "woshimarguerite" can match too many things. How many? 15! = 1307674368000 (I'm not good at math). And it's just a very small Chinese sentence, with only 2 Chinese words + 1 English word. So do you think the Chinese server can monitor all such things all over the world?

2.2 The server only stores such strings and the actual Chinese word. And the server is located in China. So basically it means: if it hosts the sensitive actual Chinese word, it'll be offline immediately. You can't even use it. So if there are no sensitive words on that server, how does it know that you input one of them? So it's not technically possible.

2.3 Google is an American company. Tencent is a Chinese company listed on NASDAQ.

3. About the usage

For the reasons above, and this: it's installed by default for Chinese people, what's wrong if you are in China and visit a Chinese server?

Marguerite

https://bugzilla.novell.com/show_bug.cgi?id=811729#c3

--- Comment #3 from Weng Xuetian <wengxt@gmail.com> 2013-03-26 17:39:34 UTC ---

No, there are some problems with installing it by default.

1. Privacy

Though it really helps users type Chinese a lot (even I use it every day), it should not be installed by default. The reason is that in that way this package will send your typing data (in the same meaning as when you search on Google and Google learns from your search keyword) to the cloudpinyin provider. Though there is no cookie and no session, you still ARE sending the data to some company.

If people install it by hand, they will need to be responsible for themselves, but if openSUSE installs such a thing by default, the responsibility is on the openSUSE side, which will harm the image of openSUSE.

2. If we really leave the privacy aside, and say I really don't care that much since there are already thousands of millions of people using it every day (the default provider develops one of the most popular Windows Chinese input methods, on Windows and with such a function built in).

But another problem is the security of such an HTTP request, as I described in the wiki page.

If you really want to install it by default (even only for the Chinese locale), please patch it to use the Google backend by default. Only the Google backend provides an SSL link, which could avoid leaking messages by sniffer-like attacks. I don't want to use Google by default since Google is kind of blocked by the Chinese GFW and that may harm the functionality of this package for most people who need it.
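
The check from the original report (netstat -t -p -n) combined with the HTTP-versus-SSL point in comment 3, as an added example that is not part of the bug thread or of fcitx: it lists one program's remote TCP peers and labels each by destination port. The helper name audit_program_conns, the PIDs, the local addresses and 203.0.113.10 are assumptions made up for the sample; only 123.126.68.165 comes from the report.

```shell
#!/bin/sh
# Added example (not from the bug thread): list one program's remote TCP peers
# from `netstat -t -p -n` output and label them by destination port.
# Port 80 = cleartext HTTP, 443 = TLS; this is a port-based heuristic only.

# audit_program_conns PROGRAM   (hypothetical helper; reads netstat output on stdin)
audit_program_conns() {
    awk -v prog="$1" '
        $1 !~ /^tcp/ { next }            # skip banner and column header
        {
            # Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
            foreign = $5; state = $6; owner = $7
            slash = index(owner, "/")    # "-" means no privilege to see owner
            if (slash == 0 || substr(owner, slash + 1) != prog) next
            port = foreign; sub(/.*:/, "", port)   # text after the last colon
            host = substr(foreign, 1, length(foreign) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # ignore loopback
            kind = "OTHER"
            if (port == "80") kind = "CLEARTEXT"
            else if (port == "443") kind = "TLS"
            print kind, host, port, state
        }'
}

# Constructed sample; only the address 123.126.68.165 comes from the report.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.168.1.20:41234      123.126.68.165:80       SYN_SENT    2314/fcitx
tcp        0      0 192.168.1.20:52110      203.0.113.10:443        ESTABLISHED 2790/firefox
tcp        0      0 127.0.0.1:45678         127.0.0.1:631           ESTABLISHED 2314/fcitx'

printf '%s\n' "$SAMPLE" | audit_program_conns fcitx
# Live system (run as root so the owner column is filled in):
#   netstat -t -p -n | audit_program_conns fcitx
```

A CLEARTEXT row for the input method means the typed pinyin strings cross the network unencrypted, which is the exposure comment 3 describes.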

https://bugzilla.novell.com/show_bug.cgi?id=811729#c4

--- Comment #4 from Marguerite Su <i@marguerite.su> 2013-03-26 18:15:36 UTC ---

Hi,

1. People who have it installed by default have already known that it will send data to Internet servers from day one. Actually it's their request that pushed you to develop it. That's why there are no bug reports and critiques from them. It's common knowledge among them.

Since it satisfies people and there's no legal affair in it, it's acceptable from the openSUSE side.

To those who install it manually, it's your responsibility to warn them (although I can't see any advantage of doing this), not our side.

2. Even not all websites are in HTTPS. I can't see the advantage of using Google by default.

It's not technically possible to sniff all the people. So how can the cracker pick you as a pity example?

Even if the cracker picks you as his target:

* He can't hack your system. There's no system weakness at all.
* He can't get what you're trying to say, because:
** He can only get the raw string and the return word, he has a lot of probability to guess, and even if he's right, he can't even know if the "right" word is the one you want.
** He can only get some strings in the sentence. Not all strings are sent to the servers. It's based on length.

Basically it means it's not technically possible to get your mind.

I can't see any possibility to take so much effort to do such a useless thing. He can just sniff your page visiting activities and easily get the correct word you type.

So in my point of view, it's a non-existent bug.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com,
                   |                            |security-team@suse.de
            Summary|What is fcitx doing opening |AUDIT-0: What is fcitx
                   |and maintaining a TCP       |doing opening and
                   |connection to               |maintaining a TCP
                   |123.126.68.165 ?            |connection to
                   |                            |123.126.68.165 ?

https://bugzilla.novell.com/show_bug.cgi?id=811729#c

FeiXiang Zhang <fxzhang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.pr |i@marguerite.su
                   |ovo.novell.com              |

https://bugzilla.novell.com/show_bug.cgi?id=811729#c5

Marguerite Su <i@marguerite.su> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #5 from Marguerite Su <i@marguerite.su> 2013-03-28 10:51:21 UTC ---

Please feel free to reopen it if there're any further questions.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c6

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |
         AssignedTo|i@marguerite.su             |security-team@suse.de

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-03-28 11:00:52 UTC ---

security still needs to review this, privacy wise and protocol wise.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c7

--- Comment #7 from T.David Hudson <tdh@thetdh.com> 2013-03-30 13:05:05 UTC ---

After fcitx managed to open another connection to the same address, I uninstalled it and reset my router. Some celerity has subsequently been restored to the movement of my cursor.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c8

--- Comment #8 from Weng Xuetian <wengxt@gmail.com> 2013-04-01 13:58:52 UTC ---

You didn't understand what we are really talking about. Making such a connection is just the correct behavior of a package (fcitx-cloudpinyin). Just like you are using Twitter, and you are arguing "hey, why does Firefox connect to a Twitter IP?"

It's total nonsense to say I want to use a network based function, but I don't want my program to make such a connection.

And BTW, maintaining a TCP connection is just a way to make the next request to the same IP fast. The code is just here if you want to see that:
https://github.com/fcitx/fcitx-cloudpinyin/blob/master/src/cloudpinyin.c

The only thing I said in comment 2 is about whether it should be installed by default. I discussed it with the packager and they seem to have no problem with this.

So my final word is, if you don't want to use that function, uninstall fcitx-cloudpinyin; if you really use that, then stop arguing that this is a bug.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c9

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|AUDIT-0: What is fcitx      |VUL-1: What is fcitx doing
                   |doing opening and           |opening and maintaining a
                   |maintaining a TCP           |TCP connection to
                   |connection to               |123.126.68.165 ?
                   |123.126.68.165 ?            |

--- Comment #9 from Sebastian Krahmer <krahmer@suse.com> 2013-07-22 10:18:37 UTC ---

No longer an AUDIT bug for us, as it's clear what happens. At most a VUL bug, if we want "fixing", but I'll leave this to the maintainer.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c10

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P4 - Low

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> 2013-07-22 22:00:15 UTC ---

bugbot adjusting priority

https://bugzilla.novell.com/show_bug.cgi?id=811729#c11

Alexander Bergmann <abergmann@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
                 CC|                            |abergmann@suse.com
       InfoProvider|                            |i@marguerite.su

--- Comment #11 from Alexander Bergmann <abergmann@suse.com> 2014-01-14 08:07:14 UTC ---

Hi Marguerite, can you have another (final) look at this? See comment 9. Thanks.

https://bugzilla.novell.com/show_bug.cgi?id=811729#c12

Marguerite Su <i@marguerite.su> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
       InfoProvider|i@marguerite.su             |
         Resolution|                            |UPSTREAM

--- Comment #12 from Marguerite Su <i@marguerite.su> 2014-01-14 11:52:16 UTC ---

(In reply to comment #11)
> Hi Marguerite, can you have another (final) look at this? See comment 9. Thanks.

Hi, Alexander,

This has been adjusted in newer fcitx. We turn off the "web dictionary" function by default, even if users have fcitx-cloudpinyin installed. Those who are willing to use that function have to enable it in the input method settings.

This "fix" has landed in openSUSE 12.3 and above. As 12.2 is EOL, I think this bug can be closed as "upstream fixed".