Re: [Tails-dev] Liferea Cookies

Delete this message

Reply to this message
Author: adrelanos
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Liferea Cookies
Hi,

intrigeri:
> Do you plan to research this matter further?


Not sure how I could.

Long story: I considered liferea for Whonix a while ago. Discovered
there are cookies. I asked the liferea devs if cookies can be disabled...

https://sourceforge.net/mailarchive/forum.php?thread_name=508C21F9.2080705%40gmail.com&forum_name=liferea-devel

>> Can cookies be disabled in liferea?
> No. There is no setting to prevent the embedded Webkit from using cookies.


Then I saw that you have it in Tails and thought you may have some more
information.

Now after thinking about again, I am asking myself the following question:

Which information could the feed website gather through the cookie?

(Stream isolation assumed.)
(Assumed a feed can only read it's own cookies.)

1) There is an anonymous connection which can be tied down to a
pseudonym (by cookie). Let's call it Anonuser1.
2) The feed website can log the time and how often a feeds is fetched by
Anonuser1.
3) The feed website can estimate how many anonymous users (persistence
in Tails or in Whonix) exist in total.

What's the information worth?
1) Nothing.
2) Some relevance for marketing, what interests anonymous people. No
privacy risk.
3) Some relevance for marketing, what interests anonymous people. No
privacy risk.

Do I miss something?

On the other hand if an adversary tells someone to sign up for a
prepared feed, tracking of a pseudonymous user would be possible.

After these questions are discussed also deleting the cookies before
starting liferea or better before fetching (if it's possible to hook
this), periodically deleting the cookies or hacking liferea otherwise
could be considered.

I also volunteer to communicate on liferea mailing list.

Cheers,
adrelanos