enzo1982 / freac

The fre:ac audio converter project
https://www.freac.org/
GNU General Public License v2.0

CDDB Communication Over HTTPS & Remove System Identifiers #526

Open throwaway-1234567 opened 10 months ago

throwaway-1234567 commented 10 months ago

Is your feature request related to a problem? Please describe.

Per the CDDB communication logs, system identifiers appear to be transmitted in plain text over HTTP, including System (OS info/version), CPU model, total RAM, and software client (fre:ac with version number).

Describe the solution you'd like

Remove sending of system identifiers, otherwise use HTTPS (HTTPS over port 443 is described as an option at https://gnudb.org/howto.php).

Currently unable to edit the server port fixed to port 80 (HTTP only).

Additionally, music and disc information, and any other data to be transmitted with HTTPS.

Describe alternatives you've considered

If HTTPS is unavailable then prompt the user that their system information will be sent in plain text over HTTP before transmitting their data.

Additional context

CDDB communication is required for retrieving or submitting new or updated disc data.

Lee-Carre commented 10 months ago

While capturing packets (Wireshark), in at least one case I noticed that the HTTP request included my host's name(!)

Surely dummy values could be used. I can't think of any technical reasons why the hosting site needs to collect this data; it's likely only for usage-statistics.
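
The following is an added example, not part of the thread and not fre:ac code: a small audit for a captured CDDB request URL that reports cleartext transport and non-dummy identity values in the `hello` parameter, the two concerns raised above. It assumes the CDDB-over-HTTP `hello` field order (username, hostname, client name, version); the `DUMMY` allow-list and both sample URLs are constructed for illustration, and fields sent elsewhere in the request are not covered.

```python
from urllib.parse import urlsplit, parse_qs

# Order of the space-separated fields in the CDDB "hello" parameter.
HELLO_FIELDS = ("username", "hostname", "client", "version")
# Hypothetical allow-list of dummy values that identify nobody.
DUMMY = {"username": {"anonymous", "user"}, "hostname": {"localhost", "host"}}

# Constructed sample requests (placeholder host, made-up identity values).
SAMPLE_PLAIN = ("http://cddb.example.invalid/~cddb/cddb.cgi"
                "?cmd=cddb+lscat&hello=alice+alice-laptop+freac+0.0&proto=6")
SAMPLE_HARDENED = ("https://cddb.example.invalid/~cddb/cddb.cgi"
                   "?cmd=cddb+lscat&hello=anonymous+localhost+freac+0.0&proto=6")


def audit_cddb_url(url):
    """Return (kind, field, value) findings for one captured CDDB request URL.

    kind is "transport" (not HTTPS), "leak" (real-looking identity value)
    or "info" (client name/version, which the protocol expects).
    """
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme != "https":
        # Without TLS the whole query string is readable on the wire.
        findings.append(("transport", "scheme", scheme))

    # parse_qs decodes '+' to a space, so the hello fields split on whitespace.
    hello = parse_qs(parts.query).get("hello", [""])[0].split()
    for field, value in zip(HELLO_FIELDS, hello):
        if field in DUMMY:
            if value.lower() not in DUMMY[field]:
                findings.append(("leak", field, value))
        else:
            findings.append(("info", field, value))
    return findings


if __name__ == "__main__":
    for label, url in (("plain", SAMPLE_PLAIN), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for finding in audit_cddb_url(url):
            print("  ", finding)
```
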