Closed Perflyst closed 2 years ago
I do not fully understand the issue yet, can you post some example URLs (excluding auth info of course) that Liferea pulls on your tt-rss instance endpoint?
@lwindolf I think the problem is that Liferea connects to the server serving the feed, instead of only connecting to the tt-rss instance. Maybe for the favicon?
@Leiaz is correct. All my feeds don't need any auth and are public on the internet. Liferea connects to them and I don't know why, because tt-rss should fetch them on the server and Liferea should just crawl them from tt-rss. Maybe it is because of the favicon, but tt-rss also pulls the favicon. If it is really the favicon, please give users an opt-in or opt-out for this.
On October 15, 2018 9:00:04 PM UTC, Leiaz notifications@github.com wrote:
@lwindolf I think the problem is that Liferea connects to the server serving the feed, instead of only connecting to the tt-rss instance. Maybe for the favicon?
The favicon pulling makes sense. It should be done without auth per-default (so no opt-out is necessary at all).
@Perflyst Can you please still post some example URLs from your log so the code paths can be verified correctly?
I added http://rss.perflyst.de/feed.xml via tt-rss and then opened Liferea. I do not have any other feeds or sources in Liferea, only tt-rss as a source.
Access log from the server (P.S. don't care about the IP, it is just a Tor exit):
185.220.101.22 - - [17/Oct/2018:18:56:52 +0200] "GET /feed.xml HTTP/1.1" 200 833 "-" "Liferea/1.12.5a (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
185.220.101.22 - - [17/Oct/2018:18:56:53 +0200] "GET / HTTP/1.1" 200 653 "-" "Liferea/1.12.5a (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
185.220.101.22 - - [17/Oct/2018:18:56:54 +0200] "GET /favicon.ico HTTP/1.1" 404 409 "-" "Liferea/1.12.5a (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
185.220.101.22 - - [17/Oct/2018:18:56:54 +0200] "GET /favicon.ico HTTP/1.1" 404 409 "-" "Liferea/1.12.5a (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
185.220.101.22 - - [17/Oct/2018:18:56:55 +0200] "GET /favicon.ico HTTP/1.1" 404 409 "-" "Liferea/1.12.5a (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
I don't want any connections to any other server except the tt-rss instance while using tt-rss as a source.
@lwindolf is that what you wanted? Can I help you in any other way?
@Perflyst Yes, exactly this. I just need to find time for debugging this :-(
One question: Can I disable the connection to the feeds completely? I do not even need the favicon.
It seems that the favicons are requested every time there is an "update feeds" request? It would be nice if one could disable favicons or, at the very least, if a favicon already exists, do not request a new one for X time.
Noticed this too and for me this is a big privacy issue. I explicitly host tt-rss on an external host to NOT let all 100 feeds' servers know my personal device's current IP at the same time (and thus enable tracking).
@lwindolf is anyone working on this? I could pick it up
@poetsmeniet Nope. I want to address this, but don't have time. Would be great if you could work on it!!!
@lwindolf cool! I will have a look and see if I can come up with some solutions..
Hi guys :)
I managed to put a little time into this issue and am now able to reproduce the issue.. need to find more time though to dig into the code.
@lwindolf Lars, where do I turn on verbose debugging?
I am trying to reproduce the privacy issue. I have set up ttrss on server 1, server 2 is hosting feeds. I added these feeds to ttrss and then added the ttrss feed to Liferea.
On updating, the favicon procedure is called, there are 6 different methods that are possible, and visible in the server 1 access log (but not in server 2).
Note: only the first method could possibly be a privacy issue, as it would parse the icon element in the feed. If this icon element pointed externally.. The latest rolling release of ttrss does not publish said icon element.
So.. My Liferea instance's favicon is updated with the logo of ttrss, not of the feed itself. I can't seem to reproduce the privacy issue.
@Perflyst: can you get me the feed you used? That might help in finding the issue
I bumped it up again: https://rss.perflyst.de/feed.xml TinyTinyRSS is on latest master, Liferea is 1.12.6 from GitHub compiled.
# add feed via tt-rss web front end
XX1 - - [29/Jan/2019:18:36:14 +0100] "GET /feed.xml HTTP/1.1" 200 777 "-" "Tiny Tiny RSS/18.12 (c7c9c5f) (http://tt-rss.org/)"
XX1 - - [29/Jan/2019:18:36:14 +0100] "GET /feed.xml HTTP/1.1" 200 777 "-" "Tiny Tiny RSS/18.12 (c7c9c5f) (http://tt-rss.org/)"
# open liferea and refresh
XX - - [29/Jan/2019:18:36:45 +0100] "GET /feed.xml HTTP/1.1" 200 833 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [29/Jan/2019:18:36:47 +0100] "GET / HTTP/1.1" 200 654 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [29/Jan/2019:18:36:48 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [29/Jan/2019:18:36:49 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [29/Jan/2019:18:36:51 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
I kept the log file enabled and it seems like Liferea only does these connections on the initial startup of Liferea and not on the next pulls from tt-rss. It is always the same requests:
XX - - [30/Jan/2019:19:43:53 +0100] "GET /feed.xml HTTP/1.1" 200 833 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [30/Jan/2019:19:43:54 +0100] "GET / HTTP/1.1" 200 704 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [30/Jan/2019:19:43:56 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [30/Jan/2019:19:43:58 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
XX - - [30/Jan/2019:19:43:59 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
@Perflyst sorry I was busy with my day job.. could you post the feed contents again? I want to check out the source
Sorry, I linked https:// which was never available. There you go, http://rss.perflyst.de/feed.xml
/edit: I also deployed with ssl now, https://rss.perflyst.de/feed.xml
@Perflyst I am afraid I can't reproduce this issue. My setup works just as it should. I also see the favicon requests in the logs, but not on the feed server but on the ttrss server.. so that is fine. Also I don't see liferea getting the feed.xml file..
If you export your feed list in liferea, how many items do you have there? These items should only point to your ttrss server, something like: https://www.yourttrssfeedserver.com/tinytiny/public.php?op=rss&id=18&key=r3wix75c4d3bhcc5cec
Uhm, if I export via "Subscriptions" -> "Export Feed List" I get
<?xml version="1.0"?>
<opml version="1.0">
<head>
<title>Liferea Feed List Export</title>
</head>
<body/>
</opml>
That is unexpected.. :-P you have feed items coming in though?
@Perflyst Can you check out your ~/.local/share/liferea/liferea.db? It is a sqlite file, look for any references to feed.xml there..
$ cat liferea.db | grep feed.xml
Binary file (standard input) matches
It is listed there, yes. There are also all other feeds I have subscribed via tt-rss.
I tested this in a new virtual machine, with latest liferea release from github. Same behaviour.
Also started with --debug-trace, which just shows feedlist_auto_update, favicon_download_run and itemlist_merge_itemset, so nothing special.
Ok dude, let me contact you on xmpp for the details.. don't know when I will have the time, but I will be in touch
I decided to prevent the possibility entirely in the code. With fd0afaf8 favicons are always fetched without credentials. This might break a few border use cases where an authenticated feed's website does not provide its own favicon without basic auth, but this usually should not be the case as there is always a login page which has the favicon without auth.
So better safe than sorry. With this I consider the issue dealt with.
I connected TinyTinyRSS in Liferea. Since I wanted to see the tt-rss user agent, I set up my own RSS feed. I added it via the web client from tt-rss and then updated Liferea.
I have seen a tt-rss user agent in the access log and also the Liferea user agent. Both have accessed the feed.
Why does Liferea even connect to the feed? It is enough to connect to the tt-rss instance and pull the feeds from there, isn't it?
I checked this via the tt-rss mobile app. The app does not connect to the feeds itself, it just connects to the tt-rss instance and pulls the feeds.
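An added example, not part of the original thread or of Liferea's code: a Python check a feed-server operator could run over an access log like the ones posted above, listing every request that did not come from the aggregator. The sample log is constructed (documentation IP addresses), and `direct_client_hits` and its `aggregator_prefixes` parameter are hypothetical names.

```python
import re
from collections import defaultdict

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample modelled on the excerpts in this thread
# (192.0.2.0/24 is a documentation range, not a real client).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jan/2019:18:36:14 +0100] "GET /feed.xml HTTP/1.1" 200 777 "-" "Tiny Tiny RSS/18.12 (c7c9c5f) (http://tt-rss.org/)"
192.0.2.77 - - [29/Jan/2019:18:36:45 +0100] "GET /feed.xml HTTP/1.1" 200 833 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
192.0.2.77 - - [29/Jan/2019:18:36:47 +0100] "GET / HTTP/1.1" 200 654 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
192.0.2.77 - - [29/Jan/2019:18:36:48 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
192.0.2.77 - - [29/Jan/2019:18:36:49 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
192.0.2.77 - - [29/Jan/2019:18:36:51 +0100] "GET /favicon.ico HTTP/1.1" 404 410 "-" "Liferea/1.12.6 (Linux; https://lzone.de/liferea/) AppleWebKit (KHTML, like Gecko)"
this line is not an access log entry
"""

def direct_client_hits(lines, aggregator_prefixes=("Tiny Tiny RSS/",)):
    """Return ({agent_product: {path: count}}, unparsed_count) for every
    request whose User-Agent does not start with an aggregator prefix.

    The User-Agent is client-supplied, so this audits the behaviour of
    your own reader; it does not prove who made a request.
    """
    hits = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # count, do not silently drop, malformed lines
            continue
        agent = m["agent"]
        if agent.startswith(tuple(aggregator_prefixes)):
            continue  # expected: the server-side aggregator fetching the feed
        product = agent.split(" ", 1)[0] or "(empty user agent)"
        hits[product][m["path"]] += 1
    return {p: dict(paths) for p, paths in hits.items()}, unparsed

if __name__ == "__main__":
    print(direct_client_hits(SAMPLE_LOG.splitlines()))
```

An empty first element means only the aggregator touched the feed server; any other key is a reader that contacted the origin directly and exposed its own IP address to it.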