popcorn-official / popcorn-desktop

Popcorn Time is a multi-platform, free software BitTorrent client that includes an integrated media player ( Windows / Mac / Linux ) A Butter-Project Fork
https://popcorn-time.site

Security concern: VPN loader exposes user's IP address to a 3rd party. #1186

Closed CerxMe closed 3 years ago

CerxMe commented 4 years ago

Popcorn Time Version: 4.0

This function is making a request to https://myip.ht/status to show your IP address and geo-location data in the interface when a movie is being downloaded.

This is a concern from a security standpoint, considering myip.ht is operated by a 3rd party, namely the integrated VPN provider vpn.ht.

By calling this address every time a user goes to load a movie or a show, this behaviour could be effectively exploited to extrapolate usage data by the 3rd party. Additionally, by parsing the torrent files from PopcornTime's APIs and collecting peer sharing facts, they might also know what you download. I'm not saying they're doing that, but it looks pretty shady.

This behaviour should be removed completely as it poses a risk to users' privacy.

Persei08 commented 4 years ago

#1178 should disable the request to myip.ht if the "Enable VPN" option is unticked.

Maybe enough or not for users, but a step in the right direction, I guess.
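The opt-in behaviour described above, written out as an added example (this is not popcorn-desktop's own loader code): the IP/geo lookup only runs when the user has explicitly enabled the VPN option, and the network call is injected so a caller can verify that nothing is sent by default. The `settings`, `fetchStatus` and panel object names are assumptions.

```javascript
// Added example, not popcorn-desktop's own code: the loading screen contacts
// the third-party IP/geo endpoint only when the user explicitly enabled the
// VPN option, so a default install sends nothing to myip.ht.
// `settings`, `fetchStatus` and the returned panel object are hypothetical names.
const IP_STATUS_ENDPOINT = 'https://myip.ht/status'; // endpoint named in the issue

// Opt-in check: anything other than an explicit `vpnEnabled: true` means "off".
function ipLookupAllowed(settings) {
  return settings !== null && typeof settings === 'object' && settings.vpnEnabled === true;
}

// Build the connection panel for the loading screen. `fetchStatus(url)` is an
// injected, synchronous stand-in for the real HTTP call so that callers and
// tests can observe whether a request was attempted at all.
function renderConnectionPanel(settings, fetchStatus) {
  if (!ipLookupAllowed(settings)) {
    // Default path: no request leaves the machine and no IP is displayed.
    return {
      requested: false,
      endpoint: null,
      text: 'VPN option disabled; no connection check performed.',
    };
  }
  let status;
  try {
    status = fetchStatus(IP_STATUS_ENDPOINT);
  } catch (err) {
    // A failed lookup must neither block playback nor alarm the user.
    return { requested: true, endpoint: IP_STATUS_ENDPOINT, text: 'Connection check unavailable.' };
  }
  // The response shape is not documented on the page; pass it through as-is.
  return { requested: true, endpoint: IP_STATUS_ENDPOINT, text: 'VPN status retrieved.', status };
}

// Stand-alone run with a constructed fake fetch that never touches the network.
if (typeof require !== 'undefined' && require.main === module) {
  const fakeFetch = (url) => ({ source: url, sample: true }); // constructed sample
  console.log(renderConnectionPanel({ vpnEnabled: false }, fakeFetch));
  console.log(renderConnectionPanel({ vpnEnabled: true }, fakeFetch));
}
```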

jonas-sk commented 4 years ago

I think it's fine if you advertise a VPN, but it would be better to maybe remove that "everyone can track you" part (by actually tracking you right now).

kousu commented 4 years ago

I don't think it's fine to add in adware like this, and especially not to hide it in a commit called "Various fix".

For posterity, here's CerxMe's screenshot archived here, which displays when loading every piece:


kousu commented 4 years ago

The website also pushes the same VPN server. For example, when downloading the Windows app at https://get.popcorntime.app/build/Popcorn-Time-0.4.1-win64-Setup.exe, instead of an .exe you get a webpage that pops up

[Screenshot, 2020-03-24: "Download Popcorn Time" page]

before directing to the real download link http://mirror{01,02,03,04,05,06}.popcorntime.app/build/Popcorn-Time-0.4.1-win64-Setup.exe.

I know you're putting in a lot of work for this but can't you like put up a Flattr or a Liberapay or a Patreon instead of hooking up with some hella shady proxy site?

team-pct commented 4 years ago

I do not understand your issue here? @kousu, adware? The code is open source; can you show us the line where you see adware? Also, for VPN or Flattr or Liberapay or Patreon, you can always skip that or disable it.

kousu commented 4 years ago

You put ads for vpn.ht on your website, and in the app 12 days ago here:

https://github.com/popcorn-official/popcorn-desktop/blob/558416e23e7d685f167f51f1f6b6ea838e34daa2/src/app/lib/views/vpn.js#L147-L197

in a commit innocuously called "Revamp app", and added the UI screenshotted above here

https://github.com/popcorn-official/popcorn-desktop/blob/558416e23e7d685f167f51f1f6b6ea838e34daa2/src/app/templates/loading.tpl#L13-L41

in the also innocuous "Various fix" commit.

Presumably at the same time, this blog post calling themselves the "Popcorntime VPN" (mirror1, mirror2) went up on their site. This is really shady.

kousu commented 4 years ago

Are you trying to cash in on coronavirus? Because everyone is stuck at home with nothing to do?

kousu commented 4 years ago

My Liberapay suggestion was meant to ask you to add a donation link if you want to monetize your work rather than recommending a VPN partner and, as @CerxMe pointed out, weakening your own security in the process.

team-pct commented 4 years ago

@kousu, you should revise your meaning of adware ... as in the end you should just disable that in the settings for those who don't need VPN.

team-pct commented 4 years ago

Are you trying to cash in on coronavirus? Because everyone is stuck at home with nothing to do?

Trying to cash IN? We are not trying to cash IN; for that we could put ads everywhere, even on the video player, and we would cash a lot. So please stop talking about something you can't understand; if the VPN bothers you, just disable it from Settings.

team-pct commented 4 years ago

@CerxMe, the API has been sponsored and hosted by VPN.ht since long before myip.ht (VPN.ht too).

Julianoe commented 4 years ago

I come to add to the discussion. I'm sure a lot of users would be keen to donate to the team for their effort on the software... but this, leaking my personal data, my IP, to who the fuck knows while advertising for "better privacy": what a fucking joke of an update.

team-pct commented 4 years ago

I come to add to the discussion. I'm sure a lot of users would be keen to donate to the team for their effort on the software... but this, leaking my personal data, my IP, to who the fuck knows while advertising for "better privacy": what a fucking joke of an update.

Go to settings and disable VPN @Julianoe

Sapd commented 4 years ago

@team-pct Why is the VPN setting not unticked by default? So users can tick it if they want to share their data.

team-pct commented 4 years ago

@team-pct Why is the VPN setting not unticked by default? So users can tick it if they want to share their data.

The API has been sponsored and hosted by VPN.ht since long before myip.ht (VPN.ht too), so I do not understand what you mean by "share their data"; if they wanted to use your data they could just use the API usage ...

sielicki commented 4 years ago

I don't think (reasonable) people are/should be upset about you including advertisements for a VPN service, especially when that VPN service donates infrastructure for the project. This application is open source and it's trivial to fork and remove it.

I do think that people have a right to be somewhat annoyed about the way in which the VPN integration is presented ("Connection Not Secured" instead of "You might be insecure", with a link to that particular provider and no clear mention of sponsorship.) The messaging is just a little aggressive.

yasiupl commented 4 years ago

Please remove the current advertising and work on a better, non-shady way to support the infrastructure partner. The fear-mongering around displaying user IP and telling them it's insecure is absolutely the worst.

A good way to approach this would be to have an option for the user to set up any VPN, with VPN.ht being the recommended default.

yasiupl commented 4 years ago

This is not to mention that the reliance on VPN.ht for infrastructure support is probably the weakest part of this project in terms of security. The same arguments apply as laid out in the OP.

yasiupl commented 4 years ago

@team-pct you realize you can advertise vpn.ht AND do it in a way that doesn't scare away non-technical people? You introduced this change so it's on you to make it right - and until then, the VPN option should be disabled. Please reinstate my pull request.

team-pct commented 4 years ago

@yasiupl, come help with Popcorn Time; I promise I will find time to make VPN less annoying.

Persei08 commented 4 years ago

@kousu, I think you're jumping to conclusions too quickly.

You said @teampct hid the vpn ad in commits innocuously called "Revamp app" and "Various fix".
If you check the commit history deeper you will find they aren't the first commits with vague titles:

I think there is room for doubting it was really intentional.

You said there is an ad for VPN.ht on the website (not sure if you are saying it was added 12 days before your comment), but those ads have been here for nearly 3 years (this reply from June 2017 already mentions it... I even think it was me replying with my previous reddit account).

You speak about this blog post and said it was presumably done at the same time (12 days before your comment, then). It's more than 3 years old. Sort Disqus comments by oldest and you will see the oldest comment is from December 6, 2016.

I think it needed clarifying so people don't falsely think VPN.ht ads appeared everywhere all of a sudden.


Now to everyone, about the security concern and VPN.ht sponsoring the API server. You guys all used popcorntime for years (with the API being already sponsored/hosted by vpn.ht) without thinking about it, and now, years later, it is a security concern. Well, why now and not years ago? :astonished:

You guys suggested donations via different services (Flattr, Patreon, Liberapay). How long will it take before they block the payments? Are there similar projects using those services without issue? Will the donations be enough? I remember this torrentfreak news saying the bitcoin donations for The Pirate Bay were ridiculous.

So in the end, how do we really solve this? Who/what should pay for/host the API server? What is acceptable, what isn't? I think it will be hard to find a solution which satisfies everyone.