[Pkg-chromium-maint] Bug#792580: chromium: Chromium calls home even in incognito mode with safe browsing turned off

Antoine Beaupré anarcat at debian.org
Sun Jan 10 01:35:48 UTC 2016

Package: chromium
Version: 47.0.2526.80-1~deb8u1
Followup-For: Bug #792580

Here what i see is no mere "phone home" checkin to see if extensions
are up to date or anything. It's nothing less than a freaking phone
home on Google Analytics (GA), nothing less.

I have a bunch of tabs opened here, when i start chromium,
granted. But all are "asleep" behind the "great suspender" so they
should not generate traffic (and especially not to GA).

Here's what i see in chrome://net-internals/#sockets:

Name	Pending	Top Priority	Active	Idle	Connect Jobs	Backup Timer	Stalled
www.google-analytics.com:80	0	-	0	1	0	stopped	false

Wireshark sees this as:

127	21.559852	HTTP	928	GET /__utm.gif?utmwv=5.6.7&utms=8&utmn=42047337&utmhn=nebplchpdbfejpjpffmngpaboaidelmk&utme=8(version*image_preview*suspend_time*no_nag)9(6.21*false%3A%20false*60*false)11(1*1*1*1)&utmcs=UTF-8&utmsr=1366x768&utmsc=24-bit&utmul=fr&utmje=0&utmfl=-&utmhid=1926769012&utmr=-&utmp=%2F_generated_background_page.html&utmht=1452388370461&utmac=UA-52338347-1&utmcc=__utma%3D138943276.1857984708.1450798966.1451743272.1452387429.4%3B%2B__utmz%3D138943276.1450798966.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=qQAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1 

this can show up as "clients.l.google.com" as well:

GET /__utm.gif?utmwv=5.6.7&utms=8&utmn=42047337&utmhn=nebplchpdbfejpjpffmngpaboaidelmk&utme=8(version*image_preview*suspend_time*no_nag)9(6.21*false%3A%20false*60*false)11(1*1*1*1)&utmcs=UTF-8&utmsr=1366x768&utmsc=24-bit&utmul=fr&utmje=0&utmfl=-&utmhid=1926769012&utmr=-&utmp=%2F_generated_background_page.html&utmht=1452388370461&utmac=UA-52338347-1&utmcc=__utma%3D138943276.1857984708.1450798966.1451743272.1452387429.4%3B%2B__utmz%3D138943276.1450798966.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=qQAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Host: www.google-analytics.com
Connection: keep-alive
Accept: image/webp,image/*,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 16 Dec 2015 07:48:49 GMT
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Age: 2136248
Cache-Control: no-cache, no-store, must-revalidate
Connection: keep-alive


admire how chromium dutifully sends the futile and pathetic DNT
header. I'm sure that does great for google's analytics. i am probably
in the special "Do Really Track Those" bucket now.

wtf. seriously.

oh, and SSLKEYLOG was mentionned before, it's actually SSLKEYLOGFILE,
and i can't make wireshark load it: even after pointing to it in the
SSL preferences, SSL traffic is not decrypted - the above is only what
i found on port 80.

Heck, i even see traffic to stats.l.doubleclick.net, satan in person!
oh the memories and joy... should i bring back the /etc/hosts file?

note that i have both uBlock and uMatrix enabled here, none of which
catch the snitch.

shouldn't this be treated as a security issue?

pretty amazing.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  libasound2           1.0.28-1
ii  libatk1.0-0          2.14.0-1
ii  libc6                2.19-18+deb8u1
ii  libcairo2            1.14.0-2.1
ii  libcups2             1.7.5-11+deb8u1
ii  libdbus-1-3          1.8.20-0+deb8u1
ii  libexpat1            2.1.0-6+deb8u1
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-3+deb8u1
ii  libgcc1              1:4.9.2-10
ii  libgdk-pixbuf2.0-0   2.31.1-2+deb8u4
ii  libglib2.0-0         2.42.1-1
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk2.0-0          2.24.25-3
ii  libjpeg62-turbo      1:1.3.1-12
ii  libnspr4             2:4.10.7-1+deb8u1
ii  libnspr4-0d          2:4.10.7-1+deb8u1
ii  libnss3              2:3.17.2-1.1+deb8u2
ii  libnss3-1d           2:3.17.2-1.1+deb8u2
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpci3              1:3.2.1-3
ii  libspeechd2          0.8-7
ii  libsrtp0             1.4.5~20130609~dfsg-1.1
ii  libstdc++6           4.9.2-10
ii  libx11-6             2:1.6.2-3
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxml2              2.9.1+dfsg1-5+deb8u1
ii  libxrandr2           2:1.4.2-1+b1
ii  libxrender1          1:0.9.8-1+b1
ii  libxslt1.1           1.1.28-2+b2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+2
ii  xdg-utils            1.1.0~rc1+git20111210-7.4

chromium recommends no packages.

Versions of packages chromium suggests:
ii  chromium-inspector  47.0.2526.80-1~deb8u1
ii  chromium-l10n       47.0.2526.80-1~deb8u1

-- no debconf information

More information about the Pkg-chromium-maint mailing list