[Pkg-chromium-maint] Bug#792580: chromium: Chromium calls home even in incognito mode with safe browsing turned off
Antoine Beaupré
anarcat at debian.org
Sun Jan 10 01:35:48 UTC 2016
Package: chromium
Version: 47.0.2526.80-1~deb8u1
Followup-For: Bug #792580
Here what i see is no mere "phone home" checkin to see if extensions
are up to date or anything. It's nothing less than a freaking phone
home on Google Analytics (GA), nothing less.
I have a bunch of tabs opened here, when i start chromium,
granted. But all are "asleep" behind the "great suspender" so they
should not generate traffic (and especially not to GA).
Here's what i see in chrome://net-internals/#sockets:
transport_socket_pool
Name Pending Top Priority Active Idle Connect Jobs Backup Timer Stalled
www.google-analytics.com:80 0 - 0 1 0 stopped false
Wireshark sees this as:
127 21.559852 192.168.1.227 207.219.213.57 HTTP 928 GET /__utm.gif?utmwv=5.6.7&utms=8&utmn=42047337&utmhn=nebplchpdbfejpjpffmngpaboaidelmk&utme=8(version*image_preview*suspend_time*no_nag)9(6.21*false%3A%20false*60*false)11(1*1*1*1)&utmcs=UTF-8&utmsr=1366x768&utmsc=24-bit&utmul=fr&utmje=0&utmfl=-&utmhid=1926769012&utmr=-&utmp=%2F_generated_background_page.html&utmht=1452388370461&utmac=UA-52338347-1&utmcc=__utma%3D138943276.1857984708.1450798966.1451743272.1452387429.4%3B%2B__utmz%3D138943276.1450798966.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=qQAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
this can show up as "clients.l.google.com" as well:
GET /__utm.gif?utmwv=5.6.7&utms=8&utmn=42047337&utmhn=nebplchpdbfejpjpffmngpaboaidelmk&utme=8(version*image_preview*suspend_time*no_nag)9(6.21*false%3A%20false*60*false)11(1*1*1*1)&utmcs=UTF-8&utmsr=1366x768&utmsc=24-bit&utmul=fr&utmje=0&utmfl=-&utmhid=1926769012&utmr=-&utmp=%2F_generated_background_page.html&utmht=1452388370461&utmac=UA-52338347-1&utmcc=__utma%3D138943276.1857984708.1450798966.1451743272.1452387429.4%3B%2B__utmz%3D138943276.1450798966.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=qQAAAAAAAAAAAAAAAAAAAAAE~ HTTP/1.1
Host: www.google-analytics.com
Connection: keep-alive
Accept: image/webp,image/*,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 16 Dec 2015 07:48:49 GMT
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Age: 2136248
Cache-Control: no-cache, no-store, must-revalidate
Connection: keep-alive
GIF89a.............,...........D..;
admire how chromium dutifully sends the futile and pathetic DNT
header. I'm sure that does great for google's analytics. i am probably
in the special "Do Really Track Those" bucket now.
wtf. seriously.
oh, and SSLKEYLOG was mentionned before, it's actually SSLKEYLOGFILE,
and i can't make wireshark load it: even after pointing to it in the
SSL preferences, SSL traffic is not decrypted - the above is only what
i found on port 80.
Heck, i even see traffic to stats.l.doubleclick.net, satan in person!
oh the memories and joy... should i bring back the /etc/hosts file?
note that i have both uBlock and uMatrix enabled here, none of which
catch the snitch.
shouldn't this be treated as a security issue?
pretty amazing.
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (500, 'oldstable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages chromium depends on:
ii libasound2 1.0.28-1
ii libatk1.0-0 2.14.0-1
ii libc6 2.19-18+deb8u1
ii libcairo2 1.14.0-2.1
ii libcups2 1.7.5-11+deb8u1
ii libdbus-1-3 1.8.20-0+deb8u1
ii libexpat1 2.1.0-6+deb8u1
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-3+deb8u1
ii libgcc1 1:4.9.2-10
ii libgdk-pixbuf2.0-0 2.31.1-2+deb8u4
ii libglib2.0-0 2.42.1-1
ii libgnome-keyring0 3.12.0-1+b1
ii libgtk2.0-0 2.24.25-3
ii libjpeg62-turbo 1:1.3.1-12
ii libnspr4 2:4.10.7-1+deb8u1
ii libnspr4-0d 2:4.10.7-1+deb8u1
ii libnss3 2:3.17.2-1.1+deb8u2
ii libnss3-1d 2:3.17.2-1.1+deb8u2
ii libpango-1.0-0 1.36.8-3
ii libpangocairo-1.0-0 1.36.8-3
ii libpci3 1:3.2.1-3
ii libspeechd2 0.8-7
ii libsrtp0 1.4.5~20130609~dfsg-1.1
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxcomposite1 1:0.4.4-1
ii libxcursor1 1:1.1.14-1+b1
ii libxdamage1 1:1.1.4-2+b1
ii libxext6 2:1.3.3-1
ii libxfixes3 1:5.0.1-2+b2
ii libxi6 2:1.7.4-1+b2
ii libxml2 2.9.1+dfsg1-5+deb8u1
ii libxrandr2 2:1.4.2-1+b1
ii libxrender1 1:0.9.8-1+b1
ii libxslt1.1 1.1.28-2+b2
ii libxss1 1:1.2.2-1
ii libxtst6 2:1.2.2-1+b1
ii x11-utils 7.7+2
ii xdg-utils 1.1.0~rc1+git20111210-7.4
chromium recommends no packages.
Versions of packages chromium suggests:
ii chromium-inspector 47.0.2526.80-1~deb8u1
ii chromium-l10n 47.0.2526.80-1~deb8u1
-- no debconf information
More information about the Pkg-chromium-maint
mailing list