KDE Privacy Sprint, 2019 Edition
From the 22nd to 26th of March, members of the KDE Privacy team met up in Leipzig, Germany, for our Spring 2019 sprint.
During the sprint, we floated a lot of different ideas that sparked plenty of discussions. The notion of privacy encompasses a wide range of topics, technologies and methods, so it is often difficult to decide what to focus on. However, all the aspects we worked on are important. We ended up tackling a variety of issues, and we are confident that our contributions will improve data protection for all users of KDE software.
Both Sandro Knauß and Volker Krause regularly work on KDE's Kontact suite (email, calendar, contacts, etc.), but this time they took on network-related issues. One of the problems is that there are still too many http links (instead of secure https links) within our codebase. This is a threat to users' communication, as http connections - and hence all the messages that travel over them - are unencrypted.
To make it easier for all KDE developers, Sandro and Volker wrote an ECM-injected global unit test. The test gets added to every application and prints out warnings about http links used in your code. Another script tries to update all the links in your codebase to use https, but checks beforehand if the https links would work. For example, sourceforge.org subdomains don't provide a certificate, so the script would ignore those.
Things are further complicated by http links that are used as identifiers in XML documents, and those links cannot be changed. All of the above exceptions and niche cases are the reason a simple search-and-replace would not work.
When the script ran, many of the links it found were updates of user-facing links that a normal capable browser would "fix" on the fly. However, it also found privacy leaks, as some links were routed through URL shorteners and pastebin services, as well as to default download locations.
Another thing we identified is that, unfortunately, the KDE mirror network is still using http and the underlying software is not ready to work with https. This means there is still some work we need to carry out to make mirrorbrain capable of using https. The website needs a valid certificate, too.
Meanwhile, Ivan Čukić and David Edmundson worked on improving Plasma Vault, KDE's solution for encrypting folders. The aim was to fix the issues that arise when other KDE software components interact with vaults. They made several major improvements:
- vaults can now be opened and closed directly from Dolphin;
- offline vaults force the network to be disconnected as soon as the password entry dialogue is shown;
- and thumbnails are not generated for files in FUSE-encrypted directories unless the thumbnail cache is located in the same encrypted mount.
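The thumbnail rule in the last list item is a small but instructive piece of policy: a preview of a file from an encrypted vault must never be written to an unencrypted cache, so the thumbnailer has to know which mount both paths live on. The following is an added illustration of that decision logic, not code from Plasma Vault or KIO's thumbnailer. The mount table is constructed, and the set of encrypted FUSE filesystem types is an assumption you would adjust to the backends you actually use.

```python
import os
from typing import List, Optional, Tuple

# Constructed /proc/mounts content for one user session (not a real machine).
# Field order: source, mount point, fstype, options, dump, pass.
CONSTRUCTED_PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
cryfs@/home/alice/.local/share/plasma-vault/Work.enc /home/alice/Vaults/Work fuse.cryfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
encfs /home/alice/Vaults/Private fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
"""

# Assumed set of encrypted FUSE backends; extend it for the backends you use.
ENCRYPTED_FUSE_TYPES = {"fuse.cryfs", "fuse.encfs", "fuse.gocryptfs"}

Mount = Tuple[str, str]   # (mount point, filesystem type)


def parse_mounts(text: str) -> List[Mount]:
    """Read the mount point and filesystem type out of /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes a space inside a path as \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append((mountpoint, fields[2]))
    return mounts


def mount_of(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Longest-prefix match of an absolute path against the mount table."""
    path = os.path.normpath(path)
    best: Optional[Mount] = None
    for mountpoint, fstype in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype)
    return best


def is_encrypted_mount(mount: Optional[Mount]) -> bool:
    return mount is not None and mount[1] in ENCRYPTED_FUSE_TYPES


def may_generate_thumbnail(file_path: str, cache_dir: str,
                           mounts: List[Mount]) -> bool:
    """Policy: a file inside an encrypted FUSE mount only gets a thumbnail when
    the thumbnail cache lives inside that same mount, so the cleartext preview
    never lands on an unencrypted filesystem.  Files elsewhere are unaffected."""
    file_mount = mount_of(file_path, mounts)
    if not is_encrypted_mount(file_mount):
        return True
    return mount_of(cache_dir, mounts) == file_mount


if __name__ == "__main__":
    table = parse_mounts(CONSTRUCTED_PROC_MOUNTS)
    cases = [
        ("/home/alice/Vaults/Work/report.pdf", "/home/alice/.cache/thumbnails"),
        ("/home/alice/Vaults/Work/report.pdf", "/home/alice/Vaults/Work/.thumbnails"),
        ("/home/alice/Vaults/Private/photo.jpg", "/run/user/1000/thumbs"),
        ("/home/alice/Documents/notes.odt", "/home/alice/.cache/thumbnails"),
    ]
    for file_path, cache_dir in cases:
        verdict = "generate" if may_generate_thumbnail(file_path, cache_dir, table) else "skip"
        print(f"{verdict:8} {file_path}  (cache: {cache_dir})")
```

On a real system you would feed the function the contents of /proc/mounts and the cache directory the thumbnailer is configured with; the longest-prefix match is what keeps a vault mounted below the home directory from being mistaken for the surrounding ext4 filesystem.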
David and Ivan also spent some time on KWallet, KDE's password manager. In a breakout session, David investigated how to handle KWallet sandboxing, and Ivan explored the possibility of doing elliptic-curve encrypted inter-process communication, which could be useful for handling passwords with KWallet.
Florian Müller looked into using the Tor Browser (https://www.torproject.org/) as the default browser in Plasma. He found that it is mostly blocked, as Tor Browser is started with --no-remote, which makes it impossible to trigger new tabs from the outside. To solve the problem, Florian filed a patch against torbrowser-launcher.
The integration of Tor goes way beyond just using the browser, though. In fact, the team wants all applications to be able to use Tor. To see if this was possible, we picked some applications and worked on configuring their proxy settings. During the testing, we used a .onion address to make sure that data was correctly sent via the Tor network.
On Monday morning, Jos van den Oever presented a proof-of-concept privacy proxy. The proxy is run by the user, and it intercepts all web traffic, storing it in a local archive. This proxy makes it possible to revisit parts of the Web even without an Internet connection. Additionally, the proxy can block unwanted content by defining filters.
The presentation was followed by a discussion on how to use such a proxy in KDE software in a user-friendly manner. Jos himself has been using his own proxy privately for a few years, but the code needs to be cleaned up and updated to the current version of Rust libraries before it can be released.
Then again, working for the future is what the Privacy team does most of the time. Gradually, most or all these features (and quite a few more) will make their way into Plasma Desktop and Plasma Mobile, making your desktop and mobile devices a safe environment against data leaks and snooping without sacrificing functionality.