internet-bugs

A bug tracker for the Internet: protocols, software and policy

This is a prototype list of bugs in the Internet which need to be fixed.

Protocols

  • [ ] TLS connections leak hostnames. This needs to be fixed in both DNS and TLS/SNI.
  • [ ] Even though they may no longer contain MAC addresses, IPv6 addresses default to being unique identifiers for {device, location} pairs. This needs to be fixed in DHCP and in ISPs' address allocation practices, for instance by assigning addresses to customers at different randomly selected prefix depths.
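To make the first item concrete, here is an added example (not part of the internet-bugs list): it builds a constructed TLS 1.2 ClientHello for a hostname and then reads the hostname back out of the raw bytes the way any passive on-path observer (ISP, middlebox, network IDS) can, with no key material involved. Standard-library Python only; the ClientHello is minimal and constructed, real ones carry more extensions but use the same layout.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    name = hostname.encode()
    # server_name body: list length, name_type 0 (host_name), name length, name
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_list)) + sni_list
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body      # extension type 0 = SNI
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)        # version 1.2, 32-byte random (zeros here)
            + b"\x00"                      # session id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # one compression method (null)
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def extract_sni(record: bytes):
    """Return the host_name sent in the clear, or None if the record is not a ClientHello with SNI."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 43  # record hdr (5) + handshake hdr (4) + version (2) + random (32)
        p += 1 + record[p]                                    # skip session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # skip cipher suites
        p += 1 + record[p]                                    # skip compression methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0] # end of extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:
                # skip list length (2) and name_type (1); name length is at p+3
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass  # truncated or non-TLS input: nothing to report
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # the hostname, in plaintext
```

Encrypted ClientHello (ECH) and encrypted DNS close this gap only when both sides deploy them; a capture in which `extract_sni` still returns a hostname is the leak the bullet above describes.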

Browsers

Webservers

Mobile Operating Systems

  • [ ] App permission models are lacking essential, obvious protections, including
    • The ability to deny an app Internet access
    • The ability to prohibit the app from identifying the user (phone number / email / accounts etc)
    • The ability to prohibit the app from retaining any unique persistent state
  • [ ] Numerous instances of manipulative privacy UI in iOS and Android
    • iOS lacks a convenient toggle for location services, and displays layers of strange red warnings when the user dives into the menus to (temporarily) disable it
    • Google Maps on iOS logs the user in by default (!!!) and then makes numerous dubious statements ("you're missing out", etc) to try to get the user to log in.

Desktop Operating systems

App stores

  • [ ] The Apple Store censors a wide range of app types (wildly exacerbated by Apple prohibiting alternative app stores, and making sideloading impossible for regular users)
  • [ ] Google's Play Store censors essential privacy apps such as Disconnect (as well as adblockers like Adblock Plus)
  • [ ] App stores do not cleanly expose version histories, hashes, and raw apps for security auditing purposes.
  • [ ] the Apple Store prohibits most free/open source code from being included in apps

Major Web Services

  • [ ] Manipulative UI: Google tries hard to manipulate users into enabling Web History, undermining the weak 18 month search history blurring in Google's privacy policy.

Laws
