Liferea privacy/security queries

12 replies [Last post]
biosprob
Offline
Joined: 10/10/2015

As a newb, I don't know how to check for this sort of thing, so if someone could inform me how that would be much appreciated:

I use Liferea to keep up to date with a few different sites and it dawned on me that I don't know how it is able to load pages within its console. Does Liferea connect to pages through https? That it's connecting to websites, doesn't that mean it is doing so without any script-blockers, ad-blockers etc. that I use in my browser?

I use Liferea to update me of any changes, and I right click on the links and open in an external browser.

Is this not "leaking" identifiable information?

How do I go about viewing what information is being exchanged between Liferea and the subscribed sites?

onpon4
Offline
Joined: 05/30/2012

Whether the connection is secure would depend on the server you're getting information from. It's nothing to do with Liferea specifically. If the URL starts with "https", it's encrypted. If it starts with "http", it's not. This is true of Web browsers, too.

But note that the actual information in feeds is usually public. What would matter the most to a snooper is metadata: what feeds you're following, specifically. Encrypting a connection does nothing to prevent this kind of snooping. You need to use Tor to protect your anonymity: route your requests through proxies to obfuscate the location you're requesting information from. Whether the hassle of setting up Liferea to route through Tor properly is worth it is up to you. The easiest way to get that working is through Tails. (Tails is not a libre distro, I should note; it contains proprietary firmware blobs. But if you have a computer that doesn't have any hardware needing proprietary firmware like one of Think Penguin's computers, that firmware obviously won't run.)

biosprob
Offline
Joined: 10/10/2015

Ok so I can assume that trackers are able to obtain information through ads and other scripts regardless of whether it's connected by https or not, as these are not blocked by any means in Liferea.

I might see about routing it through Tor. I might also consider a VPN.

onpon4
Offline
Joined: 05/30/2012

Ads? I haven't seen any case of RSS or Atom feeds containing ads. Also, I don't know if scripts are even technically possible, but if they are, they are very unusual. Keep in mind that an RSS or Atom feed is nothing more than an XML file which is checked periodically. Other than tracking the fact that you checked that XML file, the only other way I can think of is through images linked to from the description (and this is one unfortunate privacy shortcoming in Liferea; it really ought to do what email clients do, only load the images when you click a button or something).

Discounting images, an attacker would have to go through your ISP, through the party sending you the information, or by intercepting a transmission (like a WiFi signal) somewhere.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Indeed. However, Liferea has a built-in browser that can interpret JavaScript. That feature can be disabled from the related tab in Tools/Preferences.
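One way to see what a feed would make a reader fetch beyond the XML file itself, given here as an added example that is not part of the thread and not Liferea code: it parses an RSS 2.0 feed and lists every image, script or frame embedded in item descriptions, flagging third-party hosts and plain-http loads. The sample feed, host names and the `audit_feed` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample feed; none of these hosts are real.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Example</title><link>https://blog.example/</link>
<item><title>Post one</title><link>https://blog.example/1</link>
<description>&lt;p&gt;Hello&lt;/p&gt;&lt;img src="http://pixel.tracker.example/o.gif?u=42" width="1" height="1"&gt;</description></item>
<item><title>Post two</title><link>https://blog.example/2</link>
<description>&lt;img src="https://blog.example/cat.png"&gt;&lt;script src="https://cdn.stats.example/a.js"&gt;&lt;/script&gt;</description></item>
</channel></rss>"""

# Elements that make a rendering engine issue a request on its own.
SRC_TAGS = {"img", "script", "iframe", "embed", "audio", "video", "source"}

class _Collector(HTMLParser):
    """Collects (tag, url) for every auto-loading element in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in SRC_TAGS and src:
            self.found.append((tag, src))

def audit_feed(xml_text, feed_host):
    """Return (item title, tag, url, flags) for each embedded resource."""
    # For feeds fetched from the network, parse with defusedxml instead.
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        collector = _Collector()
        collector.feed(item.findtext("description", default=""))
        collector.close()
        for tag, url in collector.found:
            parts = urlparse(url)
            flags = []
            if parts.scheme == "http":
                flags.append("unencrypted")      # visible to anyone on the path
            if parts.hostname and parts.hostname != feed_host:
                flags.append("third-party")      # a host other than the feed's
            if tag == "script":
                flags.append("script")           # runs only if JavaScript is on
            findings.append((item.findtext("title", default=""), tag, url, flags))
    return findings

if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED, "blog.example"):
        print(finding)
```

Each flagged URL is a request the feed reader's built-in browser would make when the item is displayed, separate from the periodic fetch of the feed file.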

northernarcher
Offline
Joined: 12/24/2014

If you can, make it connect through Tor.

Jane
Offline
Joined: 09/02/2014

How should we configure Liferea in Trisquel so that it connects through Tor?