Feature #16381
Investigate the outgoing network connections of Etcher
10%
Description
It looks like Etcher / Balena now shows users advertisements.. :(((((
https://github.com/balena-io/etcher/issues/2599
Also reported here: https://www.nextinpact.com/news/107525-tails-3-12-fait-evoluer-sa-methode-dinstallation-quels-changements-concrets.htm (credentials available via Tails press team).
I think we need to investigate this and eventually change tools :(
(:sajolida: wants to track this)
Subtasks
Related issues
Related to Tails - |
In Progress | 2017-08-24 | |
Related to Tails - Feature #16553: Consider using Rawrite32 to install from Windows | In Progress | 2019-03-13 | |
Related to Tails - Feature #17498: Test usbimager | Confirmed |
History
#1 Updated by sajolida 2019-01-28 18:45:35
- Target version changed from Tails_3.12 to Tails_3.13
#2 Updated by sajolida 2019-01-31 11:38:04
- Assignee deleted (
sajolida) - QA Check set to Info Needed
- Type of work changed from Research to Discuss
geb sent me a picture of Etcher displaying an ad while doing the copy to the USB stick.
We decided to go for Etcher because it was the only viable solution, especially on macOS.
I don’t think that Etcher displaying ads is a problem in itself. Do you?
We also use DuckDuckGo as our default search engine and they also have a business model based on advertizing…
#3 Updated by Anonymous 2019-02-03 13:55:59
- Assignee set to sajolida
- QA Check deleted (
Info Needed)
Besides advertisement as a means of financing, I think there are two problems with this:
- It seems to influence UX by distracting users. The developers promise to redesign this in the next versions. Let’s hope they do and then this concern would be solved.
- According to the above mentioned bug report these ads result in outgoing connections that a user might not have agreed to. I find this a tiny bit more concerning, as every time you run Etcher, this will result in some tracking somewhere. I’m not sure this is something we want to be associated with.
#4 Updated by sajolida 2019-02-04 10:53:46
- Assignee deleted (
sajolida)
> It seems to influence UX by distracting users.
The screenshop I saw was showing ads while burning the image, so I’m not really concerned about distracting users at this point. I haven’t seen them myself but I will next time I test Etcher on macOS.
Regarding background online activity, did you check the Internet traffic generated by these ads? How does it look like?
#5 Updated by Anonymous 2019-02-04 13:14:18
I have not checked it myself, but I’ve asked upstream about it on their bugtracker.
#6 Updated by intrigeri 2019-02-05 12:01:33
> Regarding background online activity, did you check the Internet traffic generated by these ads? How does it look like?
In particular, it would be concerning if this activity included info about the image being installed as this would leak to 3rd-parties the fact someone is installing Tails from a given IP.
#7 Updated by sajolida 2019-02-06 08:52:08
If you think that investigating this should be part of UX core work, please mark it as blocking Feature #16080. But it’s not clear to me who’s responsability it is to investigate this further.
#8 Updated by intrigeri 2019-02-06 10:42:24
> If you think that investigating this should be part of UX core work, please mark it as blocking Feature #16080. But it’s not clear to me who’s responsability it is to investigate this further.
It’s not clear to me either, given the decision to use Etcher was made before this specific problem appeared. However, my analysis below shows that a much more pervasive class of privacy and security problems were there right from the beginning, so it seems that we missed a step in our decision making: evaluating Etcher’s source code from a privacy/security PoV. Anyway, my time machine is broken so let’s deal with the consequences and try to learn from this experience (bigger organizations have a security team that has to vouch for any new tool that’s chosen; we have none; but we could at least add this to our grant/project building checklist?).
Investigating could qualify as maintaining the IA or as FT work, perhaps depending on the needed skills. Lots of code reading is needed so let’s call the initial analysis FT work.
I took a look at the source code. Keep in mind that the app is built from dozens of NPM (nodejs) dependencies that are not in the source tree; my analysis does not cover them and any of those could do include random tracking (aka. “analytics” these days) code.
Etcher is an Electron app, i.e. essentially a glorified webapp wrapped in a window; this is a rather common way to build a cross-platform app these days. It’s GUI is made of HTML + JS. Some of it is shipped in the app itself, some of it is dynamically fetched from balena.io at run time. So we clearly can’t even try to protect against “Balena knows that someone is using Etcher from $IP”. I did not check whether the web content retrieved at run time can inject arbitrary JS which could itself include tracking code.
The analytics
modules fetches its config over plaintext HTTP (and is then redirected to HTTPS but that’s too late). It uses mixpanel.com. I’m not sure I understood the code correctly but at first glance it seems that at least errors (and possibly more) will be reported there. So basically, an active MitM could have users report to an URL chosen by the attacker. “Interesting”.
Some of the outgoing HTTP requests include the Etcher version as a parameter. External modules, which I did not inspect, are used to perform HTTP requests.
The ads seem to be fetched from https://assets.balena.io/etcher-featured/index.html. I did not try to decipher the obfuscated/minified JS found there but at the very least, it seems to report to Google Analytics.
I’m stopping here. tl;dr is: Etcher is definitely not behaving as one would expect a privacy-friendly local app would. It’s behaving more like any random modern website, including all kinds of tracking technologies. Fixing this would require major changes so that’s unlikely to happen. It’s non-trivial to check whether the code reports to Balena or random third parties (such as Google, Mixpanel) what image is being installed; and even if we did this audit work now, our results would be invalidated by every new Etcher release. So it seems we have two options:
- Keep recommending Etcher and:
- Set the user’s expectations in a way that matches Etcher’s behavior. That’s UX, tech writing, and website integration work.
- Fix the worst issues such as fetching config over plaintext HTTP.
- Switch to another tool, that’s built with technologies that haven’t all these privacy and security problems. I’m not very hopeful there’s anything else suitable around but perhaps the landscape has changed since last time we checked.
I don’t think that “stick to an older version of Etcher” is a suitable option: this would be dangerous (given how Etcher does its job, we do need to ship security updates to users) and I think Etcher will ask users to upgrade anyway.
#9 Updated by Anonymous 2019-02-06 11:02:29
@intrigeri <3 thanks for analyzing this! We could for now discuss collectively what to do about that. I agree we have few options:
- writing documentation (as proposed above by intrigeri)
- reinvestigate the tool landscape and worst case use a different tool between macOS and Windows.
- we could report about the obvious problems (HTTP → HTTPS) on the upstream bugtracker and see what comes out of it (I don’t expect much on this front because an app built without privacy in mind would need to undergo substantial code changes to comply)
#10 Updated by lamby 2019-02-06 13:44:32
(Can someone post a screenshot here?)
#11 Updated by sajolida 2019-02-07 08:04:47
- Description updated
#12 Updated by sajolida 2019-02-07 08:12:18
Does Etcher report anything about the image being burnt?
In other words, is it telling to balena.io and Google:
- “Someone is using Etcher from IP w.x.y.z” or
- “Someone is installing Tails from IP w.x.y.z”
This would make a fundamental difference to me.
#13 Updated by intrigeri 2019-02-07 08:43:35
> Does Etcher report anything about the image being burnt?
As I wrote in my tl;dr above: “It’s non-trivial to check whether the code reports to Balena or random third parties (such as Google, Mixpanel) what image is being installed; and even if we did this audit work now, our results would be invalidated by every new Etcher release”.
#14 Updated by sajolida 2019-02-08 09:24:43
> As I wrote in my tl;dr above: “It’s non-trivial to check whether the code reports to Balena or random third parties (such as Google, Mixpanel) what image is being installed; and even if we did this audit work now, our results would be invalidated by every new Etcher release”.
Sorry I overlooked this.
#15 Updated by intrigeri 2019-02-08 10:53:51
> Sorry I overlooked this.
… and sorry my “tl;dr” was hidden in the middle of a long comment, which kinda defeats the purpose.
#16 Updated by Anonymous 2019-02-21 13:08:52
- Assignee deleted (
)
I won’t be able to handle this. FT?
#17 Updated by intrigeri 2019-02-22 08:03:29
- Status changed from Confirmed to In Progress
- Assignee set to sajolida
- % Done changed from 0 to 10
- QA Check set to Info Needed
I did all I could for now on Feature #16381#note-8, including describing the only two options I could think of. Next step is to decide which ones of these options we want to pursue. Both options will require collaboration between developers (probably FT since it would feel unfair to make this a USB image project deliverable) and UX, tech writers, and web devs.
Personally I think we should first give a try, in the cheapest possible way, to the 2nd option (look for another tool). I know it can’t be super cheap as someone will need to test the tool on Windows and macOS, and if we find a suitable tool, quite some doc will need updating. But if we find such a tool it’ll still be cheaper IMO than the other option.
sajolida, what do you think?
#18 Updated by sajolida 2019-02-22 18:40:30
- Tracker changed from Bug to Feature
- Subject changed from Investigate use of advertisements in latest version of Etcher to Investigate the outgoing network connections of Etcher
- Assignee changed from sajolida to intrigeri
I’m renaming this ticket to be about outgoing network connections, a privacy concern, and not ads in the abstract.
So the privacy concern here is about letting possible adversaries know that someone is installing Tails and, after intrigeri’s analysis, we can’t have guarantees regarding this by the way Etcher uses analytics.
Regarding who could be affected, we’re talking here about people on Windows and macOS. Unless they are using Tor Browser, their ISP already knows they downloaded Tails. Our mirror operator knows this as well. If they are using Chrome (44% of the downloads), we don’t have any guarantees either that Google doesn’t know this already.
But yes, it could make a difference for people willing to be extra careful and downloading Tails from Tor Browser.
From a related upstream issue (https://github.com/balena-io/etcher/issues/2497), I learned that:
- Outgoing connections are not a requirements for all Electron apps.
- There’s a privacy settings in Etcher to disable reporting analytics but it’s buggy right now.
How would we feel if this setting was really cutting out all outgoing analytics and we advertized it to our users?
In the meantime, or additionally, we could ask them to clarify if they know whether the name of the image is reported in their analytics, to which degree of certainty and maybe ask them for a fix or more guarantees. And warning them about the HTTP connections (I didn’t find anything about this on their bug tracker).
Regarding looking for other tools:
- macOS: I tried converting our IMG to DMG for use with the native Disk Utility of macOS. [hdiutil](https://wiki.osdev.org/Hdiutil) happily converts our IMG to DMG but then Disk Utility returns the same error with either of them. This leads me to believe that the problem is not that Disk Utility only works with DMG but that Disk Utility is not happy with the content of it, independently from it’s file format. I have very little hopes for macOS.
- Windows: I tried again Rufus with our disk image. It works! It’s the first time I managed to make Rufus work. The GUI is still quite cryptic but at least it doesn’t seem to require super weird options anymore. Still, there’s a tiny different in the MBR between the IMG and the USB burnt by Rufus. Here is the diff:
+ +-- 27 lines: 00000000 33 c0 fa 8e d8 8e d0 bc 00 7c 89 e6 06 57 8e c0 |3........|.|+ +-- 27 lines: 00000000 33 c0 fa 8e d8 8e d0 bc 00 7c 89 e6 06 57 8e c0 |3........|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | 000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 01 00 ee fe ff ff 01 00 00 00 ff 0f 25 00 00 00 |............%...| | 000001c0 01 00 ee fe ff ff 01 00 00 00 ff 0f 25 00 00 00 |............%...|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | 000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
* | *
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.| | 000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...| | 00000200 45 46 49 20 50 41 52 54 00 00 01 00 5c 00 00 00 |EFI PART....\...|
00000210 52 66 c6 f9 00 00 00 00 01 00 00 00 00 00 00 00 |Rf..............| | 00000210 c5 6e 0b c4 00 00 00 00 01 00 00 00 00 00 00 00 |.n..............|
00000220 ff 0f 25 00 00 00 00 00 22 00 00 00 00 00 00 00 |..%.....".......| | 00000220 ff 7f ce 01 00 00 00 00 22 00 00 00 00 00 00 00 |........".......|
00000230 de 0f 25 00 00 00 00 00 a0 1d b8 17 1e 8b 69 42 |..%...........iB| | 00000230 de 7f ce 01 00 00 00 00 a0 1d b8 17 1e 8b 69 42 |..............iB|
00000240 9c 39 fe 5c 7b 9b 58 a3 02 00 00 00 00 00 00 00 |.9.\{.X.........| | 00000240 9c 39 fe 5c 7b 9b 58 a3 02 00 00 00 00 00 00 00 |.9.\{.X.........|
00000250 80 00 00 00 80 00 00 00 c4 9f b9 1c 00 00 00 00 |................| | 00000250 80 00 00 00 80 00 00 00 c4 9f b9 1c 00 00 00 00 |................|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| | 00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
* | *
00000400 28 73 2a c1 1f f8 d2 11 ba 4b 00 a0 c9 3e c9 3b |(s*......K...>.;| | 00000400 28 73 2a c1 1f f8 d2 11 ba 4b 00 a0 c9 3e c9 3b |(s*......K...>.;|
00000410 7a 02 bf 34 01 80 93 4b 82 43 1f 9d 3d ce 7d e7 |z..4...K.C..=.}.| | 00000410 7a 02 bf 34 01 80 93 4b 82 43 1f 9d 3d ce 7d e7 |z..4...K.C..=.}.|
+ +--132714 lines: 00000420 00 08 00 00 00 00 00 00 de 0f 25 00 00 00 00 00 |........|+ +--132714 lines: 00000420 00 08 00 00 00 00 00 00 de 0f 25 00 00 00 00 00 |.......
#19 Updated by intrigeri 2019-02-23 07:27:31
- Assignee changed from intrigeri to sajolida
Hi!
> From a related upstream issue (https://github.com/balena-io/etcher/issues/2497), I learned that:
> * Outgoing connections are not a requirements for all Electron apps.
> * There’s a privacy settings in Etcher to disable reporting analytics but it’s buggy right now.
> How would we feel if this setting was really cutting out all outgoing analytics and we advertized it to our users?
If this was the case and Etcher upstream demonstrated a willingness to take such issues seriously, in a way that makes us confident future versions of Etcher won’t break this assumption again, then I would feel OK with this. After reading quite a few of the other related tickets, my level of confidence in this respect is pretty low, so even once one version of Etcher fixes that, IMO we should still do something in the spirit of “Set the user’s expectations in a way that matches Etcher’s behavior”, i.e. make it clear to our users that Etcher might leak basically any info to a bunch of third-parties (I understand Etcher auto-updates so even if we were ready to check the behavior of the version we self-host whenever we update it, it would not give us strong guarantees).
> Regarding looking for other tools:
> * macOS: […] I have very little hopes for macOS.
Bad news but thanks for (re-re-re-)trying!
> * Windows: I tried again Rufus with our disk image. It works! It’s the first time I managed to make Rufus work. The GUI is still quite cryptic but at least it doesn’t seem to require super weird options anymore.
Good.
> Still, there’s a tiny different in the MBR between the IMG and the USB burnt by Rufus. Here is the diff:
Happy to investigate this if we think it’s an option to recommend Rufus on Windows while still documenting Etcher for macOS. Personally, I have doubts about whether the extra work is worth it: as long as we recommend using Etcher anywhere, we’ll need to do Etcher-specific work anyway.
#20 Updated by sajolida 2019-03-08 08:46:07
Regarding setting the user’s expectations, we could of course
communicate about these privacy issues to people but if I’m a macOS user
and have no other option to install Tails it might not be useful
information anyway. It might also become quite a lengthy and paralyzing
explanation if we don’t want to sound overly scary about Etcher and make
it clear that a bunch of other third-parties might already know that
they are installing Tails unless they are using Tor Browser
(Feature #16381#note-18).
I’m not really convinced by the cost/benefit of such a speech but I
don’t mind giving it a try.
Regarding fixing stuff at Etcher, I’m up for drafting a comment for
https://github.com/balena-io/etcher/issues/2497 on behalf of Tails,
mentioning:
- The fact that we are now recommending Etcher, pointing to the number
of installs of Etcher (I can extra these numbers while onBug #16009). - Who is using Tails in the world and what for, which might raise the
bar in comparison with the previous commenters on this ticket. - That we are considering switching to other tools if we can’t have
stronger guarantees on how to block outgoing connections.
And see if they take the issue more seriously…
> Personally, I have doubts about whether the extra work is worth it: as long as we recommend using Etcher anywhere, we’ll need to do Etcher-specific work anyway.
Before USB image, Windows users were 94% of Windows+macOS download. So
in terms of harm reduction, switching to Rufus might solve this privacy
problem for 94% of the people. This percentage hopefully changed now
that we are distributing USB image and installing on macOS is easier,
I’ll have better number in Bug #16009 but I still expect it to be > 75%.
Regarding the cost of switching to Rufus:
- The UX of Rufus is still quite more complex than Etcher so it will
have a UX cost (that I can’t quantify right now). - We’ll have to rewrite our instructions for Windows.
- We’ll have to investigate why Rufus is writing on the disk something
slightly different than the USB image, see Feature #16381#note-18. - And this time we should do a better security assessment of Rufus
before recommending it.
#21 Updated by sajolida 2019-03-08 08:47:58
- Assignee changed from sajolida to intrigeri
intrigeri:
- Shall I spend time writing about our concerns to Etcher?
- Shall the FT spend time assessing Rufus?
#22 Updated by intrigeri 2019-03-11 09:28:20
- Assignee changed from intrigeri to sajolida
> Regarding setting the user’s expectations, […]
> I’m not really convinced by the cost/benefit of such a speech but I don’t mind giving it a try.
Understood.
> Regarding fixing stuff at Etcher, I’m up for drafting a comment for https://github.com/balena-io/etcher/issues/2497 on behalf of Tails, mentioning: […]
> And see if they take the issue more seriously…
Sounds great.
>> Personally, I have doubts about whether the extra work is worth it: as long as we recommend using Etcher anywhere, we’ll need to do Etcher-specific work anyway.
> Before USB image, Windows users were 94% of Windows+macOS download. So in terms of harm reduction, switching to Rufus might solve this privacy problem for 94% of the people. This percentage hopefully changed now that we are distributing USB image and installing on macOS is easier, I’ll have better number in Bug #16009 but I still expect it to be > 75%.
This is very useful data! I don’t expect our user base will deviate substantially from global market share distribution for desktop OS (82% for Windows, 13% for macOS) so indeed, let’s assume that for the foreseeable future, we’ll always have much more Windows users than macOS users.
> Regarding the cost of switching to Rufus:
That’s quite a lot of work.
> * Shall I spend time writing about our concerns to Etcher?
I think it’s worth you spending a couple hours on the Etcher front to improve things for macOS (long term) and Windows (at least on the short term). But I’ve little hope and hopefully on the mid-term it’ll affect only macOS so with the data you’ve provided in mind, I would suggest you don’t invest too much into this.
> * Shall the FT spend time assessing Rufus?
I think it’s worth spending some time assessing alternatives for Windows. Now, given Rufus does not write the raw disk image as-is even and it’s unclear if it’s part of its core mission, I’m not sure it’s the best tool for the job. I’ve looked for our past survey(s) of available tools and could not find it. Do we have data somewhere that explain why we’ve rejected other tools, such as:
- Win32 Disk Imager (screenshots
- NetBSD’s Rawrite32
- ImageUSB
?
Finally, wrt. Rufus, upstream seems to take privacy concerns seriously: https://github.com/pbatard/rufus/wiki/FAQ#rufus-connects-to-the-internet-but-i-never-allowed-it-to---why :)
#23 Updated by sajolida 2019-03-13 14:27:46
- related to
Feature #14447: Consider using Win32 Disk Imager to install from Windows added
#24 Updated by sajolida 2019-03-13 14:29:01
- related to Feature #16553: Consider using Rawrite32 to install from Windows added
#25 Updated by sajolida 2019-03-13 14:31:45
>> Regarding fixing stuff at Etcher, I’m up for drafting a comment for https://github.com/balena-io/etcher/issues/2497 on behalf of Tails, mentioning: […]
>> And see if they take the issue more seriously…
>
> Sounds great.
Ok, that’s a next step. I’ll do it once I have the data from Bug #16009.
> That’s quite a lot of work.
>
>> * Shall I spend time writing about our concerns to Etcher?
>
> I think it’s worth you spending a couple hours on the Etcher front to improve things for macOS (long term) and Windows (at least on the short term). But I’ve little hope and hopefully on the mid-term it’ll affect only macOS so with the data you’ve provided in mind, I would suggest you don’t invest too much into this.
Yeah, I think that testing their reaction with a comment will be a good
start and then we can reassess.
> I’ve looked for our past survey(s) of available tools and could not find it.
https://tails.boum.org/blueprint/usb_install_and_upgrade/usb_bootable_disk_image/#index4h2
:)
> Do we have data somewhere that explain why we’ve rejected other tools, such as:
>
> * Win32 Disk Imager (screenshots
This one is worth testing again indeed! I reopened Feature #14447.
> * NetBSD’s Rawrite32
Never heard of this one. I’ll test it on Feature #16553.
> * ImageUSB
It seems to be freeware but not free software. I didn’t think this would
be an option, but happy to include it if you think it is. Windows is not
free software either :)
#26 Updated by intrigeri 2019-03-15 16:11:51
>> * ImageUSB
> It seems to be freeware but not free software. I didn’t think this would
> be an option, but happy to include it if you think it is. Windows is not
> free software either :)
Forget this one then. It’s one thing to do with the pre-existing crappy constraints we have no power on (many people use Windows), it’s another thing to encourage folks to install more non-free software.
#27 Updated by sajolida 2019-03-18 11:30:56
- Target version changed from Tails_3.13 to Tails_3.14
#28 Updated by CyrilBrulebois 2019-05-23 21:23:30
- Target version changed from Tails_3.14 to Tails_3.15
#29 Updated by intrigeri 2019-06-02 15:13:27
- QA Check deleted (
Info Needed)
#30 Updated by sajolida 2019-06-03 16:57:05
- blocks
Feature #16080: Core work 2018Q4 → 2019Q2: User experience added
#31 Updated by sajolida 2019-06-06 18:53:21
- blocked by deleted (
)Feature #16080: Core work 2018Q4 → 2019Q2: User experience
#32 Updated by sajolida 2019-06-06 18:55:20
- blocks
Feature #16688: Core work 2019Q3 → 2019Q4: User experience added
#33 Updated by sajolida 2019-06-06 18:56:33
- Target version changed from Tails_3.15 to Tails_3.16
#34 Updated by sajolida 2019-07-20 20:50:54
Downloads stats for Etcher in April (28 days) are:
- Etcher-Portable.exe : 17463 88%
- Etcher.dmg : 2330 11%
- Total : 19793
#35 Updated by sajolida 2019-07-20 20:56:07
I tested the 2 alternatives that we identified for Etcher. See Feature #16553 and Feature #14447.
They are both okayish but with more UX pain points than Etcher and are little maintained.
I’m tempted to contact their upstream and see if they would be interested in fixing those glitches, possibly for money.
It would also be good to have someone from the Foundations team do a security and sustainability audit of both options.
I’ll wait until we decide something on this front before writing to Etcher.
@intrigeri: What do you think?
#36 Updated by sajolida 2019-07-22 12:34:32
In https://github.com/balena-io/etcher/issues/2497 Balena says that they fixed Etcher not respecting the privacy setting (aka “Anonymously report errors and usage statistics to balea.io”). It might be worth running Wireshark on it again and see what the difference really is.
#37 Updated by sajolida 2019-07-22 17:17:16
- Category set to Installation
#38 Updated by sajolida 2019-08-26 09:43:37
- Assignee deleted (
sajolida) - Target version deleted (
Tails_3.16)
I think that the next step belongs to the Foundations Team.
#39 Updated by sajolida 2019-11-21 17:55:25
- blocked by deleted (
)Feature #16688: Core work 2019Q3 → 2019Q4: User experience
#40 Updated by sajolida 2020-02-23 18:41:20
- related to Feature #17498: Test usbimager added