Bug 229989

Summary: Akregator allows feeds to gather data on article reading habits
Product: [Applications] akregator Reporter: Jaak Ristioja <jaak>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED    
Severity: normal    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Unspecified   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar situation.

Description Jaak Ristioja 2010-03-08 20:21:17 UTC 
Version:            (using KDE 4.4.1)
Installed from:    Gentoo Packages

When opening an article, Akregator automatically downloads all requisites found in the <description> (e.g. if images etc are specified in HTML; perhaps even flash or AJAX?). Generally this generates extra HTTP(S) requests to remote server(s), leaking information about the users activities, i.e. which articles they browse, and possibly info about how long they read an article before switching to another article, etc.

The man in the middle, even when the user is using HTTPS, has quite good chances to figure out the exact articles being read (given he can determine the endpoint of the HTTPS connection), which are probabilistically among those new articles which the user has not previously read.

Hopefully it will be configurable per-feed, whether such requisites are downloaded or not, and with an action somewhere to force download of requisites of the article currently open.

Please fix these privacy leaks. Thanks!
Comment 1 Jaak Ristioja 2010-06-02 11:45:35 UTC 
Created attachment 47598 [details]
Screenshot of (an unbranded version of) Mozilla Thunderbird handling a similar situation.

This is also what Akregator could do on a per-feed basis. An "always show remote content" checkbox could also be added to the feed properties dialog.
Comment 2 Denis Kurz 2016-09-24 19:43:55 UTC 
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug still present?

If noone confirms this bug for a Framework-based version of akregator (version 5.0 or later, as part of KDE Applications 15.08 or later), it gets closed in about three months.
Comment 3 Denis Kurz 2017-01-07 21:54:06 UTC 
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.
Comment 4 Jaak Ristioja 2018-03-14 20:51:48 UTC 
(In reply to Denis Kurz from comment #3)
> Just as announced in my last comment, I close this bug. If you encounter it
> again in a recent version (at least 5.0 aka 15.08), please open a new one
> unless it already exists. Thank you for all your input.

Since this still happens with at least version 5.5.3, I now filed a new bug: https://bugs.kde.org/show_bug.cgi?id=391865