
TOPIC:

Custom modules: request for additional information about privacy and security 1 week 1 day ago #1

  • ungeahnt
Hi,

on the page Modules and themes various custom modules are listed. While testing the 'topola module' I noticed that the wt privacy settings are completely ignored and that all GEDCOM data seems to be transferred to a third server for processing.

webtrees itself is a very secure software and I was surprised to see custom modules listed here - without any warning - that completely bypass the privacy settings.

Of course webtrees has no influence on what software and custom modules an admin installs. Also webtrees can never check all modules 100% for their trustworthiness. However, it would be helpful that every module developer who lists his modules on this page provides a self-disclosure about the compliance with wt privacy settings and a general risk assessment. Like:

- Compliance with wt privacy settings (control panel -> 'Privacy'): yes / no
- Data are transmitted to third parties: yes / no
- General risk rating: low (e.g. css/layout mods) to high (e.g. read/write database/GEDCOM data)

Of course, one is responsible for what he or she installs, but you could see at first glance whether a module is suitable at all.

Is it possible to include this information by default?

Greetings
Dieter
Schmidt ⚭ Schwab (Sudetenland) | Hauer ⚭ Bühler (Bayern / BW) | Маринов ⚭ Шаламанова (BG)
webtrees 2.0.17 | PHP 7.4 | MariaDB 10.3.27 | Apache 2.4 | Debian 4.19.181-1 (2021-03-19) x86_64


Custom modules: request for additional information about privacy and security 1 week 1 day ago #2

  • bertkoor
Hmmm, I'm not so sure... Have you read pewu.github.io/topola-viewer/#/ ?

> When using the "load from file" option, this site does not send your data anywhere and files loaded from disk do not leave your computer.
> When using "load from URL", data is passed through the cors-anywhere service to deal with an issue with cross-site file loading in the browser (CORS).


Edit: the issue was already reported to the author of that module:
github.com/PeWu/topola-webtrees/issues/12
It won't hurt if you report your findings in that issue tracker as well.

I saw in the source code an attempt at checking access. No idea what's wrong there...
stamboom.BertKoor.nl runs on webtrees v1.7.13


Custom modules: request for additional information about privacy and security 1 week 1 day ago #3

  • ungeahnt

> Hmmm, I'm not so sure...


Hi Bertkoor,

first to the topola module: I've seen the GitHub issue and I've also seen that there has been no activity since May '21. So maybe this is the 'final' state? I have understood the functionality in such a way that the GEDCOM data is sent to pewu.github.io/topola-viewer and this site will be embedded as an iframe in wt. Besides this 'send functionality' I couldn't find code - in the module source files - that's able to generate the graphics output. Therefore, I assume that the GEDCOM data goes to third parties. Should I be wrong, then just let me know.

And second: the topola-module is only one example. I think that the requested information about the basic concept (regarding privacy and security) would be very helpful for all users.
Dieter

Custom modules: request for additional information about privacy and security 1 week 1 day ago #4

  • ungeahnt

> When using the "load from file" option, this site does not send your data anywhere and files loaded from disk do not leave your computer.
> When using "load from URL", data is passed through the cors-anywhere service to deal with an issue with cross-site file loading in the browser (CORS).


btw: I understand it in the way that if you use "load from file", the topola-server 'pewu.github.io' does not send the data to others ... but you send your GEDCOM data to topola. Additionally when loading via URL, a fourth party comes into account (CORS).

Please do not misunderstand: I am not interested in whether this is a trusted server or not. It's just about having a short overview of how the respective module is designed.
Dieter

Custom modules: request for additional information about privacy and security 1 week 18 hours ago #5

I have had some exchanges with Greg on this. Webtrees sends your entire GEDCOM file, filtered by your current access level, to the topola server.

However, someone has some details (e.g. "I logged out of webtrees, and the topola tree shows living people"), then he is inclined to believe it is working as intended.
Rob
www.skatekey.net (webtrees beta GitHub)
PHP 8.0.13, Apache 2.4.43,
Hosted at tigertech.net


Custom modules: request for additional information about privacy and security 1 week 12 hours ago #6

  • ungeahnt

> I have had some exchanges with Greg on this. Webtrees sends your entire GEDCOM file, filtered by your current access level, to the topola server.

So, when I am logged in as admin and use the topola module, the 'detailed' GEDCOM data with the admin privacy settings will be sent to topola. That's clear. When I logged out and used the topola module again, I saw private details of living people in my tests. So maybe the former GEDCOM data (with admin privileges) is stored or cached on the topola server (or somewhere else, like CORS)?

> However, someone has some details (e.g. "I logged out of webtrees, and the topola tree shows living people"), then he is inclined to believe it is working as intended.

Sorry, I don't understand what you mean by that.
Dieter

Custom modules: request for additional information about privacy and security 1 week 7 hours ago #7

  • fisharebest
> Sorry, I don't understand what you mean by that.

Someone just said "privacy is ignored" - with no further details.

If they had said "visitors get to see living individuals which should be private" - then there is something that I could investigate.
Greg Roach - fisharebest.webtrees.net


Custom modules: request for additional information about privacy and security 5 days 11 hours ago #8

  • ungeahnt

> > Sorry, I don't understand what you mean by that.
>
> Someone just said "privacy is ignored" - with no further details.
>
> If they had said "visitors get to see living individuals which should be private" - then there is something that I could investigate.


ok, there I feel slowly addressed ;)

As I said, topola is only one of the modules and what kind of modules will come in the future nobody knows. That's why I created this thread and asked to extend the information about the modules by the aspects 'privacy' and 'security'.

The discussion about topola should rather be moved to a new thread. Whoever wants to can do this and if there are still questions, then I can also give feedback. Since there was not even a response from the developer on the open issue and topola in my opinion processes the data externally, it was no longer interesting for me.
Dieter