As discussed here https://github.com/mumble-voip/mumble/commit/b1e8910c606c9f4e88e0f9016b54367643762696#r40193255 and https://github.com/mumble-voip/mumble/issues/4070
the Server-Browser as it is now is a potential privacy leak.
Reason:
The clients ping all servers on the list; it is easy for someone to set up a server to get IPs (and, as I assume, even more information, like what client version is used etc.) of all Mumble users.
I think disabling the public server list (https://github.com/mumble-voip/mumble/pull/4316) is not sufficient for two reasons:
I think this should be fixed.
Potential solutions include:
your public-list-server could ping the servers instead. This way it is ensured that a server is online and connectable.
In that case the whole ping metric would be confusing since it wouldn't be _your_ latency anymore but the latency of some random server the user doesn't care about.
I think people who are that paranoid about being tracked would use TOR or a VPN anyways or would just punch in the address of the server they want to use manually.
> I think people who are that paranoid about being tracked would use TOR or a VPN anyways or would just punch in the address of the server they want to use manually.
Exactly
I don't think this is necessary. If you don't want to share your IP address with unknown servers, then don't use the public server list (as will be possible once #4070 has been implemented).
If you are even afraid of sharing your IP address with your set favorite servers, then you can't connect to any server at all as that requires sharing your IP address.
I just don't see this as something that problematic :shrug:
> In that case the whole ping metric would be confusing since it wouldn't be your latency anymore but the latency of some random server the user doesn't care about.

You misunderstand, the pinging in my idea is not about showing the ping in the list, it is there to ensure that the server that is reported is online and connectable.

> If you are even afraid of sharing your IP address with your set favorite servers, then you can't connect to any server at all as that requires sharing your IP address.
Nonsense, it should be my decision who gets the IP.
It is unnecessary that every server gets it (I assume it's even more information).
In general:
I don't understand why this shouldn't be implemented, the misuse scenarios are obvious.
> I assume it's even more information
It's a single UDP packet (per ping) with 16 bytes of data. One half of which are 0s (for the server to fill in) and the other half is a timestamp with random offset (presumably to obfuscate timezone, though that's not clear from the code).
I mean, actually most of the logic should already be present since there are booleans that control pinging and name lookup.
However I have no clue what these have to do with the proxy settings.
However I don't think it's a good idea to add more clutter to the UI or make the usage less intuitive (like requiring the user to click on a server to ping it) for a feature that the average user doesn't care about.
We could expose these settings in the config file. People who have enough tech know-how to care about something like this should also be comfortable with editing config files.

> Nonsense, it should be my decision who gets the IP.
Absolutely. If you don't want to share your ip address don't use the public server list.
> I don't understand why this shouldn't be implemented, the misuse scenarios are obvious.
They are not. The only example you have provided in the discussion on the commit was invalid.
And why it shouldn't be implemented is simple: we don't want to bother the users at every corner to agree or disagree to a certain thing. That'd suck in the same way as all those cookie notifications on websites suck.
And even if you always default to how things are right now and only provide the option in the settings, it's just not worth it.
Imo the cost/benefit ratio definitely sucks for this proposal...
> Imo the cost/benefit ratio definitely sucks for this proposal...

You already implemented a warning, what's the cost of letting the user decide to use the public server list without pings or per server click pings?
I think this would even be the better solution than letting them disable it.
You got much more nonsense options everywhere.
> You got much more nonsense options everywhere.
And that's a reason for adding another one?
> I think this would even be the better solution than letting them disable it.

It's not. For someone who really has to take care about their IP, even pinging the Mumble main server to fetch the list could be problematic (as this goes through a DNS).

> You already implemented a warning
That's a legal issue in the EU. Kind of a different issue than this.
@Popkornium18
> You already implemented a warning
> That's a legal issue in the EU. Kind of a different issue than this.

To avoid potential confusion I am talking about this: https://github.com/mumble-voip/mumble/commit/b1e8910c606c9f4e88e0f9016b54367643762696#diff-c2d2054c7e3047e3d86945781dcea8b9R1275
I assume you refer to that as well.
Then I don't see much difference, because you implemented the warning for everyone.
My "idea" might not be a legal requirement (though that is a debate on its own), but it would just be one small additional step for the users, allowing users to use the public server list in a more privacy friendly manner.
> We could expose these settings in the config file. People who have enough tech know-how to care about something like this should also be comfortable with editing config files.

While I disagree with not implementing it in the UI, I appreciate the potential implementation :+1:.
I find the argument that only users who are able to edit a config file or configure VPNs, Tor (...) are worthy for extended privacy protections is a little bit ridiculous and also discriminatory.
Pinging every stupid server in a country when I only want to look and connect to a specific server is unnecessary. How often do you choose a server by ping latency (+/- 10ms) only? And how much does it tell me about the ping latency for all participants?
I don't see the enormous costs in giving a user the choice between no server list at all and the server list without pings.
> I don't see the enormous costs in giving a user the choice between no server list at all and the server list without pings.
Then go ahead and implement it :shrug:
> I find the argument that only users who are able to edit a config file or configure VPNs, Tor (...) are worthy for extended privacy protections is a little bit ridiculous and also discriminatory.
That's just a straw man argument. Never said that.
I agree. Since you guys are very vocal and extremely passionate about this issue it would only be fitting if you would implement it.
> That's just a straw man argument. Never said that.
What did you say then? Or is your argument also just a straw man argument?
> I agree. Since you guys are very vocal and extremely passionate about this issue it would only be fitting if you would implement it.
Again, only the coders are worth to have an opinion about privacy?
> What did you say then? Or is your argument also just a straw man argument?

My point is that some amount of technical knowledge is required to even _understand_ the privacy implications of the public server browser and that it is a reasonable assumption that people with this much technical knowledge are also able to modify a config file. I didn't say anything about "worth". Other projects make the same assumption. That's why you have to go to about:config in Firefox to turn off WebRTC or stuff like that, because people that care and understand the issue can still turn it off while non-technical users aren't confused by all the clutter in the regular settings menu that they don't understand.

> Again, only the coders are worth to have an opinion about privacy?

No, you can have your opinion, but nobody is paid to develop Mumble. Why would anyone use their precious free time to implement features they do not care about for no pay? If you want to make someone else implement it, put a bounty on this issue. If you don't want to do that, you'll have to wait for someone that wants to implement it :shrug:
Tbh the whole "only XY are worth of privacy" argument is really pushing me even further away from implementing this. I think the whole argument is pretty silly and doesn't get us anywhere.
And besides: If a non-tech-savvy user cares about privacy, they can disable the public server list. We added a switch for that right there when you try to use the list for the first time.
Thus this issue isn't even about the privacy concern, but rather about you not liking the implementation. Therefore the whole privacy-thing at this point is more or less a strawman-argument.
While I do agree that there are possibilities to improve the current implementation, I just don't think it's worth it as I don't think a lot of users will care about their IP address being sent to the servers for a ping. Thus I think my time is much better spent on other issues than this one, 'cause the changes that are required in order to make the public server list usable without the pings require backend-changes and is therefore not a matter of "just fixing" it.
If this is very important to you, then we're back at what Popkornium said: You either have to do it yourself or have to pay someone to do it for you. That's simply because the devs are either fixing/improving what they need or what they think will benefit big parts of the user base. And currently this issue just doesn't appear to fulfill either criteria.
So I don't want to start a fight here, but to get some things straight (note this is also about principle in general not only about this specific feature):
> My point is that some amount of technical knowledge is required to even understand the privacy implications of the public server browser and that it is a reasonable assumption that people with this much technical knowledge are also able to modify a config file.

That's exactly the point.
Privacy shouldn't be only something for people who understand the technical details.
So by default there should be an implementation that respects/ensures privacy.
> Why would anyone use their precious free time to implement features they do not care about for no pay?
Because there are some things that simply have to work or be fixed:
I don't say "you have to implement feature xy" but I say "you have to make the software secure and respect privacy".
I think that's valid.
Of course no one has to do anything (in an open source project).
But either you communicate that something is insecure or it needs to be fixed, everything else is bad (and often even illegal) behaviour.
> And besides: If a non-tech-savvy user cares about privacy, they can disable the public server list. We added a switch for that right there when you try to use the list for the first time.
> Thus this issue isn't even about the privacy concern, but rather about you not liking the implementation.
I already explained before that this is a bad point of view.
It says "don't use the feature or accept bad privacy".
That's not how things should work.
> 'cause the changes that are required in order to make the public server list usable without the pings require backend-changes and is therefore not a matter of "just fixing" it.
Is it really that complicated?
I would imagine that you disable two things:
One more argument:
I just checked TeamSpeak and they don't seem to have pings implemented.
I guess that's for a reason.
I think we are discussing two use cases of the public server list here and it is worth pointing them out separately:
For the latter case you very probably want the pings.
For the first I can see how no pings may be viable. But a search or filter functionality is missing (I was kinda thinking we had something like that but I guess not part of the referenced PR).
Currently the pings are an integral component of the public server listing. I think the consent thing is a good thing and clarifies what it does even for novice users. (Although I would like to improve on it.)
I guess we could offer the option to list servers without ping status. I do think this is a very niche thing for very concerned users. But the setting would be publist, publist without pings, no publist.
I was initially very sceptical, and the question of who would implement this is still open, but I think that this would be viable.
It is very niche, users do not have to use the server list (we have many alternatives; direct favs, pasting from copied address, clickable urls). For the most part this is academical. Most users will not care, and I would imagine even the publist itself is not used by the majority of users.