Zulip-desktop: Disable Zulip telemetry? Client connects to domains other than self-hosted server.

Created on 5 Apr 2019  路  18Comments  路  Source: zulip/zulip-desktop

All,

I am using the Zulip desktop client on macOS. I noticed the client tries to connect to the following domains (even without any content pasted in a channel that's related). Can the code be scrubbed to make sure the client doesn't send data to any place other than the Zulip server it's connected to?

Domains Zulip client has reached out to:

github.com
google.com
sentry.io
tabbott.net
gravatar.com

Enhancement Question in progress

Most helpful comment

gravatar.com
Not sure about this too. Maybe, some dependency we have uses this. Will have to look deeper for this.

This is used to fetch server tab icons. Icons are stored at gravatar.

All 18 comments

tabbott.net

Not sure where this is used, but all the others are present because we're using their tech to handle some tasks (for example, we use sentry.io for error logging).

We can probably intercept requests being sent by the app by using this Electron API, but I'm not sure if we have appropriate error-handling mechanisms on the app to take care of crashes if the app doesn't get data from these URLs.

Will need to check all the cases in which these requests are made.

Most of the domains you mentioned have one or other use in the functioning of the app.

  • github.com
    Used to auto-update the application.
  • google.com
    Used to resolve proxy (get proxy settings from system).
  • sentry.io
    Used for error logging and reporting to admins.
  • tabbott.net
    Not sure where this is being used. Maybe @akashnimare can shed some light on this..
  • gravatar.com
    Not sure about this too. Maybe, some dependency we have uses this. Will have to look deeper for this.

gravatar.com
Not sure about this too. Maybe, some dependency we have uses this. Will have to look deeper for this.

This is used to fetch server tab icons. Icons are stored at gravatar.

gravatar.com is used by the web app. And probably tabbot.net too.

zulip.tabbott.net is an alternative hostname for chat.zulip.org. I don't understand why the desktop app would be connecting to that hostname, though, unless it was explicitly requested.

No requesting to tabbott.net from the desktop app's side so it's mostly coming from the webapp. We might be using it somewhere.

Domains Zulip client has reached out to:
github.com
google.com
sentry.io
tabbott.net
gravatar.com

@sunrez ^^ all these urls are the part of the desktop + web app and we need to request them in order to have xyz features. For an example, we use github.com to update the desktop app to a newer version and if you block that url then you won't be able to get the auto-updates feature. Same goes with other urls as well. They are harmless + official part of the desktop + web app.

Hi guys,

First, all of your hard work and contributions is appreciated, really! I've tried a bunch of other apps (i.e. Mattermost, Rocket.chat) and find the features of Zulip to simply excel.

While I understand that you are using certain modules which rely on these external sites, can you put some option somewhere to enable / disable (i.e. opt-in or opt-out) this behavior?

I self-host Zulip for numerous reasons, one because I know the data isn't flowing through someone else's servers and I have control . Frankly, I think this is a major reason why people would self-host, as opposed to using something like Slack or Discord -- we know what data is going where. Funny enough, this capability is pretty true if you self-host Zulip and access via web browser (the web server doesn't need external connectivity) so it's strange the Desktop/Electron version has this stuff baked in.

Ultimately I know it would take time and effort to make these changes, and while it might seem like there's questionable "return on investment" it would be consistent with the idea of guaranteeing privacy and security to provide opt-in capability (for any feature that depends on an external site or service).

I think that's a reasonable request. The things we can potentially enable turning off are these:

  • github.com: An option to control whether auto-update runs. I think we already have one for whether to use the beta channel, and I think it's reasonable to offer an option to disable auto-update.
  • sentry.io: An option to control whether error reports are sent to the developer would be reasonable and standard.

This is fully under your control as the server administrator:

  • gravatar.com -- this comes from avatar images being served by Gravatar. That behavior is controlled by ENABLE_GRAVATAR in /etc/zulip/settings.py on your server -- not a desktop app issue.
  • Whether to render inline image and URL previews, which may require the app connecting to those URLs just like a browser would.

And this seems like something I don't understand the situation with:

  • google.com: From reading the code, I think we currently just use that URL to test the app's proxy configuration. It's unclear to me under what circumstances we would send a request to google.com directly, or if I'm missing something.
  • tabbott.net. You will need to provide details on what URL on tabbott.net is being requested; my guess is that it's an uploaded image or a server you connected to directly from the desktop app, because AFAIK we don't have any code to connect to that site. We have /etc/zulip/settings.py options to disable inline image previews for users who don't want that.

Okay, great. I think we could probably offer users to control the auto-update + sentry reports. @kanishk98, @vsvipul interested in this?

@akashnimare definitely interested.. Will look more into it in the evening.. Thanks for the update..

We already allow the user to turn off auto updates, right?
This is what it looks like on my app:

image

interested in this?

Definitely! @vsvipul since you're already looking into it, let me know how I can help.

google.com: From reading the code, I think we currently just use that URL to test the app's proxy configuration. It's unclear to me under what circumstances we would send a request to google.com directly, or if I'm missing something.

To get the proxy settings we need to pass an url to resolveProxy function, now that url can be literally anything. It could well be http://non-existing.domain as well and we would be able to retrieve the proxy configuration. We were unsure as to which domain to choose for this case, so we had chosen google.com. If needed we can change it to example.com instead.

If OP is building from source, you can change the url in the codebase to your internal url as well.

@zulipbot claim

Since we already allow an option to toggle auto-updates (from github.com), i've also made a PR to add an option to toggle Error Reporting (from sentry.io) in #732 .

I think using example.com would be a better choice for the proxy resolution check, since that's a special reserved domain that will never host an actual domain.

@timabbott Will make that change too in the PR.

Hello @vsvipul, you claimed this issue to work on it, but this issue and any referenced pull requests haven't been updated for 10 days. Are you still working on this issue?

If so, please update this issue by leaving a comment on this issue to let me know that you're still working on it. Otherwise, I'll automatically remove you from this issue in 4 days.

If you've decided to work on something else, simply comment @zulipbot abandon so that someone else can claim it and continue from where you left off.

Thank you for your valuable contributions to Zulip!

@zulipbot opened a PR waiting to be merged.

Was this page helpful?
0 / 5 - 0 ratings