WordPress and phone home

**ifranky** · 12-10-2009, 05:33 PM

Originally Posted by Otto

Knowing that 11% of all users run PHP 4 is very useful information.

Justs as useful as it would be for a hacker to know that 11% use WP2.8.1, especially when this data can be linked to urls.

And yes, Google does collect 'awesome data'.

**Otto** · 12-10-2009, 05:36 PM

Originally Posted by Elpie

So you trust MD5 hashes then? Decrypting these is not that difficult.

I'm sorry, but you are mistaken. "Decrypting" MD5 is not possible.

Brute force reversing an MD5 using a dictionary attack is possible, I grant you, for small sets of data (like unsalted passwords). However, there's no way on this planet for you to reverse this MD5 hash:
67b7f3f5b2575101804b136ffd2788f8

It cannot be done. Hashes are one-way functions.

**Brad** · 12-10-2009, 05:37 PM

Where specifically do you place that code? Into one file or several files and where in the file(s)? Thanks.

Originally Posted by Elpie

Yes, you can. The updates work just fine without the blog URL. This doesn't prevent too much information being sent with the theme and plugin update checks though.

You can also use this filter:

Code:

function privacy_remove_url($default)
{
  global $wp_version;
  return 'WordPress/'.$wp_version;
}

add_filter('http_headers_useragent', 'privacy_remove_url');

**chipbennett** · 12-10-2009, 06:19 PM

Originally Posted by Brad

Where specifically do you place that code? Into one file or several files and where in the file(s)? Thanks.

I assume one could place it in the theme's functions.php file.

**Brad** · 12-10-2009, 06:21 PM

I kind of thought that but want to be sure :)

Originally Posted by chipbennett

I assume one could place it in the theme's functions.php file.

**zamoose** · 12-10-2009, 08:22 PM

Originally Posted by chipbennett

I assume one could place it in the theme's functions.php file.

Or in a plugin residing in wp-content/plugins/ and correctly activated through the admin interface.

**Elpie** · 12-10-2009, 11:27 PM

A new plugin is going to be needed if the core team don't see sense on this.

For anyone looking at the plugins already available please note that the old 2.3 plugins can have unintended consequences.

The tinfoil hat plugin and Anonymous WordPress Plugin Updates plugin both replace the WordPress update.php core file. Those plugins use a modified update.php from WP 2.3. It is not advisable to use a hacked 2.3 file in a 2.8+ install.

Both plugins deal only with code that was around in 2.3. The HTTP API was not around then, but this uses the blog URL in the user-agent string. The old plugins don't prevent the sending of that user-agent.

Neither of these plugins anonymise the data sent with theme update checks (which weren't around in 2.3).

Finally, the so-called Anonymous WordPress Plugin Updates plugin is not anonymous - it simply replaces the blog URL with an URL for http://privacy.org
While the sentiments are understandable, using someone else's URL and sending this into the WordPress data collection is unethical at the very least.

At this point, there are some good plugins for disabling update checks altogether but no plugin for anonymising or removing data from the capture.

**Brad** · 12-10-2009, 11:59 PM

So the plugins for disabling update checks altogether effectively keep the data from being captured, is that correct? Specifically, what are those plugins?

and . . . what you are hoping for is a plugin that allows upgrades to continue but removes the questionable data if the powers that be are not willing to correct this issue.

**Elpie** · 12-11-2009, 01:22 AM

Originally Posted by Brad

So the plugins for disabling update checks altogether effectively keep the data from being captured, is that correct? Specifically, what are those plugins?

There are four reliable plugins that completely disable checks.

http://wordpress.org/extend/plugins/...s-core-update/

http://wordpress.org/extend/plugins/...lugin-updates/

http://wordpress.org/extend/plugins/...theme-updates/

And a plugin aimed at developers which can both log outgoing HTTP requests and optionally disable update checks: http://wordpress.org/extend/plugins/core-control/

Be aware of the implications though. If you disable checks you need to manually keep up-to-date with update releases.

**Elpie** · 12-11-2009, 01:27 AM

Originally Posted by Brad

. . . what you are hoping for is a plugin that allows upgrades to continue but removes the questionable data if the powers that be are not willing to correct this issue.

No, what I am hoping for is that the core team will realise that users need to be aware of what they are collecting, and why, and will decide to give us an opt-in that allows us to select which information we are prepared to disclose ;)

Realistically though - thats not going to happen.

So, second best is for a plugin to be developed that will allow us to keep some plugins and themes private from the update check, will allow us to send or not send server information such as PHP & MySQL versions, and which will allow us to opt-out of sending our blog URL's.

This could potentially be a good candidate for a new "canonical" plugin

Thread: WordPress and phone home

LinkBack

Thread Tools

Display

Posting Permissions